0:00:13.993,0:00:20.393 Give a warm welcome to Redford (@redford@infosec.exchange)
0:00:29.586,0:00:38.666 Q3K (@Q3K@social.hackerspace.pl)
0:00:38.854,0:00:45.454 and Mr. Trick (@mrtick@infosec.exchange)
0:00:47.546,0:00:50.586 and it's an honour to announce the talk
0:00:50.883,0:00:53.663 "Breaking DRM in Polish trains"
0:00:54.555,0:00:59.885 Reverse engineering a train [br]to analyze a suspicious malfunction
0:01:00.449,0:01:09.269 (Applause)
0:01:09.587,0:01:16.187 Hi, I'm Redford, this is Q3K and[br]MrTick (not Trick)
0:01:16.663,0:01:19.283 and we'll talk today about trains.
0:01:19.288,0:01:21.108 We'll do a quick intro, [br]tell the story and
0:01:21.108,0:01:23.153 then go into technical details.
0:01:23.851,0:01:30.361 So, we sometimes play CTFs together [br]with Dragon Sector and Poland Can Into Space.
0:01:31.070,0:01:33.302 I work for Invisible Things Lab.
0:01:33.686,0:01:36.051 I mostly do low-level security and reverse engineering,
0:01:36.649,0:01:40.813 and [the others] will introduce themselves in a few slides.
0:01:41.399,0:01:43.662 Let's start with the story.
0:01:44.306,0:01:47.283 As you already know, the story is about trains,
0:01:48.085,0:01:52.747 and the story actually starts a long time ago, in 2016,
0:01:53.472,0:01:58.199 when Koleje Dolnoslaskie, a local Polish train operator,
0:01:58.820,0:02:04.028 bought eleven Impulse trains [br](one of which is in the photo).
0:02:05.589,0:02:07.176 Then, after some time,
0:02:07.653,0:02:12.123 the trains started reaching one million kilometers on the odometers,
0:02:12.622,0:02:19.776 and at this mileage you must do a big maintenance,
0:02:20.163,0:02:24.667 and because the manufacturer's warranty had already expired,
0:02:25.084,0:02:27.962 they started a tender
0:02:27.962,0:02:30.901 to select the best offer for servicing,
0:02:31.821,0:02:33.819 and the offer was won by SPS,
0:02:34.208,0:02:36.853 an independent train workshop in Poland.
0:02:37.087,0:02:41.224 And in the first quarter of 2022
0:02:41.441,0:02:43.972 the first train reached the workshop.
0:02:44.239,0:02:50.797 So, let's see the public timeline.
0:02:51.032,0:02:57.098 The servicing started with train #24.
0:02:57.287,0:03:03.184 Their workshop took apart the whole train,
0:03:03.436,0:03:05.997 sent the parts to the manufacturers
0:03:06.385,0:03:08.450 and then assembled the train back.
0:03:08.617,0:03:10.547 But the problem was that
0:03:10.714,0:03:13.611 the train didn't start afterwards.
0:03:13.611,0:03:16.676 And then they took another train for servicing,
0:03:17.114,0:03:19.112 and it was the same:
0:03:19.112,0:03:21.023 the trains didn't want to start
0:03:21.023,0:03:22.689 after servicing.
0:03:22.689,0:03:25.496 And what's even more interesting
0:03:25.496,0:03:27.097 is that in the meantime
0:03:27.097,0:03:28.679 another workshop
0:03:28.679,0:03:31.985 started servicing trains for a different train operator,
0:03:31.985,0:03:35.311 and they ran into exactly the same problem.
0:03:35.311,0:03:37.946 So, it's getting a bit suspicious,
0:03:37.946,0:03:42.380 and the story got noticed by the media in Poland
0:03:42.581,0:03:46.312 because you had, like, fewer trains running.
0:03:46.432,0:03:50.562 So, the manufacturer issued a public press release
0:03:50.562,0:03:52.436 and they said that,
0:03:52.436,0:03:55.188 among many other accusations,
0:03:55.188,0:03:59.544 they said that "someone interfered with the security system",
0:03:59.544,0:04:01.066 whatever that is.
0:04:01.588,0:04:05.685 And something happened in between,
0:04:05.885,0:04:10.131 and the workshop (SPS) [br]started returning the trains,
0:04:10.131,0:04:11.773 which worked.
0:04:11.773,0:04:13.646 So, what happened?
0:04:13.705,0:04:15.302 And what happened in the meantime?
0:04:15.302,0:04:19.435 After the workshop got into trouble,
0:04:19.652,0:04:25.410 the issues didn't look like normal issues,
0:04:25.560,0:04:27.843 because the competitor was saying[br]that everything is fine,
0:04:28.047,0:04:31.815 and they had some pointers
0:04:31.815,0:04:33.714 in the direction of
0:04:33.714,0:04:35.373 the manufacturer's involvement,
0:04:35.373,0:04:38.465 but they didn't have any idea what to do.
0:04:38.465,0:04:41.854 So they googled "Polish hackers"
0:04:41.854,0:04:43.351 and found us.
0:04:43.395,0:04:52.033 (Laughter + Applause)
0:04:52.362,0:04:55.320 So, we got in contact,
0:04:55.320,0:04:58.338 we got the trains,[br]but more about that later.
0:04:58.488,0:05:02.662 In August, we managed to unlock the first train,
0:05:02.662,0:05:06.272 and a few months later
0:05:06.319,0:05:10.744 we gathered enough evidence to [br]notify the authorities about
0:05:10.872,0:05:13.489 and that is what we will talk about today.
0:05:14.814,0:05:17.469 (Laughter)
0:05:17.469,0:05:19.335 Alright, I think it is my turn.
0:05:19.335,0:05:21.374 So, hi, I'm Mister Tick,
0:05:21.573,0:05:23.843 known in Poland as <????>,
0:05:23.843,0:05:26.048 in Germany as <????>.
0:05:26.102,0:05:28.992 Ich bin ein grosser Bahnfan[br](I'm a big railway fan)
0:05:29.046,0:05:32.306 So, Redford, briefly introduce you
0:05:32.534,0:05:38.714 (Applause)
0:05:39.266,0:05:43.608 I want to walk you through some initial terms here.
0:05:43.608,0:05:44.858 So, before I tell you how to
0:05:44.858,0:05:45.970 unlock a train,
0:05:45.970,0:05:48.631 let's define what a "locked train" is.
0:05:48.631,0:05:50.446 So, we have basically a train,
0:05:50.530,0:05:52.112 you enter a cabin,
0:05:52.463,0:05:54.411 all the system reports say that the train is[br]ready to roll.
0:05:54.561,0:05:57.926 There is this device, a combined throttle and brake lever.
0:05:58.282,0:05:59.766 So you push it forward,
0:05:59.766,0:06:01.561 the train releases all the brakes,
0:06:01.561,0:06:03.150 and then it should accelerate,
0:06:03.150,0:06:04.583 but it doesn't.
0:06:08.323,0:06:09.976 That's the brakes.
0:06:12.463,0:06:14.325 Nothing happens.
0:06:14.876,0:06:16.659 You can see the "zero" on the screen.
0:06:20.566,0:06:23.105 So, we had a locked train.
0:06:23.565,0:06:26.971 The workshop bought two additional CPUs[br]of the
9:59:59.000,9:59:59.000 Yup, that's one of them,
9:59:59.000,9:59:59.000 and got access to all the service documents.