WEBVTT

00:00:13.993 --> 00:00:20.393
Give a warm welcome to Redford (@redford@infosec.exchange)

00:00:29.586 --> 00:00:38.666
Q3K (@Q3K@social.hackerspace.pl)

00:00:38.854 --> 00:00:45.454
and Mr. Trick (@mrtick@infosec.exchange)

00:00:47.546 --> 00:00:50.586
and it's an honour to announce the talk

00:00:50.883 --> 00:00:53.663
"Breaking DRM in Polish trains"

00:00:54.555 --> 00:00:59.885
Reverse engineering a train to analyze a suspicious malfunction

00:01:00.449 --> 00:01:09.269
(Applause)

00:01:09.587 --> 00:01:16.187
Hi, I'm Redford, this is Q3K and MrTick (not Trick)

00:01:16.663 --> 00:01:19.283
and we'll talk today about trains.

00:01:19.288 --> 00:01:21.108
We'll do a quick intro, tell the story and

00:01:21.108 --> 00:01:23.153
then go into technical details.

00:01:23.851 --> 00:01:30.361
So, we sometimes play CTFs together with Dragon Sector and Poland Can Into Space

00:01:31.070 --> 00:01:33.302
I work for Invisible Things Lab

00:01:33.686 --> 00:01:36.051
I mostly do low-level security and reverse engineering

00:01:36.649 --> 00:01:40.813
And [the others] will introduce themselves in a few slides

00:01:41.399 --> 00:01:43.662
Let's start with the story

00:01:44.306 --> 00:01:47.283
As you already know, the story is about trains

00:01:48.085 --> 00:01:52.747
and the story actually starts a long time ago, in 2016

00:01:53.472 --> 00:01:58.199
when Koleje Dolnoslaskie, a local Polish train operator

00:01:58.820 --> 00:02:04.028
bought eleven Impulse trains (one of which is in the photo)

00:02:05.589 --> 00:02:07.176
Then after some time,

00:02:07.653 --> 00:02:12.123
the trains started reaching one million kilometres on the odometers

00:02:12.622 --> 00:02:19.776
and at this amount, you must do a big maintenance

00:02:20.163 --> 00:02:24.667
and because the manufacturer's warranty had already expired

00:02:25.084 --> 00:02:27.962
they started a tender

00:02:27.962 --> 00:02:30.901
to select the best offer for servicing

00:02:31.821 --> 00:02:33.819
and the offer was won by SPS

00:02:34.208 --> 00:02:36.853
it's an independent train workshop in Poland

00:02:37.087 --> 00:02:41.224
And in the first quarter of 2022

00:02:41.441 --> 00:02:43.972
the first train reached the workshop

00:02:44.239 --> 00:02:50.797
So, let's see the public timeline

00:02:51.032 --> 00:02:57.098
The servicing started with train #24

00:02:57.287 --> 00:03:03.184
Their workshop took apart the whole train

00:03:03.436 --> 00:03:05.997
sent the parts to the manufacturers

00:03:06.385 --> 00:03:08.450
and then assembled the train back

00:03:08.617 --> 00:03:10.547
But the problem was that

00:03:10.714 --> 00:03:13.611
the train didn't start afterwards.

00:03:13.611 --> 00:03:16.676
And, then, they took another train for servicing,

00:03:17.114 --> 00:03:19.112
and it was the same:

00:03:19.112 --> 00:03:21.023
the trains didn't want to start

00:03:21.023 --> 00:03:22.689
after servicing.

00:03:22.689 --> 00:03:25.496
And, what's even more interesting

00:03:25.496 --> 00:03:27.097
is that in the meantime

00:03:27.097 --> 00:03:28.679
another workshop

00:03:28.679 --> 00:03:31.985
started servicing trains for a different train operator

00:03:31.985 --> 00:03:35.311
and they ran into exactly the same problem

00:03:35.311 --> 00:03:37.946
So, it's getting a bit suspicious

00:03:37.946 --> 00:03:42.380
and the story got noticed by the media in Poland

00:03:42.581 --> 00:03:46.312
because you had, like, fewer trains running

00:03:46.432 --> 00:03:50.562
So, the manufacturer issued a public press release

00:03:50.562 --> 00:03:52.436
and they said that

00:03:52.436 --> 00:03:55.188
among many other accusations

00:03:55.188 --> 00:03:59.544
they said that "someone interfered with the security system"

00:03:59.544 --> 00:04:01.066
whatever that is

00:04:01.588 --> 00:04:05.685
And, something happened in between

00:04:05.885 --> 00:04:10.131
And the workshop (SPS) started returning the trains

00:04:10.131 --> 00:04:11.773
which worked.
00:04:11.773 --> 00:04:13.646
So, what happened?

00:04:13.705 --> 00:04:15.302
And what happened in the meantime?

00:04:15.302 --> 00:04:19.435
After the workshop got into trouble

00:04:19.652 --> 00:04:25.410
the issues didn't look like normal issues

00:04:25.560 --> 00:04:27.843
because the competitor was saying that everything is fine

00:04:28.047 --> 00:04:31.815
and they had some pointers

00:04:31.815 --> 00:04:33.714
in the direction of

00:04:33.714 --> 00:04:35.373
the manufacturer's involvement

00:04:35.373 --> 00:04:38.465
but they didn't have any idea what to do.

00:04:38.465 --> 00:04:41.854
So they googled "Polish hackers"

00:04:41.854 --> 00:04:43.351
and found us

00:04:43.395 --> 00:04:52.033
(Laughter + Applause)

00:04:52.362 --> 00:04:55.320
So, we got in contact

00:04:55.320 --> 00:04:58.338
we got the trains, but more about that later

00:04:58.488 --> 00:05:02.662
In August, we managed to unlock the first train

00:05:02.662 --> 00:05:06.272
and a few months later

00:05:06.319 --> 00:05:10.744
we gathered enough evidence to notify the authorities about

00:05:10.872 --> 00:05:13.489
and that is what we will talk about today.

00:05:14.814 --> 00:05:17.469
(Laughter)

00:05:17.469 --> 00:05:19.335
Alright, I think it is my turn

00:05:19.335 --> 00:05:21.374
So, hi, I'm Mister Tick

00:05:21.573 --> 00:05:23.843
Known in Poland as <????>

00:05:23.843 --> 00:05:26.048
In Germany as <????>

00:05:26.102 --> 00:05:28.992
Ich bin ein grosser Bahnfan (I'm a big railway fanatic)

00:05:29.046 --> 00:05:32.306
So, Redford, briefly introduce you

00:05:32.534 --> 00:05:38.714
(Applause)

00:05:39.266 --> 00:05:43.608
I want to walk you through some initial terms here

00:05:43.608 --> 00:05:44.858
So, before I tell you how to

00:05:44.858 --> 00:05:45.970
unlock a train

00:05:45.970 --> 00:05:48.631
let's define what a "locked train" is.
00:05:48.631 --> 00:05:50.446
So, we have basically a train

00:05:50.530 --> 00:05:52.112
you enter a cabin

00:05:52.463 --> 00:05:54.411
All the system reports say that the train is ready to roll

00:05:54.561 --> 00:05:57.926
There is this device, a combined throttle and brake lever

00:05:58.282 --> 00:05:59.766
So you push it forward

00:05:59.766 --> 00:06:01.561
the train loses all the brakes

00:06:01.561 --> 00:06:03.150
and then it should accelerate

00:06:03.150 --> 00:06:04.583
but it doesn't.

00:06:08.323 --> 00:06:09.976
That's the brakes

00:06:12.463 --> 00:06:14.325
Nothing happens

00:06:14.876 --> 00:06:16.659
You can see the "zero" on the screen

00:06:20.566 --> 00:06:23.105
So, we had a locked train

00:06:23.565 --> 00:06:26.971
the workshop bought two additional CPUs of the

99:59:59.999 --> 99:59:59.999
Yup, that's one of them

99:59:59.999 --> 99:59:59.999
and got access to all service documents