Hacking a train: a 37C3 talk

Ethical hackers told 37C3 how they found a few eye-openers while breaking DRM to fix trains.

Alanna Titterington, January 24, 2024

Polish hackers from Dragon Sector told the 37th Chaos Communication Congress (37C3) late last year how they’d hacked into digital rights management (DRM) for trains, and, more importantly — why.

Why Polish hackers broke into trains

Around five years ago, Poland’s Koleje Dolnośląskie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.

To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazdów Szynowych (SPS), which underbid them by a significant margin. However, once SPS was done with servicing the first of the trains, they found that it simply wouldn’t start up any more — despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.

Shortly after, several other trains serviced by SPS — plus another taken to a different shop — ended up in a similar condition. This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.

Inside the driver’s cabin of one of the Newag Impuls trains that were investigated.

Manufacturer’s malicious implants and backdoors in the train firmware

The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running.
As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag’s software developers.

For example, they found that one of the trains’ computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it would no longer start. What were those areas? The coordinates were associated with several third-party repair shops. Newag’s own workshops were featured in the code too, but the train lock wasn’t triggered in those, which means they were probably used for testing.

Areas on the map where the trains would be locked.

Another mechanism in the code immobilized the train after detecting that the serial number of one of the parts had changed (indicating that this part had been replaced). To get the train moving again, a predefined combination of keys on the onboard computer in the driver’s cabin had to be pressed.

A further interesting booby trap was found inside one of the trains’ systems. It reported a compressor malfunction if the current day of the month was the 21st or later, the month was the 11th (November) or later, and the year was 2021 or later. It turned out that November 2021 was the scheduled maintenance date for that particular train. The trigger was avoided purely by luck: the train left for maintenance earlier than planned and returned for service only in January 2022, and the first month of the year is of course before the 11th, so the month condition was never met.

Another example: one of the trains was found to contain a device marked “UDP<->CAN Converter”, which was connected to a GSM modem to receive lock status information from the onboard computer.

The most frequently found mechanism — and we should note here that each train had a different set of mechanisms — was designed to lock the train if it remained parked for a certain number of days, which for a train in active service is a sign that it is in for maintenance.
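To show why the date-based trap described above misfired, here is an added example written for this article (not code from the talk or from Newag’s firmware): the check is modelled exactly as the talk describes it, with each date field compared on its own, next to the whole-date comparison it presumably intended, and both are walked over a calendar to show on which days each would actually report the fault. The intended-meaning variant is an assumption for contrast.

```python
from datetime import date, timedelta

# Reconstruction of the compressor-fault trap as the talk describes it: each
# date field is tested independently (day >= 21, month >= 11, year >= 2021),
# not the date as a whole. Modelled for analysis only; not Newag's code.
def fieldwise_trigger(d: date) -> bool:
    return d.day >= 21 and d.month >= 11 and d.year >= 2021

# For contrast: a "from 21 November 2021 onward" rule written as a proper
# whole-date comparison (an assumption about what the trap was meant to do).
def whole_date_trigger(d: date) -> bool:
    return d >= date(2021, 11, 21)

def fires_on(check, iso_day: str) -> bool:
    """Does `check` report the fault on the given ISO date (YYYY-MM-DD)?"""
    return check(date.fromisoformat(iso_day))

def firing_windows(check, start_iso: str, end_iso: str) -> list:
    """Walk every day in [start, end] and collapse the days on which `check`
    fires into contiguous (first, last) windows of ISO date strings. This is
    the view an auditor wants from a time-based condition: when, exactly,
    would the hidden behaviour become visible?"""
    d, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    windows = []  # list of [first_day, last_day]
    while d <= end:
        if check(d):
            if windows and windows[-1][1] == d - timedelta(days=1):
                windows[-1][1] = d          # extend the current window
            else:
                windows.append([d, d])      # start a new window
        d += timedelta(days=1)
    return [(a.isoformat(), b.isoformat()) for a, b in windows]

def active_day_count(check, start_iso: str, end_iso: str) -> int:
    """Total number of days in the span on which `check` fires."""
    total = 0
    for first, last in firing_windows(check, start_iso, end_iso):
        total += (date.fromisoformat(last) - date.fromisoformat(first)).days + 1
    return total

if __name__ == "__main__":
    # January 2022, when the train actually came back from service, passes the
    # year test but fails the month test, so the field-wise trap stays silent.
    print(fires_on(fieldwise_trigger, "2022-01-15"))    # False
    print(fires_on(whole_date_trigger, "2022-01-15"))   # True
    for first, last in firing_windows(fieldwise_trigger, "2021-11-01", "2022-12-31"):
        print(f"field-wise trap active {first} .. {last}")
```

Run over November 2021 to December 2022, the field-wise check fires only on 21–30 November and 21–31 December of each year, whereas the whole-date version would fire on every day from 21 November 2021 onward.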
In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.

One of the researchers next to the train.

How to protect your systems from malicious implants

This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. So, no matter what kind of project you’re working on, if it contains any third-party code — let alone a whole system based on it — it makes sense to at least run an information security audit before going live.