EU Train manufacturer bricks Polish trains if they spend time at a third party repair shop

[Kat]

I doubt this affects anybody here, but it's a good illustration of why "right to repair" is so important and what lengths manufacturers will go to to keep ownership of maintenance and repairs. But I'm mostly sharing it because it's fucking wild.

Here are links to a couple articles about it:

Dieselgate, but for trains – some heavyweight hardware hacking

[this is an English translation of the original article in Polish, we occasionally publish the best cyber stories from Poland in English] A train manufactured by a Polish company suddenly broke down during maintenance. The experts

badcyber.com

Trains were designed to break down after third-party repairs, hackers find

The train manufacturer accused the hackers of slander.

arstechnica.com

The first one goes into how this was discovered, and the second one is the train manufacturer insisting they did nothing wrong with increasingly outlandish excuses. I recommend you read them both for their entertainment value, but the short version is this:

• Train operator buys trains from Newag
• SPS wins the contract to do maintenance because they bid considerably lower than Newag
• When the trains hit a million km, they must go through a extensive maintenance process which requires disassembling the entire train
• After this process, the trains would refuse to move
• SPS cannot find any explanation for it. They get a working train to try pulling the non working ones, and that one suddenly quits working too despite them having done nothing to it
• SPS is about to lose the contract and grasps for straws and hires a software hacking company Dragon Sector to investigate
• DS finds code which bricks the trains after it spends ten days at a third party repair shop
• They also find an unlock code which involves clicking in specific ways on the user interface, which magically gets the trains moving again
• DS finds a hidden modem in the trains
• When knowledge of the unlock code hit the media, Newag remotely patched it out
• Newag claims they have nothing to do with any of this, they will sue DS, and the hackers have violated many unspecified laws and made the trains unsafe, so the trains should be removed from service
• Newag says maybe the third party repair shop added the malicious code, so therefore Newag should be used for future maintenance
• A government official says Newag contacted him and said the malicious code was "unintentional" and they are "victims of cyber criminals"

Truth is stranger than fiction indeed.

 

[Mark]

They must have gotten the idea from John Deere. Too bad they didn’t get the memo of the consequences from them as well. Look up what they did with their tractors… they could have put a hurting on the agricultural industry if the course wasn’t corrected.

 

[Jawneh]

As I'm working in the bus industry building some of those bloody things, I can definitely tell you that very often there's more money in the service industry of those things than there is in manufacturing them. So I'm definitely not surprised that the manufacturer of the trains is incredibly salty that they aren't getting the service bid for them. Building in nonsense that bricks the trains though, that's some great shit right there though. And honestly, I don't think the trains themselves have much in terms of super complicated software, so hiding things in there should be fairly easy as there probably isn't anyone to track them back easily. Nor should there even ever be reason to doubt any of the manufacturers vendors for doing anything like that.

Insane stuff though.

 

[Kat]

o hiding things in there should be fairly easy as there probably isn't anyone to track them back easily.

Very true: it took DS months of reverse engineering to figure out what was going on, because there were no readily available tools to even dump the code, much less disassemble it into something understandable by a person. If they'd been a bit less obvious about it, they probably would've gotten away with it.

 

[Raine]

Right to Repair is such a massive, massive concern for everything. We've got a fuckin' refrigerator that wants to connect to wifi - for what? Why? At best that's just more stuff in there that can malfunction/break. Get the hell outta here.

Things like this that are built into massive behemoths are potentially ripe for missue of different flavors as well - one can easily imagine a scenario where one of these trains is effectively turned into a missile by disabling the controls while it's at full speed. You occasionally see videos about that with cars and shit being remotely shut down (which I've admittedly never looked into and could simply be clickbait or fearmongering, but I digress), and like... nobody should ever trust a corporation of any stripe especially in this day and age. Both to not actually do it, and to cheap out and do it so poorly that the backdoor/exploit/glitch is created. So, yeah.

Regardless, hopefully they're made an example of and the can gets kicked down the road a bit more.

 

[Mark]

You occasionally see videos about that with cars and shit being remotely shut down (which I've admittedly never looked into and could simply be clickbait or fearmongering, but I digress), and like... nobody should ever trust a corporation of any stripe especially in this day and age. Both to not actually do it, and to cheap out and do it so poorly that the backdoor/exploit/glitch is created. So, yeah.

Kill switches are commonplace in the automotive industry, from a manufacturer standpoint all the way through asset recovery. Look at the shit show Hyundai/Kia has found themselves in with USB exploits used to back door anyone with a cable into any car built within a certain time frame.

 

[Kat]

nobody should ever trust a corporation of any stripe especially in this day and age. Both to not actually do it, and to cheap out and do it so poorly that the backdoor/exploit/glitch is created. So, yeah.

What, you don't trust the company that snuck a modern into their trains so they could remotely brick them to adequately secure that hidden system? Especially after they have already accidentally bricked one train a year later than they intended to because somebody was sloppy with their conditional statements?

You're completely right. Essential infrastructure like that can become a target of rival nation states, which often have enough resources to break even well done security. Putting remote access in those trains is SO BAD for that reason alone.

My appliances that can connect to the Internet generally do not get connected because fuck that. They're almost certainly poorly secured and somebody is using it in a bot net. There's also a good chance the manufacturer is using it to gather data on you to sell (looking at you, Samsung with your smart TV's).

 

[Raine]

Essential infrastructure like that can become a target of rival nation states, which often have enough resources to break even well done security. Putting remote access in those trains is SO BAD for that reason alone.

Yup. Whenever "back home" is in the news, it's always bad news - and so naturally my mind immediately returned to earlier this year with East Palestine:

6 months after the East Palestine train derailment, Congress is deadlocked on new rules for safety

Congress responded to the fiery train derailment in eastern Ohio earlier this year with bipartisan alarm at railroad crashes causing potential disasters.

apnews.com

Governments want this to happen more often? This seems like a great way to go about it. And you've got shit like this which is Literal Nightmare Fuel™: