Mad props to the one employee at SPS who was smart enough to realize something weird was going on, and smart enough to realize they couldn't tackle it alone.
@@xanowich And for 10 days in November and then 11 days in December, so 21 days in a year in total. Notice that the condition was "equal or greater than".
I'm personally okay with the fact that Netflix doesn't make shows about the IEC 61131-3 standard. That being said, I also haven't watched anything on Netflix at all in the past year.
Such undocumented blocking functions can have the most serious consequences in the event of a national emergency, whether due to natural disasters or war. Therefore, criminal law should be applied accordingly, taking full advantage of the appropriate penalty framework.
On top of that, what happens if the company goes out of business? Sure, someone else will buy the assets of the company, but while the new owners are getting caught up on the code do all of the trains everywhere in the world stop working in the meantime?
Quite simply, the company should be forced to dissolve and close and anyone that had anything to do with this should be jailed. This is the only way to deter companies from doing this malpractice.
@@JohnDoe-bd5sz Silly, knee-jerk reaction. It's not the company who is at fault but a few people, some of them at the top. If you were to dissolve the company, what would happen to hundreds, if not thousands, of innocent workers? This kind of knee-jerk bullshit, headline style reaction is just as bad. Grow up.
@@roo72 The problem is, this will just end up like the Dieselgate scandal: the top people will claim this was just some rogue employee or employees that did this, and the top had no idea. In the end some engineer or a few of them and some mid-level manager will get fired and possibly jailed, and the ones at the top, who did the actual ordering of these criminal practices, will go free, and the company will just continue to do this. The next iteration will be even more nefarious and obfuscated / encrypted. The only way to stop these people is to dissolve the company or at least force the company to get completely new leadership, and subject it to some form of government oversight, where they will be forced to pay the government to supply them with some check-engineers who will have to sign off on anything they do with the software in the future.
Amazing work. You guys are heroes for publicising this and presenting it so clearly for everyone to see. I hope that Newag loses a lot of business for this. I'd like to see a requirement to provide source code from public transit infrastructure manufacturers in the future, because I strongly suspect that Newag is not the only company doing anti-competitive things like this in their code.
Nice to see you here. It's pretty crazy that you can own the train but not what makes it tick. Even if there was nothing nefarious going on, what if the company went out of business? All that code could potentially be gone forever and there would be no way to fix any bugs that crop up in the future. Source code and toolchains should be provided so that the providers can build from source and directly upload firmware. IP rights shouldn't be able to dictate whether a train can turn on or not.
That was my thought as well, considering the behaviour of large firms of other commercial vehicles (John Deere). More concerning to me is the mystery undocumented internet-connected box.
This isn't really right to repair. Newag didn't sell the locomotives with a requirement for themselves to do the maintenance. This is straight up fraud.
@@windwalker5765 But clearly if it's designed to only be repairable at a manufacturer's shop, it's meant to give the impression that external maintenance isn't sufficient, which would suppress external maintenance for no valid reason. Restricting right to repair and being fraud aren't mutually exclusive.
This is exactly what right to repair means, having access to ALL of the relevant documentation for the things you own. The lockout code was hidden from the owners of the trains and it screwed them over. @@windwalker5765
This is deliberately designed to disable functions of a critical-infrastructure piece of equipment in such a way as to make it appear that a 3rd-party repair service caused damage. This would fall under deceptive business practices and possibly under laws regarding interference with commerce and public transportation with malicious intent. In the US doing this would be prosecuted under several serious laws under the "patriot" act.
@@iotkualt I would argue that intentionally restricting right to repair is always fraud, but sadly that's not law as it stands now in most countries... but yeah, Newag clearly went above and beyond when it comes to that kind of sabotage. Somehow I get the feeling that if you want to screw over customers by restricting their ability to repair their purchases... maybe don't do it to the governments of countries... they kinda have just a little bit more power and leverage to fight back.
These updates done by Newag days before the maintenance sound like a clear case of computer sabotage. That's not only "doing updates" without re-certification, that's doing updates with malicious intent, also known as "installing malware".
"These updates done by Newag days before the maintenance sound like a clear case of computer sabotage." - I think that they don't have any strong evidence for that (without somebody from Newag actually snitching on their managers, which would be nice), that's why they didn't mention this explicitly in the presentation either. They would've had to do firmware dumps before the Newag guys came, but they probably didn't.
@@CoolKoon They said in the video that they have a lot of different versions of the code, and they also said that they extracted the logs from the PLC, which show the history of updates to the firmware.
Awesome presentation. Newag should not just get fined. This warrants an investigation of the company internals and the people responsible for such malpractice should pay with some of their time. Community service or some jail time. Dissolving such companies would surely be a deterrent for others to follow suit. Edit: All software and hardware schematics used by the government should be fully open source. Right to repair is a must. Software locked hardware like heating in some cars is ridiculous. If it is cheaper to build it into every car you shouldn't be allowed to charge extra for it. Also tangential to this I believe copyright is too long. 70 years? Should be more like 12 years. If you don't innovate in 12 years your company should go under anyways.
The last time a scandal like this occurred was the Volkswagen emissions scandal and, excluding the fines, the first person penalized was one of the engineers. None of the managers were penalized. Though I 100% agree that whoever is responsible for the decisions should be held accountable, I am a bit pessimistic on this too. I sincerely hope the Polish and EU institutions prove me wrong this time.
Newag responded by filing suit against the team that uncovered this shit. Imagine my shock. This will end with prison time for Newag higher-ups. If this was done to some machine for a private entity, I wouldn't hold my breath, but that was actually equipment for a government co-owned entity. Those people are fucked and they know it.
Incredible work. Those PLC binaries are an absolute nightmare to work with and I generally tell clients that any useful black-box assessment is going to cost them way more than they would ever want to pay. Getting this quality and depth of reverse engineering done on such a challenging platform within such a short space of time is extraordinarily impressive. The fact that you were doing this to defeat predatory DRM is the icing on the cake. Huge props to all of you.
BTW I'm not familiar with Selectron PLCs, but Siemens, Omron, Moeller, Rexroth all allow you to upload a PLC program from the PLC (yeah, the logic is different there: downloading means you transfer the program from PC to PLC, uploading means the opposite. Upload and download aren't about the way the files go, but the network hierarchy they go through. In the hierarchy the internet is above your machine, and you load up to it if you send data, load down when you receive; but machines like a mouse or a PLC are below your computer, so sending data is download). It's just strange...
In the US, this would never be able to happen. It'd be questionable in most of Europe as well. Former Soviet block countries and Nordic countries tend to have a lot more "get shit done" attitudes.
Actually they might have had some doubt that something fishy was going on. Giving up would have been accepting to give away some business to others without having a clue of the reason... Still, the guy at WPS that signed to get hackers on board should get a hefty bonus 🎉
"White hacking" isn't something unheard of. Hiring a security company for an audit (they both try to hack you and analyze the code for possible security issues) is not unheard of. Though usually companies pay to have themselves and their own products audited. Here it's different, but not that much: they hired the hackers to find a solution for how to fix the train, because they couldn't do it themselves. Kinda just outsourcing. I was not shocked at all that they decided to hire someone to investigate the issues.
As a Pole I'm glad this is getting publicity. It's in the good interest of my country and the whole world to show manufacturers that these kinds of practices will sooner or later catch up with them and tarnish their good name. There are ethical ways of getting on top of your competition, for example being a good effin company providing good services, not being frauds. It's really sad that the current state of our world is such that companies focus on making profits first and, if there's any time left, then perhaps providing a good service/product second. But profit-oriented people are too short-sighted to see that what guarantees long-term profit is trust. Trust that your consumers have in you that keeps them coming back to you. I know these guys were contracted by the competition to do this, so it is not like they did it purely out of good will, but you can see that they are passionate about this and wanted to make the world aware of such fraud upon learning about it while working for SPS. They are good people.
Part of the problem is that nowadays, companies are often owned temporarily by private equity firms that are only interested in very short-term profits, sometimes even keep changing hands between several private equity firms. Of course even when that's not the case, there is still the problem of management getting bonuses based on short-term profits.
I think one reason for that is, that most penalties are not painful enough so the financial risk is not large enough to prevent this behavior. Imagine making 100 million profit in 10 years and then having to pay 10 million penalty ... that's still 90 million profit.
Just adding onto this thought. If one of these trains already reached End of Life (or ran enough to need a full overhaul), then I would guess that the software is far beyond the testing phase. I can understand if the delivery schedule was a bit too quick for full testing of all functionalities, so that during delivery of the first trains the software was still incomplete. But so far into the life of these trains and with normal maintenance, these trains all need to be running the same software. Or maybe the last two versions or something. These are all the same series of trains. Should be the same hardware.
I think I know what happened here. I am not familiar with this flavor of PLC (I do Allen-Bradley), but I imagine all of the PLCs are programmed from the IDE instead of a binary file. As such, it would be recompiled every time they download the code to the PLC, and any small change would be reflected in the binary files. Such small changes could include serial numbers (hard-coded as they basically change a constant in the code) or adding the new kill checks. If the PLC holds a copy of the source code even changes in comments would stand out in a diff. I am sure they would have checked for a local copy of the source code first (stored as a database file) even though they haven't mentioned it. That said, the method they used to pull the machine code might not have been able to pull the database file.
Oh, that is just PLC programming and mechanical engineering. Everything is just "unique" - but those professional PLC programmers hold it together, with duct tape and string..
Only to discover at the end of the maintenance contract that you bought crappy code, and even OK'd it. Because well ... why even pay some nerd to do unimportant checks before you sign the deal of the century?
@@otm646 No, you'll get one bid by the one company that noticed they can charge 10 times the equipment's worth if they are the only bidder. And the next time everyone's in again because they want that nice 91% profit margin, too. And it will work even better when all train operators insist on getting the code. Because any company not bidding will also not sell any trains.
The railway operators are more like a defense apparatus than individual car buyers. They already pay a lot, they don't have much audience competition, they are considered strategic state assets, and they have comparatively easy access to the legislature.
It was a good question at the end: Do they sell in other countries? Yes. It'll be interesting to see this become a multi-national scandal outside Poland as well; the EU will need to get involved, at least assuming only EU... It's like the train version of VW's diesel emissions "hacks".
Newag's international deliveries outside Poland were limited, I recall only two contracts in Italy for just a few units. Newag has no maintenance business there, so no reason for cheating. The bigger contract in Bulgaria was for the manufacturing of Siemens' metro trains, and a French company just ordered Newag's locomotives last month.
@@Maciek888 Thank you for that! I'd expect anyone having dealings with them now or in the future will question their ethics for any consideration should they apply for new bids after this. Oh look, it's "those guys".
Actually it is worse than the diesel hack... that was meant to hide pollution, but this is forced service on otherwise functional units, and trains ain't cheap...
These "foreign" Newag train units could be good evidence in the trial. I'm not sure, but I suppose that those Italian trains made by Newag will not have such malware, because they were just sold without the maintenance package after the warranty period. The operating area of those Italian trains is far away from the Newag workshop in Poland. I don't know where those trains are actually serviced, but I assume somewhere in Italy and not by Newag staff, because it is not worth transporting them thousands of kilometers from Italy to Nowy Sącz only for service. The trick is that those Italian trains also have GPS and GSM devices and nobody knows if it is possible to implement malware remotely. The trick is also that these Italian operators which owned Newag trains refused further purchases from Newag although they had such an option. They had a quarrel with Newag when some of those trains just stopped, needed servicing and Newag didn't give approval for fixing the units without its participation. The narrow-gauge Newag trains in Sicily were out of service for 16 months. And the Italians didn't agree to Newag's "proposal". Sicilian Newag units have finally been serviced by Spaniards (CAF). And the Sicilian train operator decided not to buy any further Newag trains.
That's mean... they made it look like parking the train for a while made the secondary compressor go bad... Finding the geo fencing areas feels a bit like those Diesel exhaust controller speed-distance regions.
"Finding the geo fencing areas feels a bit like those Diesel exhaust controller speed-distance regions" - Yeah, but this is even worse, because it's a clear-cut anti-competitive behavior. There's no way they can explain this away in any way possible.
This is the exact same reason why a lot of ice cream machines are broken at McDonald's in America. While the main McDonald's company has secret agreements with the ice cream machine manufacturer, it is a pain in the ass for the actual franchise owners to service their ice cream machines, because they frequently stop working and basically every other step in the manual for the McDonald's employees states "call certified repair technician". Over 40% of the revenue of the ice cream manufacturer comes from "servicing" for McDonald's and there are secret codes to unlock the machines.
"Over 40% of the revenue of the ice cream manufacturer comes from "servicing" for McDonald's and there are secret codes to unlock the machines." - That's "laissez-faire" America for you right there: cheats, frauds and crooks having a blast. In literally EVERY country in Europe they'd be investigated and (most importantly) prosecuted for fraud.
@@LasOrveloz "They do this with their farm equipment." - No, IIRC their method is much more sophisticated: they use components pairing and thus their machines "only" break if you attempt to swap those parts out yourself. This was much more sinister because those Polish trains literally broke for no apparent reason (i.e. a real fault).
How shameful that a company does this with public transportation equipment. Absolutely embarrassing and unacceptable. Thank you for the very interesting and eye-opening talk.
History has proven across many centuries that privatizing any element or fully of a social service from trains to boats, to electric and water generally ends up in poor quality predatory services. The world over needs to outright ban privatized social structures which are necessary for life. We shouldn't be forced to drive cars, we shouldn't be lorded over in locked trains, or at the whims of greedy shareholders because they want to reach quarterly goals by skimping on maintenance.
As an automation engineer who works in a maintenance team and manufacturing engineering in one of the Polish local automotive parts factories, I assume that it is not a coincidence that Newag chose such exotic equipment to use in their trains. It prevents somebody from an outside service from easily doing reverse engineering of the PLC software. Or maybe this is some kind of guideline when choosing the specific devices to be used in the train industry, but I don't think so. If they had, for example, used Siemens PLCs and other peripherals, it could be easier to find out what the case is, because we could just upload the program from the controller memory to the TIA Portal software and learn how the program works. Siemens provides enough documentation for understanding how to program their PLCs. The same with other manufacturers - Beckhoff, Mitsubishi, Omron... they are very common and easy to program. I know there is the possibility that the program blocks could be locked / secured with a password, making them impossible to open in the editor. But as far as I know it all depends on how the agreement between the customer and buyer is concluded; sometimes machine suppliers don't want to give me access to the PLC software, but normally it should be shared, for example if I want to find out online why the machine is not working as it should. Sometimes during repair of some machines in our plant I have also discovered bad practices of the programmers / machine integrators. Example - when we replaced one of the components of the machine it would not operate correctly because there was a device serial number mismatch (HMI panel). There was a function written in the PLC code which compared the serial number stored in the data block, and if it's not the same then it wouldn't be possible to switch the machine into "automatic mode". Redford, q3k, MrTick - good job, my congrats!
I'd rather think that this is because those exotic PLCs are way cheaper than Siemens ones. Most likely it's the same as with Asian companies manufacturing cheap electronics. Nowadays, they often choose microcontrollers from Holtek or Padauk instead of more common ones like AVR, PIC, ARM Cortex-M0 and the like in order to cut costs. Serviceability or even availability of debug and test equipment aren't really important because it's cheaper to replace a faulty PLC instead of repairing it in the field.
@@vbinsider Definitely that was not the case. The difference in price is not that significant unless you go for big-screen-resolution HMI panels. They probably have chosen a manufacturer that is not easily programmed but considered parts availability or the vendor going out of business.
Well, I do automation too, but in some cases you need a check - as is said in the video - different firmwares in the same device can behave differently. If I were the one implementing this behaviour, I would also lock the code - what is the point of "locking" the serviceability of the device to checks like this, when I provide unlocked code with the device and everybody with a few hours in the code can bypass the function?
Regarding hard coded serial number, it is highly possible that the component you were replacing was crucial to safety of the plant. Usually it is easy to replace the serial number but needs proper credentials for it (safety).
"It prevents somebody from an outside service from easily doing reverse engineering of the PLC software." - Heh, the fact that Ghidra already had support for this architecture means that this equipment isn't nearly as rare as the Newag guys thought it would be.... "If they had, for example, used Siemens PLCs and other peripherals" - I have a feeling that the PLC they've chosen was significantly cheaper than the Siemens stuff....
Believe it or not, straight to jail. This whole thing is so insidious, it's crazy. I've seen the writeup a few weeks ago and was shocked. Regulators and prosecutors really need to get involved with this thing. Great talk and I hope we will see some massive changes to make sure no other manufacturer ever tries this thing again.
And indeed, that's a possibility since Newag is now under criminal investigation under two articles of the Polish penal code (art. 269, sabotage of critical infrastructure, from 6 months to 8 years prison, and art. 286, unfavourable handling of the other party's property, i.e. the client's), as mentioned in another comment.
The geofencing enforced shutdown and shutdown based on date code is 100% egregious abuse. I hope the city gets all their money back for these trains. Also the company should be investigated to see if this is internal practice to add this malware. If so, programmers and managers should go to jail.
1. The trains are not being used by a single city, they're being used by various operators all over Poland, mostly owned by regional authorities (voivodships, kind-of equivalent to US states or German Länder). Some have also been exported to Italy and they are also supplying trains for the Bulgarian metro, but given that Newag doesn't do maintenance there they don't really have an incentive to cheat, so this scheme is limited to Poland (probably... hopefully).
2. They are being investigated by the prosecution for fraud and industrial sabotage.
I don't think the programmers should necessarily go to jail, maybe a hefty fine if they were paid off/bribed, but it's almost certain that they were given an ultimatum of some kind by their boss. Decisions like this are absolutely made by upper management, not the programmers.
@@OutbackCatgirl "I don't think the programmers should necessarily go to jail" - The programmers would've had the right to refuse doing work that's clearly illegal, so they probably won't escape a sentence either (although their sentence will probably be lighter). The main person to be prosecuted is the manager (company owner?) who was the mastermind behind this..
@@pietiebrein The law normally recognises that employees are subject to coercion because most people aren't financially secure enough to just quit their job. If your boss tells you to go break somebody's kneecaps, "I was just following orders" isn't going to be a defence, because breaking kneecaps is inherently illegal. But if your boss tells you to write some code to do xyz, you're generally not held personally liable, because writing code isn't illegal _per se._
Has been for 10+ years. In companies people responsible for procurement/ guarantee/ repair aren't paying from their own pocket and often got 0 consequences if the company suffers long-term losses because of their dumb decisions. And higher-ups have no clue what they are looking at (or don't care). "emergency repair: replacement of dingle-bob 32.3STFU v2 - 15.000$"
It's everywhere. John Deere is famous for this kind of crap. I work for a YT channel that has fun servicing various electronic devices. A while ago we had a circular saw from Milwaukee that wouldn't start. After some digging it turned out the microprocessor that controls the motor was busted. Out of curiosity we checked if replacing the CPU would help, but what we learned is that the firmware on the CPU is custom and locked. We would have to unlock the CPU to read the custom ROM, but the only way to do this is to type in a 16-character password, and if you type in the wrong password ONCE, the entire chip is instantly wiped clean. How insane is that? A freaking saw that if you try and read the ROM on a chip in order to fix it, it has a self-destruct function! Like, I sort of get it, you have to protect trade secrets, but come on, is this some kind of James Bond reference I'm not getting? XD
@@B3RyL On the other hand, this proved to be very handy when Russians stole dozens of Ukraine John Deere tractors and the factory disabled them remotely. It has pros and cons, so I'd say as long as the company is transparent about it ("We can disable stuff, we won't tell you how exactly because trade secret, but we can do it, turn to us with repairs of PC stuff"), then it's okay to me. But the train example here is basically intentionally sabotaging competing repair shops, which sounds insane.
After the case was revealed, Janusz Cieszyński (former Minister of Digital Affairs) admitted that the matter was known to the Council of Ministers and the special services since May 2023, when it was presented at the cybersecurity committee. Earlier, since 2022, the case was known to UOKiK and UTK. In October 2023, the Internal Security Agency filed a notification to the prosecutor's office in Nowy Sącz "regarding software for Impuls trains". In December, the regional prosecutor's office in Krakow took over the investigation and is conducting a case on the suspicion of committing crimes under Article 269 §1 and Article 286 §1 of the Penal Code.
Googled and translated these articles of Penal Code: Art. 269 § 1. Whoever destroys, damages, deletes or changes IT data of particular importance for the country's defense, security in communications, the functioning of government administration, another state body or state institution or local government, or disrupts or prevents the automatic processing, collection or transmission of such data, is punishable by imprisonment from 6 months to 8 years. [...] Art. 286 § 1. Whoever, in order to obtain a financial advantage, causes another person to unfavorably dispose of his or her own or someone else's property by misleading him or her or by taking advantage of an error or inability to properly understand the action undertaken, shall be subject to the penalty of imprisonment from 6 months to 8 years.
@@seedz5132 Art. 286. [Fraud] § 1. Whoever, with the aim of obtaining financial gain, leads another person to a disadvantageous disposition of their own or someone else's property by deceiving them or exploiting a mistake or inability to properly understand the undertaken action, is subject to imprisonment from 6 months to 8 years. § 2. The same penalty applies to anyone who demands financial gain in exchange for returning property unlawfully taken. § 3. In less serious cases, the perpetrator is subject to a fine, restriction of liberty, or imprisonment for up to 2 years. § 4. If the act described in §§ 1-3 is committed against a close relative, prosecution occurs upon the victim's request. Art. 269. [Damage to Computer Data] § 1. Whoever destroys, damages, deletes, or alters computer data of particular importance to national defense, communication security, government administration functioning, other state bodies or state institutions, or local government, or disrupts or prevents the automatic processing, collection, or transmission of such data, is subject to imprisonment from 6 months to 8 years. § 2. The same penalty applies to anyone who commits the act described in § 1 by destroying or exchanging a computer data carrier or destroying or damaging a device used for the automatic processing, collection, or transmission of computer data.
Many modern PLCs can be programmed in C or C++, but not all manufacturers document the hardware to that level. Siemens is an example of a company which does officially support it, and their newer PLCs actually run Linux.
As far as I know, only the "ODK" PLCs from Siemens support this. I think there is a new way with Xcelerator or something like this, but this is only in a limited testing field. But a normal 1200 or 1500 PLC cannot be programmed with C or C++ in TIA Portal. The only possible languages are FBD, LADDER, AWL, ST (SCL), Graph and CEM (not all languages are supported by the 1200 series).
Tractors, trains, cars, computers, phones, and other things of which we thought they were utilities. But with the "magic" of DRM you can extract rent from the users, so that buying is not buying but renting. You will own nothing and you will be happy.
They have the right, but it's bad that they run around conferences with this. Plenty of manufacturers use such practices; have the Germans already forgotten about the Volkswagen affair? They latched onto a Polish company of all things. Train production is one of the few industries where Poland does anything under its own brand. And even so, looking at e.g. locomotives, barely 1/3 of new locomotives are Polish products, and the rest is Siemens and Bombardier. Newag will be in the shit, and great, we'll buy the rest of the trains from Germany and it'll be wonderful. Just like the Union wanted.
@@Orzeszekk And what, should they sit quietly and say nothing out of some misguided patriotism? It's not their fault that Newag shits in its own nest. No conspiracy theories need to be cooked up here.
@@Orzeszekk Po pierwsze - nie doszukuj się obcych działań tam, gdzie ich nie ma lub są mało prawdopodobne. Newag mógł nie kombinować, a to robił i nadal robi. To jest decyzja podjęta wyłącznie przez nich. Więc nie, nikt się tu nikogo nie uczepił. Pilnują, aby ten producent dotrzymał swojej umowy. Przypominam, że w drodze przetargu ten zobowiązał się nie tylko do dostarczenia EZTów, ale również CAŁOŚCI dokumentacji i oprogramowania niezbędnego do wykonania przeglądów P3 lub P4 (zależnie od operatora). Czego jak widać nie zrobił. Oraz żeby ten rzekomy producent działał zgodnie z prawem, czego jak się wydaje, również nie robi. Mówisz, że inni producenci robią tak samo. To wskaż mi kiedy np. Siemens, Fiat, Alstom czy nawet PESA albo Fablok miały takie afery oraz, jeżeli były, jaka była ich reakcja, postępowanie i następstwa prawno-sądowe... Ale rozumiem, że skoro pewna partia (czy raczej "Partia") mówi, że wszystkiemu są winni Niemcy lub Unia, więc tak musi być... Tyle że nie. Tak nie jest. Pomijając kwestie geopolityki i tego, jak mało same Niemcy czy nawet UE znaczą na globalnej arenie międzynarodowej, VAG też złapano za ręce i też musiał naprawiać szkody. W USA czy Kanadzie odkupywali kilkuletnie, używane auta po pełnych lub blisko pełnych cen zakupu pojazdów! A masa problemów jeszcze przed nimi bo z tego co wiem w tle wciąż majaczy widmo cofnięcia europejskiej homologacji dla pojazdów z problematycznymi jednostkami napędowymi. Notabene analogiczna sytuacja jest tutaj bo UTK teoretycznie może cofnąć homologacje Impulsów ze zmienionym oprogramowaniem, jako że to nie było częścią pojazdu w momencie certyfikowania. To by była heca, jakby się okazało, że Newag musi przyjąć używane przez kilka lat EZTy, zwracając koszty przetargów... Jest to tylko i wyłącznie ich (Newagu) wina, a nie jakichkolwiek "niemców", jak to mówisz. Po drugie - mamy jeszcze Pesę czy Fablok, produkcja Alstomu czy Siemensa również odbywa się w Polsce. 
So the product is Polish, the factory's taxes are paid in Poland, as are the taxes of that factory's employees. We also have a whole host of subcontractors producing components for the railways, including for those foreign manufacturers. Plus several other, smaller plants capable of producing rolling stock. But a certain TV station didn't mention that, did it? Just as it didn't mention that some of these factories would not exist at all if not for foreign investment. Because that contradicts the terribly stupid, crude narrative stripped of all facts. But fine, we are a nation that can exalt itself above others in one sentence only to show three words later how envious it is of them. Which, by the way, you did in your own comment. Because after all, producing for others is a disgrace! After all, China didn't become, and India isn't on the way to becoming, a global economic and military power precisely by producing for others...
@@Orzeszekk and damn right too; take it up with the small-time boss who sabotages a strategic branch of his own country for a few shekels, not with whoever exposed it. What the fuck kind of logic is that xD
I doubt firmware will prevent the thing from self destructing - these days they break due to lack of structural integrity and the cheapest way possible of designing/building those things.
Excellent work even with that tight deadline! That geo-fencing is the real smoking gun for me showing they're not legitimate locks and without a doubt an anti-competitive measure along with the timeline of the updates. I hope Newag gets some well deserved fines (and maybe criminal charges) from the Polish government but is also forced to disclose the PLC source code to customers, the courts and maybe another future talk's slide deck.
Three smoking guns -- geofencing, _predicted_ failures on _predicted_ days, and a matched check condition on two systems (the HMI and PLC both looking at >=21 days of service, then movement, but neither of them sharing a codebase)
Great work of the hacking team! This is why Right to Repair is so fundamentally important. All kinds of equipment needs to be serviced, from consumer, to medical, industry, transportation and military.
It reminds me of a story from a train mechanic I overheard while travelling by train once. He said that while adjusting the valves he would make one other valve little loose, so that it causes a problem in the future. He noted which valve, which gave him an advantage for the job. He would truthfully declare that this would take 10 minutes and he fixed the valve and made another loose. A person without the knowledge about which valve was loose, would need to check all 12 of them and clock 120 minutes.
When I saw the title I assumed this would be just some hacking of some train systems just as an exploration, but wow, that is a real DRM, and a lot of malice discovered. As a Pole living in Switzerland, I really hope the manufacturer will see the consequences of their actions. Geofencing and date locks, totally illegal.
This presentation should be set as mandatory educational material for all legal and purchasing departments. Well done!! And thanks for making your findings public!
The Selectron CPU 83x series processor is based on the industrial 68000 version, the 84x is based on ARM processors. The PLC log of these machines can be pulled from the unit with a basically free tool. In that log you can see when the software was uploaded and what the Windows user name was; the timestamp can be wrong because the RTC only runs for a limited time if power was lost, and it can also be altered with the same tool. But then again this change of the RTC time will show up in the PLC log report.
This is important, not just for Poland but it is a clear precedent that all countries, counties, towns, cities, municipalities need to look into this side of things. Trusting private companies to run our stuff is a risk and they have to be fully transparent about EVERYTHING. At worst, these can be used as part of cyberwarfare, sabotage at a distance.
And that mystery box (probably an RPi and serial interface bus) linking the PIS mobile 4G comms to the train data bus would be the exact vehicle to do it via...
I had already forgotten about this case and didn't expect to find a conference talk on the topic; it's good to hear in detail, first-hand, what really happened. Good job guys 😊
This is such an amazing talk, I can't believe how difficult it must have been to reverse engineer all that code to find these awful anti-competitive blocks, well done to the team!
About the re-certification topic: If newag partitioned their code into safety-relevant and non-safety-relevant parts, they might be allowed to make changes to non-safety-relevant parts without requiring any certification.
As the train's manufacturer they get to decide if it's a significant change to code. For example, "does it change the train's response to driver inputs?", like a change to brake controller behaviour, electrical braking only in brake steps 1 & 2, instead of blended (friction & electrical) braking beginning in step 2. That would require recertification, obviously.
@@capnskiddies surely any change to the ability to move the train affects safety, if there is a fire in the service yard and you need to move stock to prevent it burning then it being disabled for anti-competitive business reasons is safety critical. Also, disabling the train does change the "response to driver inputs".
Reading about the story and timing of things, that was crazy! Any time I saw these new trains on Polish stations, I expected them to be of decent quality. Well, the producer had other priorities. Cause programming malfunctions into equipment is not quality. Huge respect guys for solving this insane puzzle.
Very interesting, informative and entertaining! I wonder how many other big companies might be doing something similar to keep service income high and probably as a side effect also discredit competitors in the repair market. This is insane. The amount of different illegitimate locking mechanisms is impressive and it seems like there was either criminal intent to make every failure look a bit different, so no one would get suspicious if all the trains had the same problem on the same day, or they were incapable of even installing their own significantly altered and malicious code properly on the trains. I really wouldn't want to imagine what could happen if one of the locks misfired at the wrong moment and led to a serious accident.
Actually some of the “locking” mechanisms are just normal security measures. When there is not at least one functioning compressor left it's a good thing that the train will not be allowed to move on its own, but after that is fixed the locking mechanism must release itself or maintenance should be able to reset the lock. Whether that is by a tool or the HMI or a “cheat” code doesn't really matter. What is concerning is that they say the software version was different from train to train. Because that should not be the case. After production and development, and validation of all the requirements, the software will be “frozen” and trains running in service all have the same software version on that fleet. But don't mistake that for a memory dump from a train CPU memory that was in service; there of course will be a lot of stored data that differs between trains, like the train number itself and various counters, or for example all the wheel diameters. Therefore you need to look carefully at what is code and what is variable data.
@@jm3779 I would expect any normal security measures to be documented and known to all relevant parties. So if secondary compressors don't work, the HMI should at least say the train is not ready to go, call maintenance; to the maintenance worker: the compressor is not working, check it; all of that documented in a thorough "what to do when...". The abnormal security measures, as presented in the video: HMI says everything is ok, maintenance says everything looks ok, and computer experts say the CPU decided to power down the inverters because the train is out of warranty.
Excellent work folks. Not just on the reverse engineering, but also on the presentation. Zero bullcrap/fluff, straight to the point. The comparison train sure got famous. "This is *not* how you compare dates." Indeed, I wonder what effin connections you have to have to get hired as a coder while producing such an atrocity. I sure hope Newag gets punished way beyond a considerable fine. This is not just a monopolist stunt. This shit is actually dangerous and eerie (nationwide emergency transport case).
Lovely to have this talk, it's not long since I heard of the article. I wonder if this allows fighting corruption better, but fingers crossed. Pretty hilarious case, big shoutouts to these guys doing a massive job.
i'm glad this went public, companies should not be allowed to do this, especially not when it involves crucial infrastructure. this was an interesting presentation and i'm glad they had the balls to speak up about it despite companies threatening them with lawsuits.
Great work, great presentation! I always wonder how many of the microcontroller-based devices around me contain such gems (and how many can have them added by an update :) Greetings from Poland!
I never thought that the world of train servicing could be so captivating. The way you delved into the technical intricacies of the train control system and the reverse engineering process was both fascinating and accessible, even for someone with a non-technical background like mine
The fact that these trains are certified to run on a public rail system with a set of undisclosed and evidently poorly written lock functions is to me the most terrifying part of this interesting presentation.
You have to hand it to them: they actually successfully found a way to implement very important business logic into mundane operation controllers. Hats off.
Awesome to see experts doing a really good job, making the world better and also being able to communicate the results in an understandable form! :) Mockery and derision for the responsible department at NEWAG; it is a shame to throw away personal engineering principles for this absurd attempt to make money :(
Idk abt trains and only have very superficial IT knowledge, but I love these types of talks connected to real world problems/conspiracies, e.g the xerox stuff and other analyses
One of the presenters seemed a little concerned that the process could “get political”, but I think that is the best outcome for this: regulation and legal repercussions are the right way to deal with the company that did this and to prevent it from happening in the future. (I am still sympathetic, though: it is easier and more fun to dig into code and play with hardware than it is to talk to lawyers and legislators, especially if the hardware is literal trains!)
If confirmed, all of that stuff is already illegal in Poland. There's nothing that getting political can make better. At minimum it will hamper the investigation, at most it will just target the hackers, due to retirees in parliament seats not understanding digital technology.
It could be political in a way that the company is producing tangible industrial goods, paying taxes and offering jobs and making it suffer could have a negative political effect.
@@acidumirae Well every company does those things, including the bad ones. No, he's worried because until very recently, Poland had a corrupt far right government with close ties to the bad company. The government lost the election, though, so we'll see what happens next.
Great work guys! This "if" with dates was hilarious. I will use this date comparison example in my lectures (mentioning the source, of course); it will only add spice to it. As a side note, I'm already sorry for this poor trainee who wrote || !tested this code.
Absolutely awesome story. The reputational damage to Newag is huge. They will have to do something outstanding to wash away that shame. But how can something like this be prevented in future? Should it end up with a legal requirement to supply the source code together with a firmware update? Code review by customers or a certifier before code gets into the train?
The sad thing is that such regulation will likely only do more harm than good. What if the manufacturer just sends you obfuscated code? Code that only they can understand is not so different from a black box binary. Even worse, with advances in NLP they can obfuscate the code in a way that looks like normal code to untrained eyes, but breaks in mysterious ways when you attempt to modify it. Then what? Make regulations requiring explanations for every line of code? I totally get the good intention, but the reality is always complicated.
Mad props to the one employee at SPS who was smart enough to realize something weird was going on, and smart enough to realize they couldn't tackle it alone.
I can't believe they just googled 'best polish hackers' and found someone who could do it
"so they didn't have any idea what to do. So they Googled Polish hackers and found us" is one of the best parts of the talk lol
@@aspzx Ikr? Reality is better than memes sometimes
@@iaial0 In such cases, the reality usually _becomes_ a meme, as I suspect this will
@@iaial0 the very neat thing about reality is that unlike fiction, it doesn't have to make sense to sound plausible, since it is reality lol
"International compressor failure day" this is great! LMAO
Days* as it happens twice a year:D
@@xanowich And for 10 days in November and then 11 days in December, so 21 days in a year in total. Notice that the condition was "equal or greater than".
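The calendar arithmetic in the reply above, worked through as an added example; this is not code from the talk, from the commenters or from Newag. The per-field comparison (month tested with ">=" against 11 and day tested with ">=" against 21, independently) is an assumption reconstructed from the reply's description, chosen because it reproduces exactly the ten-day and eleven-day windows counted there. The block enumerates every day of a constructed sample year and contrasts that field-wise check with a comparison against a single cut-off date, the way a date check should be written.

```python
from datetime import date, timedelta

# Assumed reconstruction of the per-field check described in the thread:
# month and day are each compared with ">=" against the cut-off, separately.
CUTOFF_MONTH = 11
CUTOFF_DAY = 21


def fieldwise_check(d: date) -> bool:
    """Naive check: treats month and day as independent fields (assumption)."""
    return d.month >= CUTOFF_MONTH and d.day >= CUTOFF_DAY


def proper_check(d: date, cutoff: date) -> bool:
    """Correct check: compares whole dates, so it fires on every day from the cut-off on."""
    return d >= cutoff


def days_in_year(year: int):
    """Yield every calendar day of the given year."""
    d = date(year, 1, 1)
    while d.year == year:
        yield d
        d += timedelta(days=1)


def matching_days(check, year: int) -> list:
    """All days of the year on which `check` returns True."""
    return [d for d in days_in_year(year) if check(d)]


def proper_matching_days(year: int) -> list:
    """Days matched by a whole-date comparison against the same cut-off."""
    cutoff = date(year, CUTOFF_MONTH, CUTOFF_DAY)
    return matching_days(lambda d: proper_check(d, cutoff), year)


def contiguous_runs(days: list) -> list:
    """Group sorted dates into (first, last) runs of consecutive days."""
    runs = []
    for d in days:
        if runs and d - runs[-1][1] == timedelta(days=1):
            runs[-1] = (runs[-1][0], d)
        else:
            runs.append((d, d))
    return runs


def per_month_counts(days: list) -> dict:
    """How many matching days fall in each month."""
    counts = {}
    for d in days:
        counts[d.month] = counts.get(d.month, 0) + 1
    return counts


if __name__ == "__main__":
    year = 2023  # constructed sample year; November and December look the same in any year
    naive = matching_days(fieldwise_check, year)
    right = proper_matching_days(year)
    print("field-wise check fires on", len(naive), "days:", contiguous_runs(naive))
    print("whole-date check fires on", len(right), "days:", contiguous_runs(right))
```

Running it lists two windows for the field-wise check (21 to 30 November and 21 to 31 December, 21 days in total) and a single run from 21 November to the end of the year for the whole-date comparison. The review lesson is the one the thread keeps circling back to: a date condition in controller code should compare one ordinal value (a date object or a day count), and any calendar-dependent branch in firmware is exactly the kind of thing a code review, or a customer reading the source, should be able to flag.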
Sadly "international" is apt here, since newag does have international buyers (angry face), although probably not for long.
57:15 for the skippers. Don't skip though.
@@Piotrek7654321 What were the dates again?
The 61-minute-session was more exciting than anything I've watched on Netflix in 2023.
Yet another instance of indies outperforming the AAA's😁
I'm personally okay with the fact that Netflix doesn't make shows about the IEC 61131-3 standard. That being said, I also haven't watched anything on Netflix at all in the past year.
I would have asked them which Hollywood star they want for each of their roles in the inevitable TV drama!
If you liked this, the post office stuff on ITV is pretty gripping.
100%
Such undocumented blocking functions can have most serious consequences in the event of a national emergency, whether due to natural disasters or war. Therefore, criminal law should be applied accordingly, taking full advantage of the appropriate penalty framework.
On top of that, what happens if the company goes out of business? Sure, someone else will buy the assets of the company, but while the new owners are getting caught up on the code do all of the trains everywhere in the world stop working in the meantime?
Quite simply, the company should be forced to dissolve and close and anyone that had anything to do with this should be jailed.
This is the only way to deter companies from doing this malpractice.
@@JohnDoe-bd5sz Silly, knee-jerk reaction. It's not the company who is at fault but a few people, some of them at the top. If you were to dissolve the company, what would happen to hundreds, if not thousands, of innocent workers? This kind of knee-jerk bullshit, headline style reaction is just as bad. Grow up.
@@roo72 The problem is, this will just end up like the DieselGate scandal, the top people will claim this was just some rogue employee or employees that did this, and the top had no idea.
In the end some engineer or a few of them and some mid level manager, will get fired and possibly jailed and the ones in the top, that did the actual ordering of these criminal practices will go free, and the company will just continue to do this.
Next iteration will be even more nefarious and obfuscated / encrypted.
The only way to stop these people is to dissolve the company or at least force the company to get a completely new leadership, and subject it to some form of government oversight, where they will be forced to pay the government to supply them with some check-engineers that will have to sign off on anything they do with the software in the future.
@roo72 Ok, maybe not _dissolve,_ but certainly something big to -force- convince every other mf against doing that.
Amazing work. You guys are heros for publicising this and presenting it so clearly for everyone to see. I hope that Newag loses a lot of business for this.
I'd like to see a requirement to provide source code from public transits infrastructure manufacturers in the future, because I strongly suspect that Newag is not the only company doing anti-competitive things like this in their code.
Even the bicycle riding communist is for more competitiveness 😤
Nice to see you here. It's pretty crazy that you can own the train but not what makes it tick. Even if there was nothing nefarious going on, what if the company went out of business? All that code could potentially be gone forever and there would be no way to fix any bugs that crop up in the future. Source code and toolchains should be provided so that the providers can build from source and directly upload firmware. IP rights shouldn't be able to dictate whether a train can turn on or not.
That was my thought as well, considering the behaviour of large firms of other commercial vehicles (John Deere).
More concerning to me is the mystery undocumented internet-connected box.
publicly available infrastructure, publicly available code
I can confirm that both Germany's and France's leading train manufacturers are also doing this...
wow this is wild, another example of why right to repair and open hardware are SO important
This isn't really right to repair. Newag didn't sell the locomotives with a requirement for themselves to do the maintenance. This is straight up fraud.
@@windwalker5765 but clearly if it's designed to only be repairable at a manufacturer's shop it's meant to give the impression that external maintenance isn't sufficient which would suppress external maintenance for no valid reason
Restricting right to repair and being fraud aren't mutually exclusive
This is exactly what right to repair means, having access to ALL of the relevant documentation for the things you own. The lockout code was hidden from the owners of the trains and it screwed them over. @@windwalker5765
This is deliberately designed to disable functions of a critical-infrastructure piece of equipment in such a way as to make it appear a 3rd party repair service caused damage. This would fall under deceptive business practices and possibly under laws regarding interference with commerce and public transportation with malicious intent. In the US doing this would be prosecuted under several serious laws under the "patriot" act.
@@iotkualt I would argue that intentionally restricting right to repair is always fraud, but sadly that's not the law as it stands now in most countries... but yeah Newag clearly went above and beyond when it comes to that kind of sabotage
somehow i get the feeling that if you want to screw over customers by restricting their ability to repair their purchases... maybe dont do it to the governments of countries... they kinda have just a little bit more power and leverage to fight back
These updates done by Newag days before the maintenance sound like a clear case of computer sabotage. That's not only "doing updates" without re-certification, that's doing updates with malicious intent also known as "installing malware"
But it was "a third party contractor", like all bad things any company does.
"doing updates without re-certification" reminds me of the Boeing 737 Max fiasco... updating planes' software without pilot retraining
@@driverpsyche Max was different scenario but also cheating because money first...
"These updates done by Newag days before the maintenance sound like a clear case of computer sabotage." - I think that they don't have any strong evidence for that (without somebody from Newag actually snitching on their managers, which would be nice), that's why they didn't mention this explicitly in the presentation either. They would've had to do firmware dumps before the Newag guys came, but they probably didn't.
@@CoolKoon They said in the video that they have a lot of different versions of the code and they also said that they extracted the logs from the PLC which show the history of updates to the firmware.
Awesome presentation.
Newag should not just get fined. This warrants an investigation of the company internals and the people responsible for such malpractice should pay with some of their time. Community service or some jail time.
Dissolving such companies would surely be a deterrent for others to follow suit.
Edit:
All software and hardware schematics used by the government should be fully open source.
Right to repair is a must. Software locked hardware like heating in some cars is ridiculous. If it is cheaper to build it into every car you shouldn't be allowed to charge extra for it.
Also tangential to this I believe copyright is too long. 70 years? Should be more like 12 years. If you don't innovate in 12 years your company should go under anyways.
That was just my thought. This is not just stupid, this is criminal.
Last time a scandal like this occurred was the Volkswagen emissions scandal and -excluding the fines- the first person penalized was one of the engineers. None of the managers were penalized. Though I 100% agree that whoever responsible for the decisions should be held accountable but I am a bit pessimistic on this too. I sincerely hope the Polish and EU institutions prove me wrong this time.
Newag's owner is very close to PiS. He has protection. That's why they said "this is going to get political"
No, someone needs to go to jail.
Newag responded by filing suit against the team that uncovered this shit. Imagine my shock.
This will end with prison time for Newag higher-ups. If this was done to some machine for a private entity, I wouldn't hold my breath, but that was actually equipment for a government co-owned entity. Those people are fucked and they know it.
Incredible work. Those PLC binaries are an absolute nightmare to work with and I generally tell clients that any useful black-box assessment is going to cost them way more than they would ever want to pay. Getting this quality and depth of reverse engineering done on such a challenging platform within such a short space of time is extraordinarily impressive. The fact that you were doing this to defeat predatory DRM is the icing on the cake. Huge props to all of you.
I hope they got paid well for this.
Nightmare? Those are Tricore processors, same as in Volkswagen.
As a Polish citizen I'm proud of them! That's like a movie story, 43 minutes before the deadline they started it
The presentation also wraps up at 43 minutes. Maybe the answer isn't 42 after all.
If they make a movie out of it, the hacking is going to be all over the place
So like the Christmas movie Vabank, but with the events on 21 of December
BTW I'm not familiar with Selectron PLCs, but Siemens, Omron, Moeller and Rexroth all allow you to upload a PLC program from the PLC (yeah, the logic is different there: downloading means you transfer the program from PC to PLC, uploading means the opposite. Upload and download aren't about the direction the files go, but the network hierarchy they go through. In the hierarchy the internet is above your machine, and you load up to it if you send data, load down when you receive; but devices like a mouse or a PLC are below your computer, so sending data is a download). It's just strange...
I'm rooting for a movie about this story... :D
Wow! It's amazing that a traditional company trusted to collaborate with the hackers to find these instead of just giving up!
Money is a strong motivator. I think it's more the idea to ask hackers that needs a lot of credit rather than going through with it.
In the US, this would never be able to happen. It'd be questionable in most of Europe as well. Former Soviet block countries and Nordic countries tend to have a lot more "get shit done" attitudes.
Actually they might have had some doubt that something fishy was going on. Giving up would have meant accepting to give away some business to others without having a clue of the reason... Still, the guy at WPS who signed off on getting hackers on board should get a hefty bonus 🎉
@@himaro101 Would that be not allowed by the law in US?
"White-hat hacking" isn't something unheard of. Hiring a security company for an audit (they both try to hack you and analyze the code for possible security issues) is not unheard of. Though usually companies pay to have themselves and their own products audited. Here it's different, but not by much: they hired the hackers to find a solution for how to fix the train, because they couldn't do it themselves. Kind of just outsourcing. I was not shocked at all that they decided to hire someone to investigate the issues.
As a Pole I'm glad this is getting publicity. It's in the best interest of my country and the whole world to show manufacturers that these kinds of practices will sooner or later catch up with them and tarnish their good name. There are ethical ways of getting on top of your competition, for example being a good effin company providing good services, not being frauds. It's really sad that the current state of our world is such that companies focus on making profits first and, if there's any time left, then perhaps on providing a good service/product second. But profit oriented people are too short sighted to see that what guarantees long term profit is trust. Trust that your consumers have in you that keeps them coming back to you. I know these guys were contracted by the competition to do this so it is not like they did it purely out of good will, but you can see that they are passionate about this and wanted to make the world aware of such fraud upon learning about it while working for SPS. They are good people.
Part of the problem is that nowadays, companies are often owned temporarily by private equity firms that are only interested in very short-term profits, sometimes even keep changing hands between several private equity firms. Of course even when that's not the case, there is still the problem of management getting bonuses based on short-term profits.
@@johaquila Yeah. That's the problem of the entire system we live in, sadly.
My Scout brother
I think one reason for that is, that most penalties are not painful enough so the financial risk is not large enough to prevent this behavior. Imagine making 100 million profit in 10 years and then having to pay 10 million penalty ... that's still 90 million profit.
@@infinitynoka2209 Brother... There aren't many of us left.
26 non-incremental code versions for 30 identical(??) trains... It seems to me that the Newag Agile Release Train is fully functional... 😬
They are just doing A/B testing.
At that point it's more like alphabet testing
Just adding onto this thought. If one of these trains has already reached End of Life (or ran enough to need a full overhaul) then I would guess that the software is far beyond the testing phase. I can understand that if the delivery schedule was a bit too quick for full testing of all functionalities, the software was still incomplete during delivery of the first trains. But this far into the life of these trains and with normal maintenance, these trains all need to be running the same software. Or maybe the last two versions or something. These are all the same series of trains. They should be the same hardware.
I think I know what happened here. I am not familiar with this flavor of PLC (I do Allen-Bradley), but I imagine all of the PLCs are programmed from the IDE instead of a binary file. As such, it would be recompiled every time they download the code to the PLC, and any small change would be reflected in the binary files. Such small changes could include serial numbers (hard-coded as they basically change a constant in the code) or adding the new kill checks. If the PLC holds a copy of the source code even changes in comments would stand out in a diff.
I am sure they would have checked for a local copy of the source code first (stored as a database file) even though they haven't mentioned it. That said, the method they used to pull the machine code might not have been able to pull the database file.
Oh, that is just PLC programming and mechanical engineering. Everything is just "unique", but those professional PLC programmers hold it together, with duct tape and string..
Time to add full source code disclosure to the bid specifications…
Only to discover at the end of the maintenance contract that you bought crappy code, and even OK'd it. Because well ... why even pay some nerd to do unimportant checks before you sign the deal of the century?
«Nonfree software is an injustice and should not exist.»
~ Richard Stallman
And you won't get a single bid. The only people that get source code are the DOD and you know what they pay for it.
@@otm646 No, you'll get one bid by the one company that noticed they can charge 10 times the equipment's worth if they are the only bidder. And the next time everyone's in again because they want that nice 91% profit margin, too.
And it will work even better when all train operators insist on getting the code. Because any company not bidding will also not sell any trains.
The railway operators are more like defense apparatus than individual car buyers. They already pay a lot, they don't have much of audience competition, they are considered strategic state assets, and they have comparatively easy access to legislature
It was a good question at the end: Do they sell in other countries? Yes
It'll be interesting to see this become a multi-national scandal outside Poland as well, the EU will need to get involved, at least assuming only EU... It's like the train version of vw's diesel emissions "hacks".
Newag's international deliveries outside Poland were limited, I recall only two contracts in Italy for just a few units. Newag has no maintenance business there, so no reason for cheating.
The bigger contract in Bulgaria was for the manufacturing of Siemens' metro trains, and a French company just ordered Newag's locomotives last month.
@@Maciek888 Thank you for that!
I'd expect anyone having dealings with them now or in the future will question their ethics for any consideration should they apply for new bids after this. Oh look, it's "those guys".
Actually it is worse than the diesel hack... that was meant to hide pollution, but this is forced service on otherwise functional units, and trains ain't cheap...
These "foreign" Newag train units could be good evidence in the trial. I'm not sure, but I suppose that those Italian trains made by Newag will not have such malware, because they were just sold without the maintenance package after the warranty period. The operating area of those Italian trains is far away from the Newag workshop in Poland. I don't know where those trains are actually serviced but I assume somewhere in Italy and not by Newag staff, because it is not worth transporting them thousands of kilometres from Italy to Nowy Sącz only for service. The trick is that those Italian trains also have GPS and GSM devices and nobody knows if it is possible to implement malware remotely.
The trick is also that these Italian operators which had owned Newag trains, refused further purchases from Newag although they had such option. They had a quarrel with Newag when some of those trains just stopped, needed servicing and Newag didn't give approval of fixing the units without its participation. The narrow gauge Newag trains in Sicily were out of service for 16 months. And Italians didn't agree for Newag "proposal". Sicilian Newag units have been finally serviced by Spaniards (CAF). And Sicilian train operator decided not to buy any further Newag trains.
Wikipedia lists a local operator in south eastern Italy (Ferrovie del Sud Est) running 5 Newag Impuls trains...
That's mean... they made it look like parking the train for a while made the secondary compressor go bad...
Finding the geo fencing areas feels a bit like those Diesel exhaust controller speed-distance regions.
"Finding the geo fencing areas feels a bit like those Diesel exhaust controller speed-distance regions" - Yeah, but this is even worse, because it's a clear-cut anti-competitive behavior. There's no way they can explain this away in any way possible.
Both are anti-competitive behavior. VW cheated emissions tests so they could sell cars with performance their competitors couldn't (legally) match.
This is the exact same reason why a lot of ice cream machines are broken at McDonald's in America. While the main McDonald's company has secret agreements with the ice cream machine manufacturer, it is a pain in the ass for the actual franchise owners to service their ice cream machines, because they frequently stop working and basically every other step in the manual for the McDonald's employees states "call certified repair technician". Over 40% of the revenue of the ice cream manufacturer comes from "servicing" for McDonald's and there are secret codes to unlock the machines.
And John Deere. They do this with their farm equipment.
It's worse than that: their stock is owned in part by the same financial firms, and they do it to boost stock prices.
"Over 40% of the revenue of the ice cream manufacturer comes from "servicing" for McDonald's and there are secret codes to unlock the machines." - That's "laissez-faire" America for you right there: cheats, frauds and crooks having a blast. In literally EVERY country in Europe they'd be investigated and (most importantly) prosecuted for fraud.
@@LasOrveloz "They do this with their farm equipment." - No, IIRC their method is much more sophisticated: they use component pairing and thus their machines "only" break if you attempt to swap those parts out yourself. This was much more sinister because those Polish trains literally broke for no apparent reason (i.e. a real fault).
@@LasOrveloz "you'll own nothing and you'll be happy."
I was not expecting to watch a 1h long presentation about hacking trains and enjoy it so much!
I never imagined you could spend 1h away from -suffering- factorio!
Need more constant combinators and chain signals...
Cheers.
hey Trupen you rock!
have a great day!
Every factorio player is a software engineer in the making
How shameful that a company does this with public transportation equipment. Absolutely embarrassing and unacceptable. Thank you for the very interesting and eye-opening talk.
History has proven across many centuries that privatizing any element or fully of a social service from trains to boats, to electric and water generally ends up in poor quality predatory services. The world over needs to outright ban privatized social structures which are necessary for life. We shouldn't be forced to drive cars, we shouldn't be lorded over in locked trains, or at the whims of greedy shareholders because they want to reach quarterly goals by skimping on maintenance.
As an Automation Engineer who works in a maintenance team and manufacturing engineering in a local Polish automotive parts factory, I assume that it is not a coincidence that Newag chose such exotic equipment to use in their trains. It prevents somebody from an outside service from easily doing reverse engineering of the PLC software. Or maybe there are some kind of guidelines when choosing the specific devices to be used in the train industry, but I don't think so. If they had for example used Siemens PLCs and other peripherals it would be easier to find out what the case is, because we could just upload the program from the controller memory to the TIA Portal software and learn how the program works. Siemens provides enough documentation for understanding how to program their PLCs. The same with other manufacturers - Beckhoff, Mitsubishi, Omron... they are very common and easy to program. I know there could be the possibility that the program blocks could be locked / secured with a password, making them impossible to open in the editor. But as far as I know it all depends on how the agreement between the customer and the supplier is concluded; sometimes machine suppliers don't want to give me access to the PLC software, but normally it should be shared, for example if I want to find out online why the machine is not working as it should. Sometimes during repairs of some of the machines in our plant I have also discovered bad practices of the programmers / machine integrators. Example - when we replaced one of the components of the machine (the HMI panel) it would not operate correctly because there was a device serial number mismatch. There was a function written in the PLC code which compared the serial number with the one stored in the data block, and if it was not the same then it wouldn't be possible to switch the machine into "automatic mode".
Redford, q3k ,MrTick - good job, my congrats!
I'd rather think that this is because those exotic PLCs are way cheaper than Siemens ones. Most likely it's the same as with Asian companies manufacturing cheap electronics. Nowadays, they often choose microcontrollers from Holtek or Padauk instead of more common ones like AVR, PIC, ARM Cortex-M0 and the like in order to cut costs. Serviceability or even availability of debug and test equipment aren't really important because it's cheaper to replace a faulty PLC than to repair it in the field.
@@vbinsider definitely that was not the case. The difference in price is not that significant unless you go for big screen resolution HMI panels. They probably chose a manufacturer whose devices are not programmed easily, but considered parts availability or the vendor running out of business.
Well, I do automation too, but in some cases you need a check - as is said in the video - different firmwares in the same device can behave differently. If I were the one implementing this behaviour, I would also lock the code - where is the point of "locking" the serviceability of the device to checks like this, when I provide unlocked code with the device and everybody with a few hours in the code can bypass the function?
Regarding hard coded serial number, it is highly possible that the component you were replacing was crucial to safety of the plant. Usually it is easy to replace the serial number but needs proper credentials for it (safety).
"It prevents that somebody from outside service could easily do reverse enginnering of the PLC software." - Heh, the fact that Ghidra already had support for this architecture means that this equipment isn't nearly as rare as Newag guys thought it would be....
"If they for example used an Siemens PLC`s and other peripherals" - I have a feeling that the PLC they've chosen was significantly cheaper than the Siemens stuff....
Believe it or not, straight to jail. This whole thing is so insidious, it's crazy. I've seen the writeup a few weeks ago and was shocked. Regulators and prosecutors really need to get involved with this thing. Great talk and I hope we will see some massive changes to make sure no other manufacturer ever tries this thing again.
Lets hope the fines are a significant % of global turnover... The penalty needs to really really hurt if it's to be a discouragement..
and indeed, that's a possibility since Newag is now under criminal investigation under two articles of the Polish penal code (art. 269, sabotage of critical infrastructure, from 6 months to 8 years prison, and art. 286, unfavourable handling of another party's property, i.e. the client's), as mentioned in another comment.
do you have the writeup? I can't find it
The geofencing enforced shutdown and shutdown based on date code is 100% egregious abuse. I hope the city gets all their money back for these trains. Also the company should be investigated to see if this is internal practice to add this malware. If so, programmers and managers should go to jail.
1. The trains are not being used by a single city, they're being used by various operators all over Poland, mostly owned by regional authorities (voivodships, kind-of equivalent to US states or German lands). Some have also been exported to Italy and they are also supplying trains for Bulgarian metro, but given that Newag doesn't do maintenance there they don't really have an incentive to cheat, so this scheme is limited to Poland (probably...hopefully)
2. They are being investigated by the prosecution for fraud and industrial sabotage.
I don't think the programmers should necessarily go to jail, maybe a hefty fine if they were paid off/bribed, but it's almost certain that they were given an ultimatum of some kind by their boss. Decisions like this are absolutely made by upper management, not the programmers.
@@OutbackCatgirl I don't think "just following orders" legally cuts it as justification for stuff this bad (nor should it)
@@OutbackCatgirl "I don't think the programmers should necessarily go to jail" - The programmers would've had the right to refuse doing work that's clearly illegal, so they probably won't escape a sentence either (although their sentence will probably be lighter). The main person to be prosecuted is the manager (company owner?) who was the mastermind behind this..
@@pietiebrein The law normally recognises that employees are subject to coercion because most people aren't financially secure enough to just quit their job. If your boss tells you to go break somebody's kneecaps, "I was just following orders" isn't going to be a defence, because breaking kneecaps is inherently illegal. But if your boss tells you to write some code to do xyz, you're generally not held personally liable, because writing code isn't illegal _per se._
I always thought these kinds of practices were limited to consumer devices; apparently the whole industry is now infected.
Has been for 10+ years.
In companies, people responsible for procurement / warranty / repair aren't paying from their own pocket and often face no consequences if the company suffers long-term losses because of their dumb decisions. And higher-ups have no clue what they are looking at (or don't care). "emergency repair: replacement of dingle-bob 32.3STFU v2 - 15.000$"
Welcome to new reality :)
It's everywhere. John Deere is famous for this kind of crap.
I work for a YT channel that has fun servicing various electronic devices. A while ago we had a circular saw from Milwaukee that wouldn't start. After some digging it turned out the microprocessor that controls the motor was busted. Out of curiosity we checked if replacing the CPU would help, but what we learned is that the firmware on the CPU is custom and locked. We would have to unlock the CPU to read the custom ROM, but the only way to do this is to type in a 16-character password, and if you type in the wrong password ONCE, the entire chip is instantly wiped clean. How insane is that? A freaking saw that if you try and read the ROM on a chip in order to fix it, it has a self-destruct function! Like, I sort of get it, you have to protect trade secrets, but come on, is this some kind of James Bond reference I'm not getting? XD
It was always way worse in business devices, the difference is some businesses were quite open about it.
@@B3RyL On the other hand, this proved to be very handy when Russians stole dozens of Ukraine John Deere tractors and the factory disabled them remotely. It has pros and cons, so I'd say as long as the company is transparent about it ("We can disable stuff, we won't tell you how exactly because trade secret, but we can do it, turn to us with repairs of PC stuff"), then it's okay to me. But the train example here is basically intentionally sabotaging competing repair shops, which sounds insane.
After the case was revealed, Janusz Cieszyński (former Minister of Digital Affairs) admitted that the matter was known to the Council of Ministers and the special services since May 2023, when it was presented at the cybersecurity committee. Earlier, since 2022, the case was known to UOKiK and UTK. In October 2023, the Internal Security Agency filed a notification to the prosecutor's office in Nowy Sącz "regarding software for Impuls trains". In December, the regional prosecutor's office in Krakow took over the investigation and is conducting a case on the suspicion of committing crimes under Article 269 §1 and Article 286 §1 of the Penal Code.
Googled and translated these articles of Penal Code:
Art. 269
§ 1. Whoever destroys, damages, deletes or changes IT data of particular importance for the country's defense, security in communications, the functioning of government administration, another state body or state institution or local government, or disrupts or prevents the automatic processing, collection or transmission of such data, is punishable by imprisonment from 6 months to 8 years.
[...]
Art. 286
§ 1. Whoever, in order to obtain a financial advantage, causes another person to unfavorably dispose of his or her own or someone else's property by misleading him or her or by taking advantage of an error or inability to properly understand the action undertaken, shall be subject to the penalty of imprisonment from 6 months to 8 years.
for non polish people, what are those articles referencing ?
@@seedz5132 Art. 286. [Fraud]
§ 1. Whoever, with the aim of obtaining financial gain, leads another person to a disadvantageous disposition of their own or someone else's property by deceiving them or exploiting a mistake or inability to properly understand the undertaken action, is subject to imprisonment from 6 months to 8 years.
§ 2. The same penalty applies to anyone who demands financial gain in exchange for returning property unlawfully taken.
§ 3. In less serious cases, the perpetrator is subject to a fine, restriction of liberty, or imprisonment for up to 2 years.
§ 4. If the act described in §§ 1-3 is committed against a close relative, prosecution occurs upon the victim's request.
Art. 269. [Damage to Computer Data]
§ 1. Whoever destroys, damages, deletes, or alters computer data of particular importance to national defense, communication security, government administration functioning, other state bodies or state institutions, or local government, or disrupts or prevents the automatic processing, collection, or transmission of such data, is subject to imprisonment from 6 months to 8 years.
§ 2. The same penalty applies to anyone who commits the act described in § 1 by destroying or exchanging a computer data carrier or destroying or damaging a device used for the automatic processing, collection, or transmission of computer data.
@@seedz5132 basically that you can't f*ck with the state and its critical national infrastructure, otherwise the state will f*ck you
@@seedz5132 destruction of computer data and fraud
Literally laughed my ass off at 57:14 when he mentions the "international compressor failure day"!
:)
This is just gold. I always love to see shady companies being caught red handed.
They are not amateurs.
Newag is a huge company in Poland, their trains drive in almost every Polish city.
Many modern PLCs can be programmed in C or C++, but not all manufacturers document the hardware to that level. Siemens is an example of a company which does officially support it - and their newer PLCs actually run Linux.
Siemens learned that lesson the hard way, too, IIRC.
@@TheAgamemnon911 What are you referring to with your recollection? :)
As far as I know, only the "ODK" PLCs from Siemens support this. I think there is a new way with the Xcelerator or something like this, but this is only in a limited testing field.
But a normal 1200 or 1500 PLC can not be programmed with C or C++ in TIA Portal. The only possible languages are FBD, LADDER, AWL, ST (SCL), Graph and CEM (not all languages are supported by the 1200 series).
@@oy12la Stuxnet? lol
But why would anyone want to break the Linux Direct Rendering Manager?
When I saw the news story I was super curious. Ultra happy that you guys showed this off!
I love how -- given proper context -- a simple utterance of "no comment" can be so telling.
It's also the funniest possible response when the real answer is "no, not yet" 😄
This is the most exciting talk I've seen in a long, long time.
Good job guys, this is a historic moment!
"this is a historic moment!" - Indeed it is...
Tractors, trains, cars, computers, phones, and other things of which we thought they were utilities. But with the "magic" of DRM you can extract rent from the users, so that buying is not buying but renting. You will own nothing and you will be happy.
Until you are unhappy and hack it to pieces and tell them you are mad as hell and you are not gonna take it anymore 😂
Damn, the guys really made a name for themselves. Congratulations on a successful mission (and there were only 43 min left before losing. Simply Mission Impossible)
they have the right, but it's bad that they run around conferences with this. plenty of manufacturers use such practices, have the germans already forgotten about the volkswagen affair? they picked on a polish company of all things. train manufacturing is one of the few industries where Poland does anything under its own brand. and even so, looking e.g. at locomotives, barely 1/3 of new locomotives are polish products, and the rest is siemens and bombardier. newag will get dragged through the mud and great, we'll buy the rest of the trains from germany and it'll be great. just like the union wanted.
@@Orzeszekk so what, should they keep quiet and say nothing out of some misguided patriotism? It's not their fault that Newag shits in its own nest. No conspiracy theories need to be made up here.
@@Orzeszekk Firstly - don't look for foreign actions where there are none or where they are unlikely. Newag could have not schemed, but it did and still does. That is a decision made solely by them. So no, nobody picked on anyone here. They are making sure this manufacturer honours its contract. I remind you that in the tender it committed not only to deliver EMUs, but also ALL of the documentation and software necessary to carry out P3 or P4 inspections (depending on the operator). Which, as you can see, it didn't do. And that this supposed manufacturer should act in accordance with the law, which it apparently also doesn't. You say other manufacturers do the same. Then show me when e.g. Siemens, Fiat, Alstom or even PESA or Fablok had such scandals and, if they did, what their reaction, conduct and legal consequences were...
But I understand that since a certain party (or rather "the Party") says the Germans or the Union are to blame for everything, it must be so... Except no. That's not how it is. Leaving aside geopolitics and how little Germany itself or even the EU means on the global international stage, VAG was also caught red-handed and also had to repair the damage. In the USA and Canada they bought back used cars a few years old at full or near-full purchase price! And a mass of problems still lies ahead of them, because as far as I know the spectre of withdrawing the European type approval for vehicles with the problematic powertrains still looms in the background. Incidentally, the situation here is analogous, because the UTK can theoretically withdraw the type approval of the Impuls units with modified software, since that wasn't part of the vehicle at the time of certification. That would be quite a show if it turned out Newag had to take back EMUs used for several years and refund the tender costs...
It is solely and exclusively their (Newag's) fault, and not of any "germans", as you put it. Secondly - we still have Pesa and Fablok, and Alstom's and Siemens' production also takes place in Poland. So the product is Polish, the factory's taxes are settled in Poland, as are the taxes of that factory's workers. We also have a whole mass of subcontractors who make components for the railways, including for those foreign manufacturers. Plus a few other, smaller plants capable of producing rolling stock. But they didn't say that on a certain TV station, did they? Just like they didn't say that some of those factories wouldn't exist at all if not for foreign investment. Because that contradicts a terribly stupid, crude narrative washed clean of all facts. But fine, we are a nation that can elevate itself above others in one sentence, only to show 3 words later how much it envies them. Which is exactly what you did in your comment. Because after all, producing for others is a disgrace! After all, China didn't at all become, and India isn't on the right track to becoming, a global economic and military power precisely thanks to producing for others...
@@Orzeszekk they're slandering the great Polish trains, hussars!!!!!!!!!
@@Orzeszekk and fucking good, take your grievances to the Janusz who sabotages a strategic branch of his own state for a few shekels, not to whoever exposed it, what the fuck kind of logic is that xD
How about we fund a giant kickstarter to have those guys look at top 10 popular models of washing machines? 😂
That may just end the entire consumer electronics/utilities market in the EU - all for it :D
SU and take my money then lol
Printers...
I doubt firmware will prevent the thing from self destructing - these days they break due to lack of structural integrity and the cheapest way possible of designing/building those things.
Excellent work even with that tight deadline!
That geo-fencing is the real smoking gun for me, showing they're not legitimate locks and are without a doubt an anti-competitive measure, along with the timeline of the updates. I hope Newag gets some well deserved fines (and maybe criminal charges) from the Polish government, but is also forced to disclose the PLC source code to customers, the courts and maybe another future talk's slide deck.
Absolutely criminal charges. This is premeditated sabotage of critical infrastructure
Lets hope the fine is a substantial % of their global turnover. It really needs to hurt if it's going to be effective...
Three smoking guns -- geofencing, _predicted_ failures on _predicted_ days, and a matched check condition on two systems (the HMI and PLC both looking at >=21 days of service, then movement, but neither of them sharing a codebase)
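The matched ">=21 days of service, then movement" condition and the geofence listed in this comment are both cases of a decision depending on inputs that the documented safety rule never mentions, and that is something an auditor can surface with a black-box behavioural sweep rather than by reading every line of decompiled PLC code. The Python below is an added illustration, not code from the talk, the report or Newag: `can_move` is a constructed stand-in controller (its bounding box, threshold and coordinates are made up), and `audit` / `sensitive_inputs` are the defender's side, comparing the decision against the documented rule and reporting which inputs can flip it on their own.

```python
"""Black-box audit for undeclared lock conditions in a controller decision.

Added illustration (not the talk's or Newag's code): `can_move` is a
constructed stand-in for a controller that hides a parked-time + position
lock behind a legitimate compressor rule; `audit` and `sensitive_inputs`
are the auditor's side, checking the decision against the documented
rule and reporting which inputs it really depends on.
"""
from dataclasses import dataclass, fields, asdict
from datetime import date, timedelta
import itertools


@dataclass(frozen=True)
class TrainState:
    compressors_ok: int   # working compressors (the only documented input)
    idle_days: int        # days parked without moving
    lat: float            # position reported by the onboard GPS
    lon: float
    today: date           # controller clock


# Constructed coordinates for the hidden lock's bounding box (lat0, lat1, lon0, lon1).
HIDDEN_BOX = (50.0, 50.1, 19.0, 19.1)


def can_move(s: TrainState) -> bool:
    """Stand-in controller: one legitimate rule plus one undisclosed rule."""
    if s.compressors_ok < 1:          # documented: no working compressor, no movement
        return False
    lat0, lat1, lon0, lon1 = HIDDEN_BOX
    if s.idle_days >= 21 and lat0 <= s.lat <= lat1 and lon0 <= s.lon <= lon1:
        return False                  # undisclosed: parked >= 21 days inside the box
    return True


def declared_spec(s: TrainState) -> bool:
    """The behaviour the documentation promises: move iff a compressor works."""
    return s.compressors_ok >= 1


def build_grid():
    """Sweep every input, including the ones the documentation calls irrelevant."""
    base = date(2024, 1, 1)
    for comp, idle, lat, lon, d in itertools.product(
            (0, 1, 2), (0, 20, 21, 30),
            (49.95, 50.05), (18.95, 19.05), (0, 200)):
        yield TrainState(comp, idle, lat, lon, base + timedelta(days=d))


def audit(decision, grid):
    """States where the controller disagrees with its documented rule."""
    return [s for s in grid if decision(s) != declared_spec(s)]


def sensitive_inputs(decision, grid):
    """Inputs whose value alone can flip the decision (one-at-a-time comparison)."""
    states = list(grid)
    result = {s: decision(s) for s in states}
    sensitive = set()
    for name in (fld.name for fld in fields(TrainState)):
        buckets = {}
        for s in states:
            # Group states that agree on every input except `name`.
            key = tuple(v for k, v in asdict(s).items() if k != name)
            buckets.setdefault(key, set()).add(result[s])
        if any(len(outcomes) > 1 for outcomes in buckets.values()):
            sensitive.add(name)
    return sensitive


def undeclared_dependencies(decision, grid):
    """Sensitive inputs that the documented rule never mentions."""
    return sensitive_inputs(decision, grid) - {"compressors_ok"}


if __name__ == "__main__":
    bad = audit(can_move, build_grid())
    print(f"{len(bad)} states disagree with the documented rule, e.g. {bad[0]}")
    print("decision depends on undeclared inputs:",
          sorted(undeclared_dependencies(can_move, build_grid())))
```

Run against the stand-in, the audit reports eight states where the train refuses to move although a compressor works, and names `idle_days`, `lat` and `lon` as inputs the decision depends on even though only `compressors_ok` is documented; `today` is correctly left out because this stand-in has no date lock. The same harness generalises to any decision routine an auditor can call (a decompiled function wrapped in a simulator, or a hardware-in-the-loop rig fed synthetic GPS and clock values), as long as the grid includes the inputs an honest controller should ignore.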
Great work of the hacking team!
This is why Right to Repair is so fundamentally important. All kinds of equipment needs to be serviced, from consumer, to medical, industry, transportation and military.
Right to Repair covers only "people", not companies.
The EU isn't a communist organization. B2B isn't regulated that much.
It reminds me of a story from a train mechanic I overheard while travelling by train once. He said that while adjusting the valves he would make one other valve a little loose, so that it causes a problem in the future. He noted which valve, which gave him an advantage for the job. He would truthfully declare that this would take 10 minutes, and he fixed the valve and made another loose. A person without the knowledge of which valve was loose would need to check all 12 of them and clock 120 minutes.
When I saw the title I assumed this would be just some hacking of some train systems as an exploration, but wow, that is real DRM, and a lot of malice discovered. As a Pole living in Switzerland, I really hope the manufacturer will see the consequences of their actions. Geofencing and date locks, totally illegal.
th-cam.com/video/8OB2NqcSDXQ/w-d-xo.html
More airtime for Mr Kleszcz! and a lifelong consultant gig at the Urząd Transportu Kolejowego 👍👍👍
This presentation should be set as mandatory educational material for all legal and purchasing departments. Well done!! And thanks for making your findings public!
I'm sitting on a tender review panel in the UK for new train stock. At our next meeting, the first hour will be this YT video...
I am not even close to Poland, but this was fun to watch.
Great job guys
"It is working on my machine" taken to next level with geofence ;-)
Impressive and frightening at the same time.
Excellent work and presentation! 😎
Yeah, frightening. It makes you think just how many companies are doing these kinds of things at this very moment while we're all unaware of it.
Comment for faster algorithm pick-up.
Excellent work Redford, Q3k, MrTick.
Poland is proud of you ❤
Ransomware servicing model ;D Good job lads!
Already standard in every cellphone
"Tricore has separate data and address registers"
Wait a sec, are we sure this isn't just a Motorola 68000 in a trenchcoat?
It's called tricore so it's probably THREE 68000s in a trenchcoat
The Selectron CPU 83x Series processor is based on the industrial 68000 version; the 84x is based on ARM processors. The PLC log of these machines can be pulled from the unit with a basically free tool. In that log you can see when the software was uploaded and what the Windows user name was; the timestamp can be wrong because the RTC only runs for a limited time if power was lost, and it can also be altered with the same tool. But then again this change of the RTC time will show up in the PLC log report.
@@jm3779 So it IS a 68k in a trenchcoat!
@@SuperSmashDolls Not surprising, since the embedded version of the 68K is still in production and being used in industrial settings.
the 68k is a CPU that's easy to program for at a low level, so it makes sense for embedded use
International Compressor Failure Day -- love it!
Congratulations to an excellent analysis and presentation. Well done!
Excellent presentation, articulate, funny and informative !
I wish i had gone to CCC to witness this live. Great work!
Tickets sold out really quickly though
@@thewhitefalcon8539 even the room was completely full and they were not allowing more people in 10 min before the start of the talk lol
@@maximeborges and the room was HUGE with a 2 floor stand (3-4k people)
Awesome that they were able to pull this off with a deadline like that! I was waiting for the talk when I read about it in the newspaper.
This is important, not just for Poland but it is a clear precedent that all countries, counties, towns, cities, municipalities need to look into this side of things. Trusting private companies to run our stuff is a risk and they have to be fully transparent about EVERYTHING. At worst, these can be used as part of cyberwarfare, sabotage at a distance.
And that mystery box (Prob a RPi and serial interface bus) linking the PIS mobile 4G coms to the train data bus would be the exact vehicle to do it via...
I had already forgotten about this case and didn't expect to find a conference talk on the subject; it's good to hear first-hand, in detail, what really happened. Good job guys 😊
This is such an amazing talk, I can't believe how difficult it must have been to reverse engineer all that code to find these awful anti-competitive blocks, well done to the team!
I'm proud of you guys!
As an electronics engineer - excellent and impressive job, guys. And also great presentation with many funny moments. It really was a joy to watch.
About the re-certification topic: if Newag partitioned their code into safety-relevant and non-safety-relevant parts, they might be allowed to make changes to non-safety-relevant parts without requiring any certification.
Orange and non-orange parts!
As the train's manufacturer they get to decide if it's a significant change to code. For example, "does it change the train's response to driver inputs?", like a change to brake controller behaviour, electrical braking only in brake steps 1 & 2, instead of blended (friction & electrical) braking beginning in step 2. That would require recertification, obviously.
@@capnskiddies surely any change to the ability to move the train affects safety, if there is a fire in the service yard and you need to move stock to prevent it burning then it being disabled for anti-competitive business reasons is safety critical. Also, disabling the train does change the "response to driver inputs".
If this is their approach to software, every piece of hardware on those trains needs similar depth of examination.
That will just lead to international passenger combustion day
29:00 “That’s called future proof”
😂😂😂 omfg i’m laughing to hard
Just awesome investigation and a nice talk! Greetings to our most respected neighbors in Poland, thank you for visiting. Shame on Newag's practices!
Brilliant talk, hoping for an extended version with ALL THE SLIDES some day.
Huge respect for what you did guys!
Reading about the story and timing of things, that was crazy!
Any time I saw these new trains on Polish stations, I expected them to be of decent quality.
Well, the producer had other priorities.
Cause programming malfunctions into equipment is not quality.
Huge respect guys for solving this insane puzzle.
Very cool talk and great what you guys have found, also cool that you guys stick with the facts and do not assume things, very professional!
Brilliant! Amazing story, great skills, and released for public interest. Can't get better than this.
Incredible work. Really looking forward to reading the technical report when it's published.
Since I heard of this case I was soooo much looking forward to this keynote. Thanks for sharing guys
Very interesting, informative and entertaining! I wonder how many other big companies might be doing something similar to keep service income high and probably as a side effect also discredit competitors in the repair market. This is insane. The amount of different illegitimate locking mechanisms is impressive and seems like there was either criminal intent to make every failure look a bit different, so no one would get suspicious if all the trains had the same problem on the same day or they were incapable of even installing their own significantly altered and malicious code properly on the trains. I really wouldn't want to imagine what could happen if one of the locks misfired at the wrong moment and lead to a serious accident.
John deere
Actually some of the "locking" mechanisms are just normal security measures. When there is not at least one functioning compressor left, it's a good thing that the train will not be allowed to move on its own, but after that is fixed the locking mechanism must release itself, or maintenance should be able to reset the lock. Whether that is by a tool or the HMI or a "cheat" code doesn't really matter. What is concerning is that they say the software version was different from train to train. Because that should not be the case. After production and development and validation of all the requirements, the software will be "frozen" and trains running in service all have the same software version on that fleet. But don't mistake that for a memory dump from a train CPU memory that was in service; there of course will be a lot of data stored that differs between trains, like the train number itself and various counters, or for example all the wheel diameters. Therefore you need to look carefully at what is code and what is variable data.
@@jm3779 I would expect any normal security measures to be documented and known to all relevant parties.. So if secondary compressors don't work, the HMI should at least say train is not ready to go, call a maintenance; to the maintenance worker the compressor is not working, check it; all of that documented in a thorough "what to do when...".
The abnormal security measures, as presented in the video: HMI says everything is ok, maintenance says everything looks ok, and computer experts say the CPU decided to power down the inverters because the train is out of warranty.
the geofencing stuff was insane, good job on discovering this and great talk.
Excellent work folks. Not just on the reverse engineering, but also on the presentation. Zero bullcrap/fluff, straight to the point.
The comparison train sure got famous. "This is *not* how you compare dates." Indeed, I wonder what effin connections you have to have to get hired as a coder while producing such an atrocity.
I sure hope Newag gets punished way beyond a considerable fine. This is not just a monopolist stunt. This shit is actually dangerous and eerie (nationwide emergency transport case).
Lovely to have this talk, it's not long since I heard of the article. I wonder if this allows fighting corruption better, but fingers crossed. Pretty hilarious case, big shoutouts to these guys doing a massive job.
THIS is such a solid talk!
More like this please!
Good job, guys 👍
This is awesome, just glad your time didn't run out before you made your breakthrough :)
They are heroes. Fantastic work!
Much respect for everyone and especially presenting it so well for everybody!
i'm glad this went public, companies should not be allowed to do this, especially not when it involves crucial infrastructure.
this was an interesting presentation and i'm glad they had the balls to speak up about it despite companies threatening them with lawsuits.
YUP, full agree
check out the Volkswagen emissions scandal in the USA
Absolutely excellent work by everyone involved!
Absolutely brilliant! Thank you for sharing 🤗
Great work, great presentation! I always wonder how many of the microcontroller devices around me have such gems in them (and how many could get them added by an update :)
Greetings from Poland!
You don't have to wonder. Many of them. It is done a bit differently, though 🙂
I never thought that the world of train servicing could be so captivating. The way you delved into the technical intricacies of the train control system and the reverse engineering process was both fascinating and accessible, even for someone with a non-technical background like mine.
that geofencing is wild
Amazing presentation!
The fact that these trains are certified to run on a public rail system with a set of undisclosed and evidently poorly written lock functions is to me the most terrifying part of this interesting presentation.
You have to hand it to them: they actually successfully found a way to implement very important business logic into mundane operation controllers. Hats off.
Also, they should be taken over by Microsoft, as Microsoft already has some experience in this kind of business logic.
Awesome seeing how experts do a really good job, make the world better and are also able to communicate the results in a well understandable form! :)
Mockery and derision for the responsible department at NEWAG; it is a shame to throw away personal engineering principles for this absurd attempt to make money :(
Idk abt trains and only have very superficial IT knowledge, but I love these types of talks connected to real world problems/conspiracies, e.g the xerox stuff and other analyses
Well done. It feels like unlocking the Enigma code - which was also substantially done by Polish hackers (mathematicians).
what? it wasn't done by Benedict Cumberbatch sitting alone in a shed? /s
That was big! First Novocherkassk blew up on New Year's Eve, and now I watched this.
36:24 "Violation of Newag's Intellectual Property Rights" -> "not moving the train for 21 days and then successfully starting it again". 😂
Brilliant work by you all! Wunderbar! And an excellent presentation, thank you!
Congratulations, gentlemen!
I heard about this story when it broke last year. Glad to see the talk is finally uploaded.
One of the presenters seemed a little concerned that the process could "get political", but I think that is the best outcome for this: regulation and legal repercussions are the right way to deal with the company that did this and to prevent it from happening in the future. (I am still sympathetic, though: it is easier and more fun to dig into code and play with hardware than it is to talk to lawyers and legislators, especially if the hardware is literal trains!)
I think he was worried that it would be used as a political weapon between both political sides, like, sadly, many things are.
Someone commented that Newag's CEO is closely related to the PiS party that just lost the election but was in power before that @@harrrson
If confirmed, all of that stuff is already illegal in Poland.
There's nothing getting political can make better.
At minimum it will hamper the investigation; at most it will just target the hackers, due to retirees in parliament seats not understanding digital technology.
It could be political in the sense that the company is producing tangible industrial goods, paying taxes and offering jobs, and making it suffer could have a negative political effect.
@@acidumirae Well every company does those things, including the bad ones. No, he's worried because until very recently, Poland had a corrupt far right government with close ties to the bad company. The government lost the election, though, so we'll see what happens next.
Loved the talk, excellent questions at the end.
Great work guys! That if-statement with dates was hilarious. I will use this date comparison example in my lectures - mentioning the source, of course - it will only add spice to it. As a side note - I'm already sorry for this poor trainee who wrote || !tested this code.
Great work.
I particularly like the bad compressor date range check code and the GPS geofencing 🤣
I've been waiting for this talk
This honestly concerns me. I saw the article online and was honestly shocked.
DRM for trains. Public transport.
Absolutely awesome story. The reputational damage to Newag is huge. They will have to do something outstanding to wash away that shame. But how can something like this be prevented in the future? Should it end up with a legal requirement to supply the source code together with a firmware update? Code review by customers or a certifier before code gets into the train?
use a freedom-respecting license and make the code public; I doubt train operators have a lot of IT folks capable of analyzing an entire codebase
@@formbi Perhaps that should change? They have talented mechanics and technicians, why not employ code technicians that are well trained...?
The sad thing is that such regulation will likely only do more harm than good. What if the manufacturer just sends you obfuscated code? Code that only they can understand is not so different from a black box binary. Even worse, with advances in NLP, they can obfuscate the code in a way that looks like normal code to untrained eyes, but breaks in mysterious ways when you attempt to modify it. Then what? Make regulations requiring explanations for every line of code?
I totally get the good intention, but the reality is always complicated
i was genuinely surprised how quickly the talk went. great presentation
This is a really cool story! I could see this being made into a movie some day.
(hopefully not a horrible low budget netflix adaptation though)