[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:13.99,0:00:20.39,Default,,0000,0000,0000,,Give a warm welcome to Redford (@redford@infosec.exchange)
Dialogue: 0,0:00:29.59,0:00:38.67,Default,,0000,0000,0000,,Q3K (@Q3K@social.hackerspace.pl)
Dialogue: 0,0:00:38.85,0:00:45.45,Default,,0000,0000,0000,,and Mr. Trick (@mrtick@infosec.exchange)
Dialogue: 0,0:00:47.55,0:00:50.59,Default,,0000,0000,0000,,and it's an honour to announce the talk
Dialogue: 0,0:00:50.88,0:00:53.66,Default,,0000,0000,0000,,"Breaking DRM in Polish trains"
Dialogue: 0,0:00:54.56,0:00:59.88,Default,,0000,0000,0000,,Reverse engineering a train \Nto analyze a suspicious malfunction
Dialogue: 0,0:01:00.45,0:01:09.27,Default,,0000,0000,0000,,(Applause)
Dialogue: 0,0:01:09.59,0:01:16.19,Default,,0000,0000,0000,,Hi, I'm Redford, this is Q3K and\NMrTick (not Trick)
Dialogue: 0,0:01:16.66,0:01:19.28,Default,,0000,0000,0000,,and we'll talk today about trains.
Dialogue: 0,0:01:19.29,0:01:21.11,Default,,0000,0000,0000,,We'll do a quick intro, \Ntell the story and
Dialogue: 0,0:01:21.11,0:01:23.15,Default,,0000,0000,0000,,then go into technical details.
Dialogue: 0,0:01:23.85,0:01:30.36,Default,,0000,0000,0000,,So, we sometimes play CTFs together \Nwith Dragon Sector and Poland Can Into Space
Dialogue: 0,0:01:31.07,0:01:33.30,Default,,0000,0000,0000,,I work for Invisible Things Lab
Dialogue: 0,0:01:33.69,0:01:36.05,Default,,0000,0000,0000,,I mostly do low-level security and reverse engineering
Dialogue: 0,0:01:36.65,0:01:40.81,Default,,0000,0000,0000,,And [the others] will introduce themselves in a few slides
Dialogue: 0,0:01:41.40,0:01:43.66,Default,,0000,0000,0000,,Let's start with the story
Dialogue: 0,0:01:44.31,0:01:47.28,Default,,0000,0000,0000,,As you already know, the story is about trains
Dialogue: 0,0:01:48.08,0:01:52.75,Default,,0000,0000,0000,,and the story actually starts a long time ago, in 2016
Dialogue: 0,0:01:53.47,0:01:58.20,Default,,0000,0000,0000,,when Koleje Dolnoslaskie, a local Polish train operator
Dialogue: 0,0:01:58.82,0:02:04.03,Default,,0000,0000,0000,,bought eleven Impulse trains \N(of which one of them is on the photo)
Dialogue: 0,0:02:05.59,0:02:07.18,Default,,0000,0000,0000,,Then after some time,
Dialogue: 0,0:02:07.65,0:02:12.12,Default,,0000,0000,0000,,the train started reaching one million kilometers on the odometers
Dialogue: 0,0:02:12.62,0:02:19.78,Default,,0000,0000,0000,,and by this amount, you must do a big maintenance
Dialogue: 0,0:02:20.16,0:02:24.67,Default,,0000,0000,0000,,and because the manufacturer's warranty already expired
Dialogue: 0,0:02:25.08,0:02:27.96,Default,,0000,0000,0000,,they started a tender
Dialogue: 0,0:02:27.96,0:02:30.90,Default,,0000,0000,0000,,so to select the best offer for servicing
Dialogue: 0,0:02:31.82,0:02:33.82,Default,,0000,0000,0000,,and the offer was won by SPS
Dialogue: 0,0:02:34.21,0:02:36.85,Default,,0000,0000,0000,,it's an independent train workshop in Poland
Dialogue: 0,0:02:37.09,0:02:41.22,Default,,0000,0000,0000,,And in the first quarter of 2022
Dialogue: 0,0:02:41.44,0:02:43.97,Default,,0000,0000,0000,,the first train reached the workshop
Dialogue: 0,0:02:44.24,0:02:50.80,Default,,0000,0000,0000,,So, let's see the public timeline
Dialogue: 0,0:02:51.03,0:02:57.10,Default,,0000,0000,0000,,The servicing started with train #24
Dialogue: 0,0:02:57.29,0:03:03.18,Default,,0000,0000,0000,,Their workshop took apart the whole train
Dialogue: 0,0:03:03.44,0:03:05.100,Default,,0000,0000,0000,,sent the parts to the manufacturers
Dialogue: 0,0:03:06.38,0:03:08.45,Default,,0000,0000,0000,,and then assembled the train back
Dialogue: 0,0:03:08.62,0:03:10.55,Default,,0000,0000,0000,,But the problem was that
Dialogue: 0,0:03:10.71,0:03:13.61,Default,,0000,0000,0000,,the train didn't start afterwards.
Dialogue: 0,0:03:13.61,0:03:16.68,Default,,0000,0000,0000,,And, then, they took another train for servicing,
Dialogue: 0,0:03:17.11,0:03:19.11,Default,,0000,0000,0000,,and it was the same:
Dialogue: 0,0:03:19.11,0:03:21.02,Default,,0000,0000,0000,,the trains didn't want to start
Dialogue: 0,0:03:21.02,0:03:22.69,Default,,0000,0000,0000,,after servicing.
Dialogue: 0,0:03:22.69,0:03:25.50,Default,,0000,0000,0000,,And, what's even more interesting
Dialogue: 0,0:03:25.50,0:03:27.10,Default,,0000,0000,0000,,is that in the meantime
Dialogue: 0,0:03:27.10,0:03:28.68,Default,,0000,0000,0000,,another workshop
Dialogue: 0,0:03:28.68,0:03:31.98,Default,,0000,0000,0000,,started servicing trains for a different train operator
Dialogue: 0,0:03:31.98,0:03:35.31,Default,,0000,0000,0000,,and they ran into exactly the same problem
Dialogue: 0,0:03:35.31,0:03:37.95,Default,,0000,0000,0000,,So, it's getting a bit suspicious
Dialogue: 0,0:03:37.95,0:03:42.38,Default,,0000,0000,0000,,and the story got noticed by media in Poland
Dialogue: 0,0:03:42.58,0:03:46.31,Default,,0000,0000,0000,,because you had like less trains running
Dialogue: 0,0:03:46.43,0:03:50.56,Default,,0000,0000,0000,,So, the manufacturer issued a public press release
Dialogue: 0,0:03:50.56,0:03:52.44,Default,,0000,0000,0000,,and they said that
Dialogue: 0,0:03:52.44,0:03:55.19,Default,,0000,0000,0000,,among many other accusations
Dialogue: 0,0:03:55.19,0:03:59.54,Default,,0000,0000,0000,,they said that "someone interfered with the security system"
Dialogue: 0,0:03:59.54,0:04:01.07,Default,,0000,0000,0000,,whatever that is
Dialogue: 0,0:04:01.59,0:04:05.68,Default,,0000,0000,0000,,And, something happened in between
Dialogue: 0,0:04:05.88,0:04:10.13,Default,,0000,0000,0000,,And the workshop (SPS) \Nstarted returning the trains
Dialogue: 0,0:04:10.13,0:04:11.77,Default,,0000,0000,0000,,which worked.
Dialogue: 0,0:04:11.77,0:04:13.65,Default,,0000,0000,0000,,So, what happened?
Dialogue: 0,0:04:13.70,0:04:15.30,Default,,0000,0000,0000,,And what happened in the meantime?
Dialogue: 0,0:04:15.30,0:04:19.44,Default,,0000,0000,0000,,After the workshop got into trouble
Dialogue: 0,0:04:19.65,0:04:25.41,Default,,0000,0000,0000,,the issues didn't look like normal issues
Dialogue: 0,0:04:25.56,0:04:27.84,Default,,0000,0000,0000,,because the competitor was saying\Nthat everything is fine
Dialogue: 0,0:04:28.05,0:04:31.82,Default,,0000,0000,0000,,and they had some pointers
Dialogue: 0,0:04:31.82,0:04:33.71,Default,,0000,0000,0000,,into the direction of
Dialogue: 0,0:04:33.71,0:04:35.37,Default,,0000,0000,0000,,the manufacturer's involvement
Dialogue: 0,0:04:35.37,0:04:38.46,Default,,0000,0000,0000,,but they didn't have any idea what to do.
Dialogue: 0,0:04:38.46,0:04:41.85,Default,,0000,0000,0000,,So they googled "Polish Hackers"
Dialogue: 0,0:04:41.85,0:04:43.35,Default,,0000,0000,0000,,and found us
Dialogue: 0,0:04:43.40,0:04:52.03,Default,,0000,0000,0000,,(Laughter+Applause)
Dialogue: 0,0:04:52.36,0:04:55.32,Default,,0000,0000,0000,,So, we got in contact
Dialogue: 0,0:04:55.32,0:04:58.34,Default,,0000,0000,0000,,we got the trains,\Nbut about that later
Dialogue: 0,0:04:58.49,0:05:02.66,Default,,0000,0000,0000,,In August, we managed to unlock the first train
Dialogue: 0,0:05:02.66,0:05:06.27,Default,,0000,0000,0000,,and a few months later
Dialogue: 0,0:05:06.32,0:05:10.74,Default,,0000,0000,0000,,we gathered enough evidence to \Nnotify authorities about
Dialogue: 0,0:05:10.87,0:05:13.49,Default,,0000,0000,0000,,and that is what we will talk about today.
Dialogue: 0,0:05:14.81,0:05:17.47,Default,,0000,0000,0000,,(Laughter)
Dialogue: 0,0:05:17.47,0:05:19.34,Default,,0000,0000,0000,,All right, I think it is my turn
Dialogue: 0,0:05:19.34,0:05:21.37,Default,,0000,0000,0000,,So, hi, I'm Mister Tick
Dialogue: 0,0:05:21.57,0:05:23.84,Default,,0000,0000,0000,,Known in Poland as <????>
Dialogue: 0,0:05:23.84,0:05:26.05,Default,,0000,0000,0000,,In Germany as <????>
Dialogue: 0,0:05:26.10,0:05:28.99,Default,,0000,0000,0000,,Ich bin ein grosser Bahnfan\N(I'm a big railway fanatic)
Dialogue: 0,0:05:29.05,0:05:32.31,Default,,0000,0000,0000,,So, Redford, briefly introduce you
Dialogue: 0,0:05:32.53,0:05:38.71,Default,,0000,0000,0000,,(Applause)
Dialogue: 0,0:05:39.27,0:05:43.61,Default,,0000,0000,0000,,I want to walk you through some initial terms here
Dialogue: 0,0:05:43.61,0:05:44.86,Default,,0000,0000,0000,,So, before I tell you how to
Dialogue: 0,0:05:44.86,0:05:45.97,Default,,0000,0000,0000,,unlock a train
Dialogue: 0,0:05:45.97,0:05:48.63,Default,,0000,0000,0000,,let's define what a "locked train" is.
Dialogue: 0,0:05:48.63,0:05:50.45,Default,,0000,0000,0000,,So, we have basically a train
Dialogue: 0,0:05:50.53,0:05:52.11,Default,,0000,0000,0000,,you enter a cabin
Dialogue: 0,0:05:52.46,0:05:54.41,Default,,0000,0000,0000,,All the system reports say that the train is\Nready to roll
Dialogue: 0,0:05:54.56,0:05:57.93,Default,,0000,0000,0000,,There is this device combined throttle and brake lever
Dialogue: 0,0:05:58.28,0:05:59.77,Default,,0000,0000,0000,,So you push it forward
Dialogue: 0,0:05:59.77,0:06:01.56,Default,,0000,0000,0000,,the train loses all the brakes
Dialogue: 0,0:06:01.56,0:06:03.15,Default,,0000,0000,0000,,and then it should accelerate
Dialogue: 0,0:06:03.15,0:06:04.58,Default,,0000,0000,0000,,but it doesn't.
Dialogue: 0,0:06:08.32,0:06:09.98,Default,,0000,0000,0000,,That's the brakes
Dialogue: 0,0:06:12.46,0:06:14.32,Default,,0000,0000,0000,,Nothing happens
Dialogue: 0,0:06:14.88,0:06:16.66,Default,,0000,0000,0000,,You can see the "zero" on the screen
Dialogue: 0,0:06:20.57,0:06:23.10,Default,,0000,0000,0000,,So, we had a locked train
Dialogue: 0,0:06:23.56,0:06:26.97,Default,,0000,0000,0000,,the workshop bought additional two CPUs\Nof the
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Jup, that's one of them
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and got access to all service documents