Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them

DacoTaco, 5 months ago (edited 5 months ago)

The person is doing a talk about it in hamburg, germany (37c3) next week. Its on my to watch list because that sounds hella interresting.

Edit : 37c3 list of talks : halfnarp.events.ccc.de/#dec115da17562cebafa9ba7a1…

khannie, 5 months ago

That actually does sound hella interesting. I’m saving your comment to try to remember but actually look it up in about two years when I scroll back though my saved posts.

YoorWeb, 5 months ago

youtube.com/

Holyginz, 5 months ago

Went to subscribe to it until I remembered i don’t speak German lol

example, 5 months ago

nearly all talks are either in English or have English translations. not sure if they’re available on YouTube but you should be able to find everything on media.ccc.de

isVeryLoud, 5 months ago

Time to learn!

verity_kindle, 5 months ago

Same, same.

helenslunch, 5 months ago

I’m saving your comment to try to remember their comment to try to remember to watch that.

DacoTaco, 2 months ago

Consider this a reminder :p

foyrkopp, 5 months ago

C3 talks are available online for quite some time after the actual event, so you might still be able to watch it then.

barsoap, 5 months ago

Where “quite some time” is “indefinite”. Proper archives go back to 2002, 19c3.

Takes some time for stuff to show up in the archives though as start+end get cut manually, while the congress is running there’s always an archive of raw steam dumps maybe that’s the one you mean.

threelonmusketeers, 5 months ago

Does Lemmy not have a “remind me” bot yet?

pwalker, 5 months ago

It’s 37c3, but thx for the hint. The talk is called Breaking “DRM” in Polish trains by Redford, q3k, MrTick

I will try to watch it on stage, unfortunately still no final schedule available

DacoTaco, 5 months ago

Fixed the edition number. I always forget what number we are at haha. I will not be on site, but i saved it in my planner : halfnarp.events.ccc.de/#dec115da17562cebafa9ba7a1…

barsoap, 5 months ago

The numbering got a bit messed up as there weren’t chaos covid congresses.

BloodSlut, 5 months ago

“We didn’t add a kill switch to our trains to force the use of our maintenance service, but fuck the hackers that removed the kill switch we didn’t implement, and the trains that were hacked and don’t have the kill switch we didn’t add should be removed from service.”

Th3D3k0y, 5 months ago

Dear Reader,

Regarding your recent free and non-profitable un-fucking of our problem, please use the honor system and manually refuck yourself.

Love, Technology Companies.

thefartographer, 5 months ago

Someone’s gonna figure out a horror movie for this called The Refucker

ASeriesOfPoorChoices, 5 months ago

Wasn’t free - they were paid to hack it.

But yeah.

pirat, 5 months ago

Could be free as in freedom, as opposed to free as in beer?

ASeriesOfPoorChoices, 5 months ago

But freedom isn’t free. Costs a buckofive.

pirat, 5 months ago

en.wikipedia.org/wiki/Gratis_versus_libre

ASeriesOfPoorChoices, 5 months ago

You fucking numpty.

www.youtube.com/watch?v=BVkTmnJkAN8

Jessvj93, 5 months ago

“And how dare those hackers go through all the trouble of finding those (literal) GPS coordinates of train maintenance centers not in our system to circumvent us getting more money.”

helenslunch, 5 months ago

This reminds me of the hacked McDonalds ice cream machines. Except the shitty manufacturers won that one.

damirK, 5 months ago

Sadly they will probably win this as well. Some claim there could safety concerns and it isn’t certified or could damage their brand… time for people’s manufacturing of products? Hehe

psud, 5 months ago

I think this one might go well. Company preventing a country’s trains from being serviced by a third party. I expect that train builder has already tanked their business, but it would be an interesting one to be litigated, the sort of case that can get the law changed

WallEx, 5 months ago

I’m not firm in polish law, do they have the same laws as in the USA? Because that’s what you’re comparing right?

Aceticon, 5 months ago

As far as I know, there is no such thing as DMCA provisions against working around software protection mechanisms in the EU and in fact at an EU level the direction is to increase ownership rights, not decrease them.

However depending on the contract the train company might not legally own those trains (for example, it’s structured as a Lease), but if the hackers can show proof that the train company authorized them to do those changes it would be a case against the train company, not the hackers.

Burn_The_Right, 5 months ago

But if the people controlled the means of production… that would be…

Aceticon, 5 months ago

This is an EU country, not the US.

Things like the DMCA provisions forbidding working around IP protection mechanisms (and software is copyrighted) don’t apply here.

IANAL (so take this it with a pinch), unless the trains are legally theirs rather than the train company’s, it’s not hacking, it’s just “software maintenance” and the only right this company has here is to withdraw product warranties because of “unauthorized changes”.

There might or not be a case against the train company (for example, if the contract forbade this or the train company tried to sell those trains onwards as if they were original) but not against the people who did the software changes on the trains when authorized by the owners of said trains.

damirK, 5 months ago

I assume EU has safety regulations and if a train suddenly loses its brakes they would be liable wouldn’t they? Now they can say someone has “hacked the train” and they can’t guarantee the brakes will work. I am not sure where the USA argument came from

Aceticon, 5 months ago (edited 5 months ago)

The responsability of circulating with a vehicle that abides by safety regulations is of the owners, not the makers.

You’ll notice that even in the consumer auto segment (which, since run-of-the-mill consumers are not expected to be “experts”, has lots of of ways to make sure that brand new cars are sold already pre-certified “road-worthy” because normal consumers don’t have the know-how to make sure of it themselves), the actual car owners still have the responsability of having a periodic inspection done to the car and repair those things that stop it from being road-worthy and they cannot circulate with it in a public road if it’s not compliant (at least that is the case in Europe).

Outside the consumer segment, I expect that the rules for trains are pretty similar to those for commercial aviation: the manufacturer has no responsability beyond a contractual one (i.e. the purchasing entity probably demands contractually that the vehicles they get comply with regulations, the parts they buy obbey certain specifications and maintenance done by a manufacturer-certified shop delivers a compliant vehicle) and all the regulatory responsability is in the hands of the owner (more specifically the “operator”, as for example for leased planes the airline doesn’t actually own them but they do operate them hence they’re the ones with regulatory responsabilities).

The USA argument comes from the anti-circunvention legislation for software being part of the DMCA law, said legislation giving rights to the makers of the software to stop changes to it even in devices they do not own. Where such legislation does not apply there is no law forbidding somebody doing whatever changes they want to software as long as they own the device containing said software or have the authorization of the owner of the device whose software they are changing - the only applicable legislation here is Copyright and that only limits the distribution of the software, not the changing of it.

It’s not at all unusual for Americans to argue that people can’t legally circumvent software protections even in devices they own, because that is indeed the case in their country thanks to the DMCA, but expecting that to be the case in Poland doesn’t make sense as the laws there are not at all the same as in the US.

damirK, 5 months ago

That’s a whole lot of energy spent based on completely incorrect assumptions about me or what I was saying so your argument can work. But sure whatever makes you feel like you are right.

Aceticon, 5 months ago

That’s a very weird take.

You don’t know me and went all weirdly personal full of assumptions about me and without making an actual argument.

Whatever is going on there, it’s all in your head.

simin, 5 months ago

the world’s not one’s to fix, learn to protect yourself.

whoisearth, 5 months ago

No the current model everywhere is to pay a vendor. I’m sure someone can get KPMG or Deloitte to fix the world.

andrewrgross, 5 months ago

That’s awesome. Man, fuck that company. Bricking a train? Outrageous.

Bizarroland, 5 months ago

Poland ought to ban that company from ever working or operating or selling any products inside of its country and any trains made by that company that are not currently owned by Poland should be prevented from traveling on the tracks that cross through Poland.

BearOfaTime, 5 months ago

Maybe make it the entire executive and senior management, rather than the company.

funkless_eck, 5 months ago

unfortunately they have a right wing government so it’s likely they’ll want more of this not less

Maggoty, 5 months ago

They just swore in the new Cabinet today. They still have a far right President and Judiciary to contend with but the legislature is a coalition of centrists and leftists now.

Aceticon, 5 months ago

I was wondering why Orban “left the room” when the EU Council voted for initiating membership negotiations with Ukraine (thus abstaining) rather than vote against it (and thus veto it) and thought that maybe he didn’t have Poland covering his back anymore (in the sense of stopping later reprisals if he blocked it), at least when it came to his pro-Russia posture.

Now given that change in Poland, I’m thinking it’s a much more far reaching thing and Hungary is now much closer to have their rights suspended as an EU Member.

Maggoty, 5 months ago

Yes, however there is still a natural resistance to kicking anyone out of a political entity. Just because nobody wants to start those conversations for fear of their name getting floated.

psud, 5 months ago

I feel like train operators will have heard of this, and will not be accepting that company’s tenders

SpookyUnderwear, 5 months ago

This is the kind of government intervention I can get behind. This story is so outrageous, it’s hard to believe it’s true.

vinhill, 5 months ago

Realistically, that would be quite an overreaction and the corporation does have valuable knowledge and skill in creating trains. But how great it would be if this were to cause open source code to be a requirement…

thefartographer, 5 months ago

Run by fucking criminals. We should brick them like they’re The Sticky Bandits

AlwaysNowNeverNotMe, 5 months ago

Better to brick them like The Cask of Amontillado.

pelotron, 5 months ago

Great idea, Marv.

vsh, 5 months ago

I thought white hat hackers only do their shitty CTF exercise everyday. Wouldn’t hacking a DRM’ed national train be a black hat interaction? I’d like to know if that company can press charges.

Adanisi, 5 months ago

Yes yes, how dare they unbrick public transportation infrastructure.

Fuck off.

vext01, 5 months ago

Depends on your definition of “ethical”

Lev_Astov, 5 months ago

If you RTFA, they were paid by the repair company who was paid by the private train operator to fix the train. In doing so, they reverse engineered the hardware/firmware and found the DRM added by the manufacturer to prevent the repair company from doing the repairs by bricking the train.

Aceticon, 5 months ago

If the train owner allowed it, it’s just maintenance that happens to affect software.

Hacking would be if it was not authorized by the owner.

Any maintenance not authorized by the train maker entitles them at most to suspend the Warranty.

firefly, 5 months ago (edited 5 months ago)

@btp

If anything perhaps everyone involved should sue the train manufacturer for bricking the train with their DRM nonsense.

"Dragon Sector" is an OG name for a hacker firm.

"we discovered a ‘workshop-detection’ system built into the train software, which bricked the trains after some conditions were met (two of the trains even used a list of precise GPS coordinates of competitors' workshops)."

That is an anti-trust violation du jure. I wonder what kind of anti-trust laws Poland has.

zockerr, 5 months ago

Every time I read about this kerfuffle, I am astounded by the sheer stupidity of the manufacturer. Even if they may be technically in the right here(I don’t know, since the contracts they have with the operator aren’t public), they effectively shoot themselves in the foot with this PR Desaster. Especially the various national rail operators across Europe will think twice about buying NEWAG, since these operators usually have their own maintenance and repair centers, and expect to service their rolling stock there. And those national operators still make up the lion’s share of the European rail market.

DSTGU, 5 months ago

This aint much of a problem. NEWAG operates almost exclusively on the internal market

maynarkh, 5 months ago

I sure hope that they become a political talking point where the government loses votes if they contract with them again.

arc, 5 months ago

Apparently there was some kind of gps geo fencing going on - that the software detected the train went into an uncertified repair yard and bricked the thing. So I assume the hackers just purged that info, or unset the flags that denoted the brick condition so as far as the train software was concerned it was operating normally.

It’s an interesting hack but there is a safety aspect to this too. A train is a complex machine that could go catastrophically wrong and kill a bunch of people. It’s not quite Boeing 737 levels of safety criticality but neither is it something that should be taken lightly with regards to service procedure or parts procurement. So the manufacturer were being dicks to brick the train. But the train operator using an unauthorised repairer who might not have access to, let alone follow the correct servicing procedures or parts is not good either.

yamanii, 5 months ago

The anti-circumvention clause is being abused for some years now, it’s disgusting.

psud, 5 months ago

This is the sort of case that can fix it

lolcatnip, 5 months ago

Is it abuse, or is it working exactly as intended?

KeenFlame, 5 months ago

They mean it’s abusive in nature I guess

Aceticon, 5 months ago

So which anti-circumvention clause do you mean?

Remember, US law doesn’t apply in Europe and as much as I know there is nothing like that in the EU.

Syo, 5 months ago

Steam engine breaks, you can fix it.

Steam engine with digital circuit breaks, you're a hacker, a pirate. DRM was a mistake.

Player2, 5 months ago

But how else could companies make more money off of something you already paid for? Will someone think of the shareholders‽

Aceticon, 5 months ago

If you’re allowed to do any maintenance you want on the physical components of something you own, then you should be allowed to do any maintenance you want on the software components of something you own.

It’s not hacking (in the sense of “unauthorized intrusion”) if you own it or have authorization to do it from the owner of it.

KeenFlame, 5 months ago

Spewing bs about how they can’t guarantee the safety and other outrageous shit pouring out their mouths as they provide clearly practiced lawyerspeak to squeeze money from public service into their owners pockets which will then be invested probably in war and killing children for profit.

But let’s discuss ethics and shit! Fuck faces need to be brought to moral justice for the evil they commit every day of their brainwashed miserable hateful lives where they pretend to not harm people because they don’t do it themselves but via money grabbing schemes. One day all of this shit will seem to be as stupid as hitting kids are these days

FangedWyvern42, 5 months ago

Most ethical vehicle manufacturer:

(This is a joke)

Ruscal, 5 months ago

badcyber.com/dieselgate-but-for-trains-some-heavy… link for very detailed description of this story, highly recommend the read!

SCB, 5 months ago (edited 5 months ago)

Thank you! Came here to ask if anyone had one source with the whole story. This keeps trickling out as it evolves.

Edit: this story is considerably weirder than I expected, and I was already expecting some weird shit.

Begs the question: How is any of this legal?

Ruscal, 5 months ago

I would assume it is not, UE has some strict rules about fair competition, but the problem is to prove that in the court. Newag is arguing that the hacked and reverse engineered code is not the code they have. Probably in the meantime they run the cleaning protocol in the company…
But company’s public image will hopefully suffer from the story, maybe at least they loose in eyes of potential buyers.

btr_fan87, 5 months ago

Artificially bricked?! Who the hell keeps giving Viagra to trains? Evil bastards.

xytaruka, 5 months ago

Sir Toppam Hat

RememberTheApollo_, 5 months ago

If they required the trains to be serviced by manufacturer they should have written it into a mandatory service contract at time of sales.