0:00:13.993,0:00:20.393 Give a warm welcome to Redford (@redford@infosec.exchange)
0:00:29.586,0:00:38.666 Q3K (@Q3K@social.hackerspace.pl)
0:00:38.854,0:00:45.454 and Mr. Trick (@mrtick@infosec.exchange)
0:00:47.546,0:00:50.586 and it's an honour to announce the talk
0:00:50.883,0:00:53.663 "Breaking DRM in Polish trains"
0:00:54.555,0:00:59.885 Reverse engineering a train to analyze a suspicious malfunction
0:01:00.449,0:01:09.269 (Applause)
0:01:09.587,0:01:16.187 Hi, I'm Redford, this is Q3K and MrTick (not Trick)
0:01:16.663,0:01:19.283 and we'll talk today about trains.
0:01:19.288,0:01:21.108 We'll do a quick intro, tell the story and
0:01:21.108,0:01:23.153 then go into technical details.
0:01:23.851,0:01:30.361 So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space
0:01:31.070,0:01:33.302 I work for Invisible Things Lab
0:01:33.686,0:01:36.051 I mostly do low-level security and reverse engineering
0:01:36.649,0:01:40.813 And [the others] will introduce themselves in a few slides
0:01:41.399,0:01:43.662 Let's start with the story
0:01:44.306,0:01:47.283 As you already know, the story is about trains
0:01:48.085,0:01:52.747 and the story actually starts a long time ago, in 2016
0:01:53.472,0:01:58.199 when Koleje Dolnoslaskie, a local Polish train operator
0:01:58.820,0:02:04.028 bought eleven Impulse trains (of which one of them is on the photo)
0:02:05.589,0:02:07.176 Then after some time,
0:02:07.653,0:02:12.123 the train started reaching one million kilometers on the odometers
0:02:12.622,0:02:19.776 and by this amount, you must do a big maintenance
0:02:20.163,0:02:24.667 and because the manufacturer's warranty already expired
0:02:25.084,0:02:27.962 they started a tender
0:02:27.962,0:02:30.901 so to select the best offer for servicing
0:02:31.821,0:02:33.819 and the offer was won by SPS
0:02:34.208,0:02:36.853 it's an independent train workshop in Poland
0:02:37.087,0:02:41.224 And in the first quarter of 2022
0:02:41.441,0:02:43.972 the first train reached the workshop
0:02:44.239,0:02:50.797 So, let's see the public timeline
0:02:51.032,0:02:57.098 The servicing started with train #24
0:02:57.287,0:03:03.184 Their workshop took apart the whole train
0:03:03.436,0:03:05.997 sent the parts to the manufacturers
0:03:06.385,0:03:08.450 and then assembled the train back
0:03:08.617,0:03:10.547 But the problem was that
0:03:10.714,0:03:13.611 the train didn't start afterwards.
0:03:13.611,0:03:16.676 And, then, they took another train for servicing,
0:03:17.114,0:03:19.112 and it was the same:
0:03:19.112,0:03:21.023 the trains didn't want to start
0:03:21.023,0:03:22.689 after servicing.
0:03:22.689,0:03:25.496 And, what's even more interesting
0:03:25.496,0:03:27.097 is that in the meantime
0:03:27.097,0:03:28.679 another workshop
0:03:28.679,0:03:32.064 started servicing trains for a different train operator
0:03:32.332,0:03:35.936 and they ran into exactly the same problem
0:03:36.173,0:03:38.236 So, it's getting a bit suspicious
0:03:38.486,0:03:42.380 and the story got noticed by media in Poland
0:03:42.581,9:59:59.000 because you had like fewer trains running