I can finally reveal some research I've been involved with over the past year or so.
We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parti
es.
1/4
like this
reshared this
q3k :blobcatcoffee:
in reply to q3k :blobcatcoffee: • • •We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.
It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.
2/4
Cy likes this.
reshared this
Shannon Prickett, muıııo, Sally Strange, Christine Lemmer-Webber, Aral Balkan, yuvipanda, pete, Tanguy Fardet, Siderea, Sibylla Bostoniensis, Irenes (many), Waldo Jaquith, Chris Petrilli, Sic Transit Philadelphia, Cy, Matthew Skelton, vruz and Joan // Mask up reshared this.
q3k :blobcatcoffee:
in reply to q3k :blobcatcoffee: • • •The key unlock was deleted in newer PLC software versions, but the lock logic remained.
After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.
The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.
3/4
Cy likes this.
reshared this
Sally Strange, Christine Lemmer-Webber, yuvipanda, pete, Irenes (many), Sic Transit Philadelphia, Cy and vruz reshared this.
q3k :blobcatcoffee:
in reply to q3k :blobcatcoffee: • • •and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.
For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.
@zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/
O trzech takich, co zhakowali prawdziwy pociąg – a nawet 30 pociągów | Zaufana Trzecia Strona
Adam Haertle (Zaufana Trzecia Strona)Cy likes this.
reshared this
Sally Strange, Christine Lemmer-Webber, pete, stefani, Sic Transit Philadelphia, Cy, vruz and Joan // Mask up reshared this.
Isocat
in reply to q3k :blobcatcoffee: • • •Ugh. This gross, abusive violation of social contract brings Unauthorized Bread to mind:
https://raw.githubusercontent.com/wandyezj/reference/master/unauthorized-bread.pdf
@q3k @redford @mrtick @zaufanatrzeciastrona @kkarhan @raulinbonn @yacc143 @muiiio
Irenes (many)
in reply to q3k :blobcatcoffee: • • •Irenes (many) reshared this.
ifrauding
in reply to q3k :blobcatcoffee: • • •Kevin Karhan :verified:
in reply to q3k :blobcatcoffee: • • •Does any regulator know of this #Sabotage of #CriticalInfrastructure by the #Manufacturer?
I'm shure these trains ain't exclusive to to one country and regulators from @BNetzA and @kartellamt@social.bund.de to @EU_Commission will likely be very interested in such deliberate acts of #AntiCompetiton, #AntiRepair and basically attacks on #PublicTransport #infrastructure done by #NEWAG to fleece customers!
I mean, this is next-level assholeism and makes #JohnDeere and #Apple look like #RightToRepair fans.
muıııo
in reply to q3k :blobcatcoffee: • • •Aral Balkan
in reply to q3k :blobcatcoffee: • • •Matt Palmer
in reply to Aral Balkan • • •Emmanuele Bassi
in reply to q3k :blobcatcoffee: • • •bob.php :veritrek_gold:
in reply to q3k :blobcatcoffee: • • •Joan // Mask up
in reply to q3k :blobcatcoffee: • • •