WEBVTT

00:00:13.993 --> 00:00:20.393
Give a warm welcome to Redford (@redford@infosec.exchange)

00:00:29.586 --> 00:00:38.666
Q3K (@Q3K@social.hackerspace.pl)

00:00:38.854 --> 00:00:45.454
and Mr. Trick (@mrtick@infosec.exchange)

00:00:47.546 --> 00:00:50.586
and it's an honour to announce the talk

00:00:50.883 --> 00:00:53.663
"Breaking DRM in Polish trains"

00:00:54.555 --> 00:00:59.885
Reverse engineering a train to analyze a suspicious malfunction

00:01:00.449 --> 00:01:09.269
(Applause)

00:01:09.587 --> 00:01:16.187
Hi, I'm Redford, this is Q3K and MrTick (not Trick)

00:01:16.663 --> 00:01:19.283
and we'll talk today about trains.

00:01:19.288 --> 00:01:21.108
We'll do a quick intro, tell the story and

00:01:21.108 --> 00:01:23.153
then go into technical details.

00:01:23.851 --> 00:01:30.361
So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space

00:01:31.070 --> 00:01:33.302
I work for Invisible Things Lab

00:01:33.686 --> 00:01:36.051
I mostly do low-level security and reverse engineering

00:01:36.649 --> 00:01:40.813
And [the others] will introduce themselves in a few slides

00:01:41.399 --> 00:01:43.662
Let's start with the story

00:01:44.306 --> 00:01:47.283
As you already know, the story is about trains

00:01:48.085 --> 00:01:52.747
and the story actually starts a long time ago, in 2016

00:01:53.472 --> 00:01:58.199
when Koleje Dolnoslaskie, a local Polish train operator

00:01:58.820 --> 00:02:04.028
bought eleven Impulse trains (one of which is in the photo)

00:02:05.589 --> 00:02:07.176
Then after some time,

00:02:07.653 --> 00:02:12.123
the train started reaching one million kilometers on the odometers

00:02:12.622 --> 00:02:19.776
and by this amount, you must do a big maintenance

00:02:20.163 --> 00:02:24.667
and because the manufacturer's warranty already expired

00:02:25.084 --> 00:02:27.962
they started a tender

00:02:27.962 --> 00:02:30.901
so to select the best offer for servicing

00:02:31.821 --> 00:02:33.819
and the offer was won by SPS

00:02:34.208 --> 00:02:36.853
it's an independent train workshop in Poland

00:02:37.087 --> 00:02:41.224
And in the first quarter of 2022

00:02:41.441 --> 00:02:43.972
the first train reached the workshop

00:02:44.239 --> 00:02:50.797
So, let's see the public timeline

00:02:51.032 --> 00:02:57.098
The servicing started with train #24

00:02:57.287 --> 00:03:03.184
Their workshop took apart the whole train

00:03:03.436 --> 00:03:05.997
sent the parts to the manufacturers

00:03:06.385 --> 00:03:08.450
and then assembled the train back

00:03:08.617 --> 00:03:10.547
But the problem was that

00:03:10.714 --> 00:03:13.611
the train didn't start afterwards.

00:03:13.611 --> 00:03:16.676
And, then, they took another train for servicing,

00:03:17.114 --> 00:03:19.112
and it was the same:

00:03:19.112 --> 00:03:21.023
the trains didn't want to start

00:03:21.023 --> 00:03:22.689
after servicing.

00:03:22.689 --> 00:03:25.496
And, what's even more interesting

00:03:25.496 --> 00:03:27.097
is that in the meantime

00:03:27.097 --> 00:03:28.679
another workshop

00:03:28.679 --> 00:03:32.064
started servicing trains for a different train operator

00:03:32.332 --> 00:03:35.936
and they ran into exactly the same problem

00:03:36.173 --> 00:03:38.236
So, it's getting a bit suspicious

00:03:38.486 --> 00:03:42.380
and the story got noticed by media in Poland

00:03:42.581 --> 99:59:59.999
because you had like fewer trains running