Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them

The situation is a heavy machinery example of something that happens across most categories of electronics, from phones, laptops, health devices, and wearables to tractors and, apparently, trains. In this case, NEWAG, the manufacturer of the Impuls family of trains, put code in the train’s control systems that prevented them from running if a GPS tracker detected that it spent a certain number of days in an independent repair company’s maintenance center, and also prevented it from running if certain components had been replaced without a manufacturer-approved serial number.

The problem was so bad that an infrastructure trade publication in Poland called Rynek Kolejowy picked up on the mysterious issues over the summer, and said that the lack of working trains was beginning to impact service: “Four vehicles after level P3-2 repair cannot be started. At this moment, it is not known what caused the failure. The lack of units is a serious problem for the carrier and passengers, because shorter trains are sent on routes.”

Very good article, I’d recommend reading it. I hope the court rules against NEWAG and sets a precedent for right to repair.

MamboGator,
@MamboGator@lemmy.world avatar

When we’re at the point where “criminals” are the ones acting ethically to undo the damage caused by those in power, I have to wonder how long until society collapses and is forced into another major restructure.

boreengreen,

The word hacker doesn’t mean criminal. Hacking is not a crime unless you do something illegal with the skillset you have. They are just coders and reverse engineers. A hack usually means a quick fix.

Engineer,

In this case, if it is illegal, it definitely shouldn’t be.

MamboGator,
@MamboGator@lemmy.world avatar

The word hacker doesn’t mean criminal.

Never claimed otherwise. Unauthorized access of a corporate system, especially a control system for public transit, probably qualifies as illegal even if the intention was good.

fallingcats,

Then why’d you call them criminals

MamboGator,
@MamboGator@lemmy.world avatar

Unauthorized access of a corporate system, especially a control system for public transit, probably qualifies as illegal even if the intention was good.

It’s okay. Reading comprehension is a hard skill to master.

RubberElectrons,
@RubberElectrons@lemmy.world avatar

Moron, note the air quotes. They’re using the term in a way to make fun of how the media consistently uses the word.

Isoprenoid,

I have to wonder how long until society collapses

We’ll just hack it back into working order.

MamboGator,
@MamboGator@lemmy.world avatar

I have no doubt that those in charge now will sink their claws in so that they still come out ahead in whatever system comes next. When you abolish the monarchy, the rich become politicians.

baggins,

The GPS coordinates are especially damning. Also funny that the manufacturer is claiming they made the trains unsafe, since obviously once they uncovered the unlock code they can just use it on unmodified trains.

fallingcats,

They did say the manufacturer removed the override key combination

grey,

Man, just go back to normal trains and now computers with attached trains. Can’t hack or remotely kill what doesn’t have a computer in it.

RubberElectrons,
@RubberElectrons@lemmy.world avatar

Erm… There’s a lot going on inside an electrically powered train. Even a diesel engine has a computer managing fuel flow and diagnostics.

More importantly, you need networked computers to handle automatic train safety systems, a requirement in the EU from what I understand, after several notable rail crashes up to the 70’s.

Nationalgoatism,

It’s ridiculous, not only the manufacturers egregious behavior, but also the fact that there is software required to operate a vehicle without a mechanical override. If and when I am forced to own a car with such technology my first move will be to disconnect the entire module and install a proper starting and control system.

activistPnk, (edited )

The mere fact that the manufacturer had a remote kill switch is the safety issue that should have a big spotlight.(edit: this is not the case - see the reply below) What if a malicious hacker decides to trigger that kill switch while the train is loaded with people and at a sensitive moment (e.g. on bridge/cliff with a huge drop).

If the kill switch were in place for dealing with hi-jackers, perhaps fair enough. But having it for the purpose of business protectionism is an entirely reckless safety risk.

There’s an overlooked failure here: why doesn’t the Polish transport authority have a clause in their procurement contracts that bans trains with remote-control kill switches that are not under user control? And why wasn’t the code reviewed to catch that in advance? The hackers say they did not alter the code, which somewhat implies that the source code might have been available for inspection.

kilgore_trout,

In the talk they gave yesterday night, Dragon Sector hackers clarified that they are not aware of any remote control available to the manufacturer.

The locks were implemented inside the code both when the trains were first serviced to railway operators by the manufacturer, and any time the manufacturer was given direct on-hand access.

See here to watch their speech: feddit.it/post/4391905

activistPnk,

Thanks for the link. Indeed you are correct. Apparently the only comms involved was the train signalling to the manufacturer that the lock was triggered.

lemann,

I hope this NEWAG gets raked over the coals for this.

It’s outrageous to hold public infrastructure at ransom because the equipment spent X days in an independent repair shop - and pretty invasive to have DRM monitoring the train’s GPS location, and in some cases live reporting these back to the manufacturer to facilitate a remote lockdown.

Not to mention pushing an update to flag up a copyright warning on a screen in the drivers’ cab while the train is running 🤦‍♂️

I commend the engineer at the independent repair facility that had the idea to have hackers pick apart the train’s control unit, and the rest of the team for agreeing to it.

FiskFisk33,

Modifying the software of a device YOU OWN, should never be illegal in and of itself.

Engineer,

Absolutely. Maybe an exception for video game multiplayer cheating, but that’s the only thing I can think of. Any other situation I can think of just enriches the computer to the massive detriment of the user.

Saeculum,

Is multiplayer cheating illegal? They have the right to kick you off their servers, but I’d be surprised if it’s a criminal offense or anyone has ever had a case brought against them.

Engineer,

Yeah I don’t think it is. I was just trying to think of edge cases.

JohnBrownNote,

i’d be ok with videogame cheaters being executed by the state

Rom,
@Rom@hexbear.net avatar

olimar-point pikmin-carry-l gamer-gulag pikmin-carry-r barbara-pit

lunarul,

No, that shouldn’t be illegal either. Against the rules of a server and getting you kicked out of that server, sure.

Akrenion,

Force modified clients in a seperate lobby. Mods can be fun and extend shelflife of games immensly.

TheHobbyist,

And allow selfhosting servers for (at least after) when the publisher/developer stops supporting the game.

JohnBrownNote,

abandoned software should be public domain, including server code and the tools for maintaining and updating it.

really the workers should own the means of production and all that stuff should be public from hello world, but we’re talking about some transitional steps i guess.

TheHobbyist,

I agree and I wish, I think the tricky part would be defining the criteria to what constitutes “abandomware”. Is it the stop of the sale? The shutdown of the attestation servers, the shutdown of the multiplayer servers (and in that case what about single player games)? I can only imagine the creativity of publishers pretending their game is not abandonware yet it practically being so.

JohnBrownNote,

yeah it’s a little tricky to put that sentiment into law… and to some extent we wouldn’t need to if copyright law wasn’t just disney’s regulatory capture.

Rom,
@Rom@hexbear.net avatar

“Our 15 year old game has a single password protected server running that an employee connects to a few times a year so technically it’s not abandoned and we don’t have to make the code public domain, checkmate”

FiskFisk33,

cheating is a problem but, actually making it illegal? nah man, I think that’s too far.

huf,

which is why they’re trying to move to a model where you own nothing

WindowsEnjoyer,

I am not against you, but in case of warranty - how do you draw a line of where is user’s fault, and where is manufacturers fault?

FiskFisk33, (edited )

well, it doesn’t have to be illegal to void warranties. If you for example brick your device through software shenanigans you don’t expect the maker to fix it for free for you, but you don’t expect them to sue you either!

eskimofry,

You gotta attach some base flat fee to send out the engineers that would deter fraudulent claims?

  • All
  • Subscribed
  • Moderated
  • Favorites
  • right2repair@discuss.tchncs.de
  • DreamBathrooms
  • InstantRegret
  • ethstaker
  • magazineikmin
  • GTA5RPClips
  • rosin
  • modclub
  • Youngstown
  • ngwrru68w68
  • slotface
  • osvaldo12
  • kavyap
  • mdbf
  • thenastyranch
  • JUstTest
  • everett
  • cubers
  • cisconetworking
  • normalnudes
  • Durango
  • anitta
  • khanakhh
  • tacticalgear
  • tester
  • provamag3
  • megavids
  • Leos
  • lostlight
  • All magazines
    •