1
00:00:13,993 --> 00:00:20,393
Give a warm welcome to Redford (@redford@infosec.exchange)

2
00:00:29,586 --> 00:00:38,666
Q3K (@Q3K@social.hackerspace.pl)

3
00:00:38,854 --> 00:00:45,454
and Mr. Trick (@mrtick@infosec.exchange)

4
00:00:47,546 --> 00:00:50,586
and it's an honour to announce the talk

5
00:00:50,883 --> 00:00:53,663
"Breaking DRM in Polish trains"

6
00:00:54,555 --> 00:00:59,885
Reverse engineering a train to analyze a suspicious malfunction

7
00:01:00,449 --> 00:01:09,269
(Applause)

8
00:01:09,587 --> 00:01:16,187
Hi, I'm Redford, this is Q3K and MrTick (not Trick)

9
00:01:16,663 --> 00:01:19,283
and we'll talk today about trains.

10
00:01:19,288 --> 00:01:21,108
We'll do a quick intro, tell the story and

11
00:01:21,108 --> 00:01:23,153
then go into technical details.

12
00:01:23,851 --> 00:01:30,361
So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space

13
00:01:31,070 --> 00:01:33,302
I work for Invisible Things Lab

14
00:01:33,686 --> 00:01:36,051
I mostly do low-level security and reverse engineering

15
00:01:36,649 --> 00:01:40,813
And [the others] will introduce themselves in a few slides

16
00:01:41,399 --> 00:01:43,662
Let's start with the story

17
00:01:44,306 --> 00:01:47,283
As you already know, the story is about trains

18
00:01:48,085 --> 00:01:52,747
and the story actually starts a long time ago, in 2016

19
00:01:53,472 --> 00:01:58,199
when Koleje Dolnoslaskie, a local Polish train operator

20
00:01:58,820 --> 00:02:04,028
bought eleven Impuls trains (of which one of them is on the photo)

21
00:02:05,589 --> 00:02:07,176
Then after some time,

22
00:02:07,653 --> 00:02:12,123
the train started reaching one million kilometers on the odometers

23
00:02:12,622 --> 00:02:19,776
and by this amount, you must do a big maintenance

24
00:02:20,163 --> 00:02:24,667
and because the manufacturer's warranty already expired

25
00:02:25,084 --> 00:02:27,962
they started a tender

26
00:02:27,962 --> 00:02:30,901
so to select the best offer for servicing

27
00:02:31,821 --> 00:02:33,819
and the offer was won by SPS

28
00:02:34,208 --> 00:02:36,853
it's an independent train workshop in Poland

29
00:02:37,087 --> 00:02:41,224
And in the first quarter of 2022

30
00:02:41,441 --> 00:02:43,972
the first train reached the workshop

31
00:02:44,239 --> 00:02:50,797
So, let's see the public timeline

32
00:02:51,032 --> 00:02:57,098
The servicing started with train #24

33
00:02:57,287 --> 00:03:03,184
Their workshop took apart the whole train

34
00:03:03,436 --> 00:03:05,997
sent the parts to the manufacturers

35
00:03:06,385 --> 00:03:08,450
and then assembled the train back

36
00:03:08,617 --> 00:03:10,547
But the problem was that

37
00:03:10,714 --> 00:03:13,611
the train didn't start afterwards.

38
00:03:13,611 --> 00:03:16,676
And, then, they took another train for servicing,

39
00:03:17,114 --> 00:03:19,112
and it was the same:

40
00:03:19,112 --> 00:03:21,023
the trains didn't want to start

41
00:03:21,023 --> 00:03:22,689
after servicing.

42
00:03:22,689 --> 00:03:25,496
And, what's even more interesting

43
00:03:25,496 --> 00:03:27,097
is that in the meantime

44
00:03:27,097 --> 00:03:28,679
another workshop

45
00:03:28,679 --> 00:03:32,064
started servicing trains for a different train operator

46
00:03:32,332 --> 00:03:35,936
and they ran into exactly the same problem

47
00:03:36,173 --> 00:03:38,236
So, it's getting a bit suspicious

48
00:03:38,486 --> 00:03:42,380
and the story got noticed by media in Poland

49
00:03:42,581 --> 99:59:59,999
because you had like fewer trains running