{"id":50321,"date":"2024-01-24T12:50:49","date_gmt":"2024-01-24T17:50:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=50321"},"modified":"2024-01-24T12:50:49","modified_gmt":"2024-01-24T17:50:49","slug":"train-hack-37c3-talk","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/train-hack-37c3-talk\/50321\/","title":{"rendered":"Hacking a train: a 37C3 talk"},"content":{"rendered":"<p>Polish hackers from Dragon Sector <a href=\"https:\/\/media.ccc.de\/v\/37c3-12142-breaking_drm_in_polish_trains\" target=\"_blank\" rel=\"nofollow noopener\">told<\/a> the 37<sup>th<\/sup> Chaos Communication Congress (37C3) late last year how they\u2019d hacked into digital rights management (DRM) for trains, and, more importantly \u2014 why.<\/p>\n<h2>Why Polish hackers broke into trains<\/h2>\n<p>Around five years ago, Poland\u2019s Koleje Dolno\u015bl\u0105skie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.<\/p>\n<p>To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazd\u00f3w Szynowych (SPS), which underbid them by a significant margin.<\/p>\n<p>However, once SPS was done with servicing the first of the trains, they found that it simply wouldn\u2019t start up any more \u2014 despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.<\/p>\n<p>Shortly after, several other trains serviced by SPS \u2014 plus another taken to a different shop \u2014 ended up in a similar condition. 
This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.<\/p>\n<div id=\"attachment_50323\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124218\/train-hack-37c3-talk-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50323\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124218\/train-hack-37c3-talk-1.jpg\" alt=\"The driver's cabin of the train that was hacked by the Polish researchers \" width=\"1600\" height=\"1197\" class=\"size-full wp-image-50323\"><\/a><p id=\"caption-attachment-50323\" class=\"wp-caption-text\">Inside the driver\u2019s cabin of one of the Newag Impuls trains that were investigated. <a href=\"https:\/\/zaufanatrzeciastrona.pl\/post\/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<h2>Manufacturer\u2019s malicious implants and backdoors in the train firmware<\/h2>\n<p>The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running. As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag\u2019s software developers.<\/p>\n<p>For example, they found that one of the trains\u2019 computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it wouldn\u2019t start anymore. What were those areas? The coordinates were associated with several third-party repair shops. 
Newag\u2019s own workshops were featured in the code too, but the train lock wasn\u2019t triggered in those, which means they were probably used for testing.<\/p>\n<div id=\"attachment_50324\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124609\/train-hack-37c3-talk-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50324\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124609\/train-hack-37c3-talk-2.jpg\" alt=\"Train lock areas defined by coordinates \" width=\"1460\" height=\"746\" class=\"size-full wp-image-50324\"><\/a><p id=\"caption-attachment-50324\" class=\"wp-caption-text\">Areas on the map where the trains would be locked. <a href=\"https:\/\/zaufanatrzeciastrona.pl\/post\/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Another mechanism in the code immobilized the train after detecting that the serial number of one of the parts had changed (indicating that this part had been replaced). To mobilize the train again, a predefined combination of keys on the onboard computer in the driver\u2019s cabin had to be pressed.<\/p>\n<p>A further interesting booby trap was found inside one of the trains\u2019 systems. It reported a compressor malfunction if the current day of the month was the 21<sup>st<\/sup> or later, the month was the 11<sup>th<\/sup> or later, and the year was 2021 or later. It turned out that November 2021 was the scheduled maintenance date for that particular train. 
The trigger was miraculously avoided because the train left for maintenance earlier than planned and returned for a service only in January 2022, the 1<sup>st<\/sup> month, which is obviously before the 11<sup>th<\/sup>.<\/p>\n<p>Another example: one of the trains was found to contain a device marked \u201cUDP&lt;-&gt;CAN Converter\u201d, which was connected to a GSM modem to receive lock status information from the onboard computer.<\/p>\n<p>The most frequently found mechanism \u2014 and we should note here that each train had a different set of mechanisms \u2014 was designed to lock the train if it remained parked for a certain number of days, which signified maintenance for a train in active service. In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.<\/p>\n<div id=\"attachment_50326\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124815\/train-hack-37c3-talk-3-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50326\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/24124815\/train-hack-37c3-talk-3-1.jpg\" alt=\"The Newag Impuls hacked by Dragon Sector \" width=\"1600\" height=\"1200\" class=\"size-full wp-image-50326\"><\/a><p id=\"caption-attachment-50326\" class=\"wp-caption-text\">One of the researchers next to the train. <a href=\"https:\/\/social.hackerspace.pl\/@q3k\/111528162462505087\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<h2>How to protect your systems from malicious implants<\/h2>\n<p>This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. 
So, no matter what kind of project you\u2019re working on, if it contains any third-party code \u2014 let alone a whole system based on it \u2014 it makes sense to at least <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/cybersecurity-services?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">run an information security audit<\/a> before going live.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ethical hackers told 37C3 how they found a few eye-openers while breaking DRM to fix trains.<\/p>\n","protected":false},"author":2726,"featured_media":50322,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[4536,1449,2141,2800,2802,4537,1146,97,422,268],"class_list":{"0":"post-50321","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-4536","10":"tag-backdoors","11":"tag-business","12":"tag-ccc","13":"tag-chaos-communication-congress","14":"tag-implants","15":"tag-risks","16":"tag-security-2","17":"tag-threats","18":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/train-hack-37c3-talk\/50321\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/train-hack-37c3-talk\/26997\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/train-hack-37c3-talk\/22310\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/train-hack-37c3-talk\/29665\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/train-hack-37c3-talk\/27166\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/train-hack-37c3-talk\/
36860\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/train-hack-37c3-talk\/27397\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/train-hack-37c3-talk\/33182\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/train-hack-37c3-talk\/32807\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ccc\/","name":"CCC"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=50321"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50321\/revisions"}],"predecessor-version":[{"id":50327,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50321\/revisions\/50327"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/50322"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=50321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=50321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=50321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}