Breaking "DRM" in Polish trains [video] (ccc.de)
378 points by p_l on Dec 27, 2023 | hide | past | favorite | 51 comments


Related:

Polish Hackers that repaired DRM trains threatened by train company - https://news.ycombinator.com/item?id=38628635 - Dec 2023 (142 comments)

Polish train maker denies claims its software bricked competitor rolling stock - https://news.ycombinator.com/item?id=38570654 - Dec 2023 (2 comments)

Dieselgate, but for trains – some heavyweight hardware hacking - https://news.ycombinator.com/item?id=38567687 - Dec 2023 (293 comments)

Polish trains lock up when serviced in third-party workshops - https://news.ycombinator.com/item?id=38530885 - Dec 2023 (360 comments)


[flagged]


God I hate reaction videos. I wish there was a filter.


I am curious what other industries are likely to have booby-trapped software which has not yet been discovered. It was only through some weird circumstances + dedicated investigation by the hacker group (I thought they were given months of access to the hardware) that this was uncovered. Most organizations do not have the resources to investigate equipment behaving oddly.

For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

Is there some kind of whistleblower law that would allow someone with knowledge to come forward?


A crucial part is the contract wording regarding what exactly was sold when NEWAG sold the trains to the operator - namely, the documentation for maintenance and repair was supposed to be complete. As in, should NEWAG encounter a critical existence failure, it should still be possible for a third party to service the trains so long as parts could be acquired, and in worst case, start working on replacement parts.

With most other right-to-repair cases there's way less recourse. With trains in Europe you have legal rules that disallow hiding critical maintenance data behind trade secrets, for example.


This is quite the insight - we’re talking about something purchased in public tender process by a public entity. The train is almost more like a commodity and less like a product. Or „Train-as-a-service” even perhaps?

My suspicion is that a lot of this happens, only 99% of cases never see the light of day due to NDAs and settlements.


In my industry we often escrow source code for these situations.


From personal experience it seems relatively common in the embedded-esque software space, although not always quite as sophisticated as seen here.

> Is there some kind of whistleblower law that would allow someone with knowledge to come forward?

Depends on where you live; unfortunately, anywhere with 'strong' IP laws you aren't allowed to patch anything. Usually reverse engineering analysis is still fine, although if there is a contract saying you're not allowed to, you could be screwed anyway.

In the train case the locks were specifically for anti-competitive purposes, and so they can whistle-blow for that; and I think in the general case you can sue for misleading dealings/false advertising/etc but not for anything specific to the software locks/traps.


> unfortunately anywhere with 'strong' IP laws you aren't allowed to patch anything.

I am not aware of any IP laws that prohibit patching, except for circumventing copy protection (DMCA). There are plenty of laws prohibiting distributing patches, but making and using them are not commonly prohibited AFAIK.


You can technically distribute patches. A good example of what is possible is SNES ROM hacks, where only the deltas are distributed and the end user provides their own 'legal' copy; this avoids the issue of redistributing copyrighted content.

However, in the EU you aren't allowed to use information obtained through "decompilation" for the purpose of development/production of a substantially similar program. Which means you cannot patch any program (an exception exists for the purpose of interoperability) without risking some legal liability.

2009/24/EC Article 6 for anyone interested.


> although not always quite as sophisticated as seen here

It feels that the implementation of that system was quite complicated. Complicated enough that quite a few people must have been involved in it.

It's quite sad that developers would implement this and all keep their mouths shut.


What got me was the geofencing for the trains to break down when in competitors' workshops. It was apparently only found in 2 out of 30 trains, but still, there is no plausible deniability here at all.


> For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

Maybe. The problem with consumer devices is that they're much better protected from their end users, so it's harder to dump the firmware to reverse engineer it. Firmware update files, while you can easily get your hands on them, are usually encrypted. Sometimes it's so bad that the best course of action is to find an RCE vulnerability and exploit it.

Though, with inkjet printers being as popular in some parts of the world as they are for some reason, and being as annoying as they are, I'm surprised no one has done that yet.


According to this thread [1] (and an unrelated one I can't find anymore), some printer manufacturers region-lock their printers' accepted cartridges, which makes the product useless in some circumstances just because of your location.

I think the incentive is money. One train is worth a lot of money; a single printer is not. Most people won't have any issue with the printer, and if so, the loss is low. If just one train has this issue, the loss might be huge.

[1] https://news.ycombinator.com/item?id=31860845


My parents are currently bitten by this - they can't find cartridges for their HP printer and I cannot send them any because they wouldn't match the region.

Also, some poor soul at The Verge went through hell and back to document the fun experience of trying to use an HP printer on a different region: https://www.theverge.com/23648726/hp-officejet-printer-regio...


HP does this. I'm not sure if you can reset the value after moving, but the cartridges have a "Region" value.

The cartridge region is printed per cartridge while printing "print quality" reports which prints full-nozzle lines to see whether there are any persistently clogged nozzles on your printhead.


> For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

I can't find it right now, but wasn't there a story some months ago about some printers doing exactly that to make you buy new ink cartridges?


It is actually quite common in the hellish world of printers, but with a bit more plausible deniability. "Our printed page counter indicated the cartridge/drum needs replacement, we couldn't know it was half full / it is all to preserve maximum quality" - such typical bullshit that people somehow already got used to. Consumer electronics are already crazy; I mean, people mod-chipped Keurigs to use "pirated" coffee.


I've also seen a report about ink printers failing without any proper error message because of a full sponge. (Where all the ink goes when you clean the heads.) If you disassemble the printer and replace the sponge, it magically starts working again.


That was about HP's ink subscription service, "HP Instant Ink", where your printer stops printing if you stop renewing your ink subscription and try to print with the subscription supplied cartridge.

I'm on my 4th HP Inkjet, and none of them did anything remotely similar. One wore down (which was a bottom-of-the-barrel model), two of them were donated, and AFAIK one is still pretty operational.

I'm regularly using my Deskjet Ink Advantage 4515, which is ~10 years old at this point.


For English speakers intimidated by the introduction, the actual talk is in English.


[flagged]


As a native English speaker: I'm curious why not? There are certainly other words and phrases which could fit just as well (concerned, confused, find incomprehensible, etc) but intimidated seems just as fine as any. Perhaps I've slogged through too many foreign slide deck presentations and simply have a particularly odd view now :p. It almost sounds as if you see a way to take this in a negative connotation though?


Yes. I usually take someone assuming I’m scared of something as a slight affront. It’s diminutive instead of using a word like unintelligible in this case.


Try not to frame general statements through the lens of your worst critics, and actively give charity while interpreting messages from people who don't demonstrate harmful intent. I don't see anything hostile about someone claiming that those who might feel intimidated by a language they don't speak will feel at ease (because the primary content is in their language). Assuming a negative intention on a message of seemingly good will should be a moment for you to pause and consider why you think that way, instead of conjuring up post-hoc reasoning to decipher a hidden hate message.


100% agree.

Not a comment on that parent comment per se (didn't read it as it's flagged), but in PL "intimidating" has much more negative connotations which makes the word a tad hard to translate (e.g. intimidating → zastraszający == "trying to scare sm/sb"). Things like this might slip if EN is not your first language.

> Assuming a negative intention on a message of seemingly good will should be a moment for you to pause and consider why you think that way, instead of conjuring up post-hoc reasoning to decipher a hidden hate message.

As a kid living in a German speaking country I had to deal with racism fairly regularly. I moved to the UK in my early 20s. I still remember the feeling of dread when I saw a nail salon asking for a premium for "nails (with polish)". I obviously knew what that meant, but for a split second I was pissed xd


well said


Tbf, I'm Polish and a language nerd a bit, and I consider a phrase "intimidated by the Polish language" completely justified. ;-)


The intro from the host/master of ceremonies sounds like German, not Polish.


Ah, you're right, I assumed from the title it would be Polish.

But frankly, given the history of my country, the same goes for German, too...


“If” definitely looks like the right word.


Wow, it's a full hour presentation but time very well spent would be an understatement! This issue has been covered before, but only the rough outline compared to this talk.

Great job guys! We all need a lot more like you.


IoT aka mafia with chips strikes again

I worked with PLCs for some time and the whole "a dozen different versions" rings a USBell for me. If I Google "newag plc programmer" on LinkedIn, I promise you the number will be the same as the number of versions found in the trains, all branching away from one initial version by one initial programmer.

Occasionally an FB gets exchanged on a USB stick, but the whole version control magic never reaches the team.



Slight tangent, but I really looked forward to (and enjoyed!) the "This Year in Crypto" talks given by DJB and Tanja Lange at past C3s. It was a fun way for a non-cryptologist like me to keep track of all the major happenings in this field. Sadly they stopped giving them a few years back.

Does anyone know if there are similar end-of-year roundups that non-cryptologists can follow to keep up to date?


The security nightmares talk at (also) 37c3?


GPS spoofing might be a solution when such a problem occurs. Just make the electronics think the train moves along the equator at 30 mph. I assume the malicious software does not check if the train moves on some tracks or just moves.


Once the lock condition evaluates to true, the lock bit flips and the train is locked forever (until the manufacturer brings the "magic wand" and unlocks it). It's a scam.


It wasn't mentioned in this talk, but was mentioned in publications earlier: if you attached another train of the same type to the locked one to try and tow it, the freshly attached train locked up too.


It's mentioned in the talk, the software interrogates speed data from odometers.


Then place the train on a giant dynamometer while spoofing the GPS.


Much simpler - just rewrite the NVRAM to disable the blocks before returning a train. More effective - sue the manufacturer, because this whole affair is a breach of contract.


Manipulating odometers would actually be illegal from the POV of railway regulations.

Two wrongs don't make a right there.


Every time I see news about this story it gets crazier and crazier, holy shit!


Has Newag provided any evidence of their claim that this is a conspiracy by their competitor and the hacker group? Or is it literally just them saying "no we didn't"?


In various trains, over 20 versions of the compiled firmware with unique variants of the locking algorithm were found. And to make matters worse, the trains were found to have something that appears to be a GSM-to-CAN bridge. It isn't reverse engineered yet but AFAIK shouldn't be there and in the worst case may be a remote control backdoor.


Both these points were clarified in the audience questions - it's a UDP-to-CAN bridge so the Linux-based passenger information system knows the state of the train. And only the Linux system is GSM-connected (to get network announcements etc.); none of the firmwares were installed remotely, only when trains were sent back to the manufacturer physically.


I think it goes without saying, but it's of course the latter.


The fact is they found those GPS or even third-party part denials, and how could these be a conspiracy, I wonder?


Perhaps cases like this are good. Most people don't mind DRM at all; they couldn't even tell you what it is, though their phones / cars / etc. are riddled with it.

A case like this involving a train that won't move is something that's easy to comprehend for the general public and is clearly utter bullshit.


Yes, this is a perfect example of what DRM is really about.

I'm a repair guy and I'm always trying to protect my customers against walled gardens and whatnot. Talking about this article makes explaining right to repair so much easier.

My concern is the changes they're making to the BIOS in consumer-grade OEM desktops and laptops. With UEFI certificates being added for anti-theft software that is enabled by default, people just don't understand what's really going on. This article explains it beautifully. Thank you Newtag!


Shady business practices like that were popular in Poland in the 1990s, just after the Iron Curtain collapsed. It's great this emerged to the public.

The funny thing is that the prime minister of the former idiotic government was aware of that and did nothing. The Law and Justice mafia party is all about pacts, corruption and theft.


These guys are my heroes.



