Train locks

The original was making rounds on the fediverse, so BadCyber translated "Dieselgate, but for trains – some heavyweight hardware hacking" from the original Polish:

A train manufactured by a Polish company suddenly broke down during maintenance. The experts were helpless – the train was fine, it just wouldn’t run. In a desperate last gasp, the Dragon Sector team was called in to help, and its members found wonders the train engineers had never dreamed of.

I’ll spoil it for you. The Polish manufacturer who lost the tender for the maintenance of the trains decided to lock them if they get maintained elsewhere. This is an investigation on behalf of said maintenance company for a railroad in Poland that fell victim to this.

Some tidbits on the practice:

Newag explains that the trains were blocked by a “safety system”

Newag is the train manufacturer. But this is at the maintenance workshop…

A day of train downtime in the workshop costs over 1000 USD in contractual penalties

… with penalties for the maintenance company.

So the security researchers, while trying to restart trains, started looking at the code of the train controller:

A condition has been written in the computer code to disable the ability to run a train if it spends at least 10 days in one of these workshops. One of the workshops belongs to Newag itself – but a different logical condition was defined for its coordinates, presumably for testing purposes.

But that’s not all.

[…] the blocking of a train when one of its components is replaced (verified by its serial number).

Sounds familiar? Printers, iPhones, etc.

An option to undo the lockout was also discovered – this did not require setting flags at computer memory level, just the right sequence of button clicks in the cab and on the on-board computer screen. When news of the successful launch of the Impulse hit the media, the trains received a software update that removed this ‘fix’ option.

Printer vendors: been there, done that.

On another train, a code was found instructing it to ‘break down’ after a million kilometres.

Printer-ink-racket-style.

And there are other things, including buggy code that ends up not being triggered at the right time. But none of this is coincidence or bugs. It’s by design. Also because criminals need to stalk their victims:

Analysis showed that the on-board computer was sending lock status information to this device, and that the device itself was connected to a GSM modem.

Reporting back…

And similar locks have been found in locations with different maintenance centers.

Enshittification applied to public transit rolling stock. That’s next level. I’m sure John Deere and HP are having dreams now.

I wonder what action the Polish Government will take and if that can escalate to the EU level. The article states that at the time of writing they haven’t heard anything yet.

The practice is downright criminal.

This effort is scheduled to be presented at a conference in early December 2023.

13 December 2023: update