1 00:00:13,993 --> 00:00:20,393 Give a warm welcome to Redford (@redford@infosec.exchange)
2 00:00:29,586 --> 00:00:38,666 Q3K (@Q3K@social.hackerspace.pl)
3 00:00:38,854 --> 00:00:45,454 and Mr. Trick (@mrtick@infosec.exchange)
4 00:00:47,546 --> 00:00:50,586 and it's an honour to announce the talk
5 00:00:50,883 --> 00:00:53,663 "Breaking DRM in Polish trains"
6 00:00:54,555 --> 00:00:59,885 Reverse engineering a train to analyze a suspicious malfunction
7 00:01:00,449 --> 00:01:09,269 (Applause)
8 00:01:09,587 --> 00:01:16,187 Hi, I'm Redford, this is Q3K and MrTick (not Trick)
9 00:01:16,663 --> 00:01:19,283 and we'll talk today about trains.
10 00:01:19,288 --> 00:01:21,108 We'll do a quick intro, tell the story and
11 00:01:21,108 --> 00:01:23,153 then go into technical details.
12 00:01:23,851 --> 00:01:30,361 So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space
13 00:01:31,070 --> 00:01:33,302 I work for Invisible Things Lab
14 00:01:33,686 --> 00:01:36,051 I mostly do low-level security and reverse engineering
15 00:01:36,649 --> 00:01:40,813 And [the others] will introduce themselves in a few slides
16 00:01:41,399 --> 00:01:43,662 Let's start with the story
17 00:01:44,306 --> 00:01:47,283 As you already know, the story is about trains
18 00:01:48,085 --> 00:01:52,747 and the story actually starts a long time ago, in 2016
19 00:01:53,472 --> 00:01:58,199 when Koleje Dolnośląskie, a local Polish train operator
20 00:01:58,820 --> 00:02:04,028 bought eleven Impuls trains (one of them is in the photo)
21 00:02:05,589 --> 00:02:07,176 Then after some time,
22 00:02:07,653 --> 00:02:12,123 the trains started reaching one million kilometers on the odometers
23 00:02:12,622 --> 00:02:19,776 and by this amount, you must do a big maintenance
24 00:02:20,163 --> 00:02:24,667 and because the manufacturer's warranty already expired
25 00:02:25,084 --> 00:02:27,962 they started a tender
26 00:02:27,962 --> 00:02:30,901 so, to select the best offer for servicing
27 00:02:31,821 --> 00:02:33,819 and the offer was won by SPS
28 00:02:34,208 --> 00:02:36,853 it's an independent train workshop in Poland
29 00:02:37,087 --> 00:02:41,224 And in the first quarter of 2022
30 00:02:41,441 --> 00:02:43,972 the first train reached the workshop
31 00:02:44,239 --> 00:02:50,797 So, let's see the public timeline
32 00:02:51,032 --> 00:02:57,098 The servicing started with train #24
33 00:02:57,287 --> 00:03:03,184 Their workshop took apart the whole train
34 00:03:03,436 --> 00:03:05,997 sent the parts to the manufacturers
35 00:03:06,385 --> 00:03:08,450 and then assembled the train back
36 00:03:08,617 --> 00:03:10,547 But the problem was that
37 00:03:10,714 --> 00:03:13,611 the train didn't start afterwards.
38 00:03:13,611 --> 00:03:16,676 And, then, they took another train for servicing,
39 00:03:17,114 --> 00:03:19,112 and it was the same:
40 00:03:19,112 --> 00:03:21,023 the trains didn't want to start
41 00:03:21,023 --> 00:03:22,689 after servicing.
42 00:03:22,689 --> 00:03:25,496 And, what's even more interesting
43 00:03:25,496 --> 00:03:27,097 is that in the meantime
44 00:03:27,097 --> 00:03:28,679 another workshop
45 00:03:28,679 --> 00:03:31,985 started servicing trains for a different train operator
46 00:03:31,985 --> 00:03:35,311 and they ran into exactly the same problem
47 00:03:35,311 --> 00:03:37,946 So, it's getting a bit suspicious
48 00:03:37,946 --> 00:03:42,380 and the story got noticed by media in Poland
49 00:03:42,581 --> 00:03:46,312 because you had, like, fewer trains running
50 00:03:46,432 --> 00:03:50,562 So, the manufacturer issued a public press release
51 00:03:50,562 --> 00:03:52,436 and they said that
52 00:03:52,436 --> 00:03:55,188 among many other accusations
53 00:03:55,188 --> 00:03:59,544 they said that "someone interfered with the security system"
54 00:03:59,544 --> 00:04:01,066 whatever that is
55 00:04:01,588 --> 00:04:05,685 And, something happened in between
56 00:04:05,885 --> 00:04:10,131 And the workshop (SPS) started returning the trains
57 00:04:10,131 --> 00:04:11,773 which worked.
58 00:04:11,773 --> 00:04:13,646 So, what happened?
59 00:04:13,705 --> 00:04:15,302 And what happened in the meantime?
60 00:04:15,302 --> 00:04:19,435 After the workshop got into trouble
61 00:04:19,652 --> 00:04:25,410 the issues didn't look like normal issues
62 00:04:25,560 --> 00:04:27,843 because the competitor was saying that everything is fine
63 00:04:28,047 --> 00:04:31,815 and they had some pointers
64 00:04:31,815 --> 00:04:33,714 into the direction of
65 00:04:33,714 --> 00:04:35,373 the manufacturer's involvement
66 00:04:35,373 --> 00:04:38,465 but they didn't have any idea what to do.
67 00:04:38,465 --> 00:04:41,854 So they googled "Polish Hackers"
68 00:04:41,854 --> 00:04:43,351 and found us
69 00:04:43,395 --> 00:04:52,033 (Laughter+Applause)
70 00:04:52,362 --> 00:04:55,320 So, we got in contact
71 00:04:55,320 --> 00:04:58,338 we got the trains, but about that later
72 00:04:58,488 --> 00:05:02,662 In August, we managed to unlock the first train
73 00:05:02,662 --> 00:05:06,272 and a few months later
74 00:05:06,319 --> 00:05:10,744 we gathered enough evidence to notify authorities about
75 00:05:10,872 --> 00:05:13,489 and that is what we will talk about today.
76 00:05:14,814 --> 00:05:17,469 (Laughter)
77 00:05:17,469 --> 00:05:19,335 All right, I think it is my turn
78 00:05:19,335 --> 00:05:21,374 So, hi, I'm Mister Tick
79 00:05:21,573 --> 00:05:23,843 Known in Poland as
80 00:05:23,843 --> 00:05:26,048 In Germany as
81 00:05:26,102 --> 00:05:28,992 Ich bin ein grosser Bahnfan (I'm a big railway fanatic)
82 00:05:29,046 --> 00:05:32,306 So, Redford, briefly introduce you
83 00:05:32,534 --> 00:05:38,714 (Applause)
84 00:05:39,266 --> 00:05:43,608 I want to walk you through some initial terms here
85 00:05:43,608 --> 00:05:44,858 So, before I tell you how to
86 00:05:44,858 --> 00:05:45,970 unlock a train
87 00:05:45,970 --> 00:05:48,631 let's define what a "locked train" is.
88 00:05:48,631 --> 00:05:50,446 So, we have basically a train
89 00:05:50,530 --> 00:05:52,112 you enter a cabin
90 00:05:52,463 --> 00:05:54,411 All the system reports say that the train is ready to roll
91 00:05:54,561 --> 00:05:57,926 There is this device, a combined throttle and brake lever
92 00:05:58,282 --> 00:05:59,766 So you push it forward
93 00:05:59,766 --> 00:06:01,561 the train releases all the brakes
94 00:06:01,561 --> 00:06:03,150 and then it should accelerate
95 00:06:03,150 --> 00:06:04,583 but it doesn't.
96 00:06:08,323 --> 00:06:09,976 That's the brakes
97 00:06:12,463 --> 00:06:14,325 Nothing happens
98 00:06:14,876 --> 00:06:16,659 You can see the "zero" on the screen
99 00:06:20,566 --> 00:06:23,105 So, we had a locked train
100 00:06:23,565 --> 00:06:26,971 the workshop bought two additional CPUs of the
101 99:59:59,999 --> 99:59:59,999 Yup, that's one of them
102 99:59:59,999 --> 99:59:59,999 and got access to all service documents