-
Give a warm welcome to Redford (@redford@infosec.exchange)
-
Q3K (@Q3K@social.hackerspace.pl)
-
and Mr. Trick (@mrtick@infosec.exchange)
-
and it's an honour to announce the talk
-
"Breaking DRM in Polish trains"
-
Reverse engineering a train
to analyze a suspicious malfunction
-
(Applause)
-
Hi, I'm Redford, this is Q3K and
MrTick (not Trick)
-
and we'll talk today about trains.
-
We'll do a quick intro,
tell the story and
-
then go into technical details.
-
So, we sometimes play CTFs together
with Dragon Sector and Poland Can Into Space
-
I work for Invisible Things Lab
-
I mostly do low level security and reverse engineering
-
And [the others] will introduce themselves in a few slides
-
Let's start with the story
-
As you already know, the story is about trains
-
and the story actually starts a long time ago, in 2016
-
when Koleje Dolnoslaskie, a local Polish train operator
-
bought eleven Impulse trains
(one of which is in the photo)
-
Then after some time,
-
the trains started reaching one million kilometers on the odometers
-
and at this amount, you must do a big maintenance
-
and because the manufacturer's warranty already expired
-
they started a tender
-
so to select the best offer for servicing
-
and the offer was won by SPS
-
it's an independent train workshop in Poland
-
And in the first quarter of 2022
-
the first train reached the workshop
-
So, let's see the public timeline
-
The servicing started with train #24
-
Their workshop took apart the whole train
-
sent the parts to the manufacturers
-
and then assembled the train back
-
But the problem was that
-
the train didn't start afterwards.
-
And, then, they took another train for servicing,
-
and it was the same:
-
the trains didn't want to start
-
after servicing.
-
And, what's even more interesting
-
is that in the meantime
-
another workshop
-
started servicing trains for a different train operator
-
and they ran into exactly the same problem
-
So, it's getting a bit suspicious
-
and the story got noticed by media in Poland
-
because you had like fewer trains running
-
So, the manufacturer issued a public press release
-
and they said that
-
among many other accusations
-
they said that "someone interfered with the security system"
-
whatever that is
-
And, something happened in between
-
And the workshop (SPS)
started returning the trains
-
which worked.
-
So, what happened?
-
And what happened in the meantime?
-
After the workshop got into trouble
-
the issues didn't look like normal issues
-
because the competitor was saying
that everything is fine
-
and they had some pointers
-
into the direction of
-
the manufacturer's involvement
-
but they didn't have any idea what to do.
-
So they googled "Polish Hackers"
-
and found us
-
(Laughter+Applause)
-
So, we got in contact
-
we got the trains,
but about that later
-
In August, we managed to unlock the first train
-
and a few months later
-
we gathered enough evidence to
notify authorities about
-
and that is what we will talk about today.
-
(Laughter)
-
All right, I think it is my turn
-
So, hi, I'm Mister Tick
-
Known in Poland as <????>
-
In Germany as <????>
-
Ich bin ein grosser Bahnfan
(I'm a big railway fanatic)
-
So, Redford, briefly introduce you
-
(Applause)
-
I want to walk you through some initial terms here
-
So, before I tell you how to
-
unlock a train
-
let's define what a "locked train" is.
-
So, we have basically a train
-
you enter a cabin
-
All the system reports say that the train is
ready to roll
-
There is this device, a combined throttle and brake lever
-
So you push it forward
-
the train loses all the brakes
-
and then it should accelerate
-
but it doesn't.
-
That's the brakes
-
Nothing happens
-
You can see the "zero" on the screen
-
So, we had a locked train
-
the workshop bought additional two CPUs
of the
-
Yup, that's one of them
-
and got access to all service documents