380
submitted 11 months ago* (last edited 11 months ago) by redd@discuss.tchncs.de to c/europe@feddit.de

A polish hacker found out why trains did stop working. The manufacterer implemented a hidden electronic switch, which automatically activated after trains were serviced by a different company.

all 50 comments
sorted by: hot top controversial new old
[-] BombOmOm@lemmy.world 198 points 11 months ago

the PLC code actually contained logic that would lock up the train with bogus error codes after some date

I hope they sue the manufacturer.

[-] maynarkh@feddit.nl 146 points 11 months ago

I hope messing with critical public infrastructure carries criminal not civil penalties, with people going to jail.

[-] Steve@startrek.website 24 points 11 months ago

Idk about Poland but in america a corporation is a person yet it cant be put in jail so only civil penalties are possible and the employees are mostly immune

[-] jmcs@discuss.tchncs.de 13 points 11 months ago

Corporations are people in the legal sense everywhere (i.e. they are subjects of the law with rights and duties). The novelty in the US is that the archaic constitution allowed the US Supreme Court to be creative in assigning rights that every other country assigns only to natural persons to legal persons. In the case of Poland, for example, the constitution explicitly mentions legal persons when rights are supposed to apply to corporations too.

[-] CJOtheReal@ani.social 6 points 11 months ago

You can't put a company in jail but definitely the asshole that gave the order to do that...

[-] GBU_28@lemm.ee 22 points 11 months ago

Manufacture should be charged with public engagement or similar.

An unexpected dead train on a track, emitting bogus codes that possibly confuse rail systems (thus resulting in other trains not being properly warned) could result in a lot of harm. Managers and executives found to be responsible for the team that implemented it should be hit hardest

[-] crispy_kilt@feddit.de 5 points 11 months ago

public engagement

Yeah, how could they communicate with the public! Also the endangerment is pretty bad too.

[-] GBU_28@lemm.ee 3 points 11 months ago
[-] Sabre363@sh.itjust.works 112 points 11 months ago

Didn't know John Deere made trains

[-] ArbiterXero@lemmy.world 83 points 11 months ago

Can we now finally say that drm sucks and any/all attempts to override it are reasonable because it’s broken by design?

[-] misk@sopuli.xyz 63 points 11 months ago

Poland finally famous for something new ❤️

[-] HerbalGamer@sh.itjust.works 25 points 11 months ago

Oh yeah, absolutely nothing to do with trains the last time.

[-] LemonDrop@lemmy.world 7 points 11 months ago

Well, I beg to differ

[-] Aussiemandeus@aussie.zone 55 points 11 months ago

Yeah manufacturers are getting out of hand with this kind of shit.

Machines are being made now to be unserviceable except with the manufacturer attending.

[-] bobs_monkey@lemm.ee 25 points 11 months ago

except with the manufacturer attending

And charging an exorbiant fee

[-] Aussiemandeus@aussie.zone 4 points 11 months ago

Yeah and pay their techs pretty average too. At least who i work for does.

But get to be at the forfront of technology

[-] HawlSera@lemm.ee 50 points 11 months ago

Sounds so legal that I'm sure its a plotpoint in a The Boys episode

[-] anarchy79@lemmy.world 11 points 11 months ago

This is Polska. Law is fluid here.

[-] tal@lemmy.today 35 points 11 months ago* (last edited 11 months ago)

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

So, it sounds like this remote lock is speculation, so I'm not gonna say that this is actually the case here, and I don't know how trustworthy the source here is.

But, speaking in general: an additional problem with sticking back doors in products is that someone else may discover them and exploit them, and the uses to which they may put them may be considerably less-pleasant than whatever the purpose that the manufacturer had in sticking them in.

Just earlier this year, we had articles about this incident with Polish trains. That wasn't a back door in that it wasn't particularly hidden, but it was a way to do remote radio control of Polish trains, and sure enough, when someone who wanted to create trouble with it discovered it, it got used to cause problems for Polish train operators.

https://www.wired.com/story/poland-train-radio-stop-attack/

The Cheap Radio Hack That Disrupted Poland’s Railway System

The sabotage of more than 20 trains in Poland by apparent supporters of Russia was carried out with a simple “radio-stop” command anyone could broadcast with $30 in equipment.

[-] sanpo@sopuli.xyz 42 points 11 months ago* (last edited 11 months ago)

It wasn't a back door, it was a safety feature working as designed. IIRC it didn't have any modern security implemented, because it's very old.

Also, the link from the OP doesn't mention that, but the trains in this story had locations of competitors' repair centers coded in, and were apparently set to auto-lock if they detected sitting in one for more than 10 days...

[-] chaogomu@kbin.social 16 points 11 months ago

So, locking out repairs for anything they would have to order parts for.

I'm guessing that they're using some sort of custom size for their bolts and tolerances in the train. The competitors likely have the standard sizing for parts on hand, and any custom part would need to be ordered in. Likely from the same supplier.

Since they know their supplier's order return timing, they can set up the kill switch when they know that the train will be sitting in a yard awaiting parts.

Scummy as fuck.

[-] skillissuer@discuss.tchncs.de 23 points 11 months ago* (last edited 11 months ago)

it worked like this: public tenders for trains and its servicing are separate. at first, newag claimed that service documentation is their super secret IP and they can't disclose it. european railway authority however basically said that no, fuck you, you as a manufacturer have to disclose it. so they did, it's a 20k page thick book, and now other workshops (with all certs and so on) can compete in tender. while monopoly lasted, they could call whatever price they wanted and operators would pay anyway. smaller workshops just outcompeted them because they don't have dozen c-suite to pay

newag of course didn't like it and there comes the fuckery. what they did, among others, is they put logic that would prevent DC-AC converters from turning on if train spends 10d+ in one of hardcoded areas, these places being competing workshops. another mysterious thing was gsm modem that could (possibly) brick train remotely in the same way. later corporate would just claim that no one else can fix these trains, call competition unqualified, and grab severely overpriced servicing contracts. that is, until somebody actually looked inside. mechanically and electrically train was fully working, but it was just locked by software

i guess this will make some national and european regulators and agencies verry interested. here you have more technical details (article in polish) https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ it will be also topic of a talk at 37C3

[-] AceQuorthon@lemmy.dbzer0.com 26 points 11 months ago

Goddamn that's malicious

[-] agrammatic@feddit.de 25 points 11 months ago
[-] someguy3@lemmy.ca 12 points 11 months ago

Newag S.A. [pronounced: nevag] is a Polish company, based in Nowy Sącz, specialising in the production, maintenance, and modernisation of railway rolling stock. The company's products include the 14WE, 19WE, 35WE types electric multiple units; it has also developed the Nevelo tram.[2]

[-] federalreverse@feddit.de 29 points 11 months ago* (last edited 11 months ago)

Somehow this is the worst bit -- a Polish company fucks the Polish state railway operator because of greed. If they'd done this in another country, there might have been some international repercussions etc. but they opted to burn their name in their own home country. This being found by random hackers is actually the best way for Newag for this affair to become public. This could have been so much worse.

[-] someguy3@lemmy.ca 6 points 11 months ago

Yup instead of the "I guess that third party repair really fucked up huh"

[-] sadreality@kbin.social 10 points 11 months ago* (last edited 11 months ago)

These guys are getting super [brazen]. Is this contract with the Polish state? or private?

[-] skillissuer@discuss.tchncs.de 3 points 11 months ago

every province has their own railway operator, ultimately it's all paid from state budget

[-] Fridgeratr@lemmy.world 9 points 11 months ago* (last edited 11 months ago)

BMW and Mercedes: "write that down!!"

[-] ebikefolder@feddit.de 7 points 11 months ago

I hope they develop a hidden switch to deactivate Newag.

[-] ElBarto@sh.itjust.works 3 points 11 months ago

Is that guy in the thumbnail trying to tell that train which way to go?

this post was submitted on 06 Dec 2023
380 points (99.5% liked)

Europe

8332 readers
1 users here now

News/Interesting Stories/Beautiful Pictures from Europe 🇪🇺

(Current banner: Thunder mountain, Germany, 🇩🇪 ) Feel free to post submissions for banner pictures

Rules

(This list is obviously incomplete, but it will get expanded when necessary)

  1. Be nice to each other (e.g. No direct insults against each other);
  2. No racism, antisemitism, dehumanisation of minorities or glorification of National Socialism allowed;
  3. No posts linking to mis-information funded by foreign states or billionaires.

Also check out !yurop@lemm.ee

founded 1 year ago
MODERATORS