Hacking a train: a 37С3 talk

Ethical hackers told 37C3 how they found a few eye-openers while breaking DRM to fix trains.

37C3: how ethical hackers broke DRM on trains

Polish hackers from Dragon Sector told the 37th Chaos Communication Congress (37C3) late last year how they’d hacked into digital rights management (DRM) for trains, and, more importantly — why.

Why Polish hackers broke into trains

Around five years ago, Poland’s Koleje Dolnośląskie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.

To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazdów Szynowych (SPS), which underbid them by a significant margin.

However, once SPS was done with servicing the first of the trains, they found that it simply wouldn’t start up any more — despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.

Shortly after, several other trains serviced by SPS — plus another taken to a different shop — ended up in a similar condition. This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.

The driver's cabin of the train that was hacked by the Polish researchers

Inside the driver’s cabin of one of the Newag Impuls trains that were investigated. Source

Manufacturer’s malicious implants and backdoors in the train firmware

The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running. As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag’s software developers.

For example, they found that one of the trains’ computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it wouldn’t start anymore. What were those areas? The coordinates were associated with several third-party repair shops. Newag’s own workshops were featured in the code too, but the train lock wasn’t triggered in those, which means they were probably used for testing.

Train lock areas defined by coordinates

Areas on the map where the trains would be locked. Source

Another mechanism in the code immobilized the train after detecting that the serial number of one of the parts had changed (indicating that this part had been replaced). To mobilize the train again, a predefined combination of keys on the onboard computer in the driver’s cabin had to be pressed.

A further interesting booby trap was found inside one of the trains’ systems. It reported a compressor malfunction if the current day of the month was the 21st or later, the month was either 11th or later and the year was 2021 or later. It turned out that November 2021, was the scheduled maintenance date for that particular train. The trigger was miraculously avoided because the train left for maintenance earlier than planned and returned for a service only in January 2022, the 1st month, which is obviously before 11th.

Another example: one of the trains was found to contain a device marked “UDP<->CAN Converter”, which was connected to a GSM modem to receive lock status information from the onboard computer.

The most frequently found mechanism — and we should note here that each train had a different set of mechanisms — was designed to lock the train if it remained parked for a certain number of days, which signified maintenance for a train in active service. In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.

The Newag Impuls hacked by Dragon Sector

One of the researchers next to the train. Source

How to protect your systems from malicious implants

This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. So, no matter what kind of project you’re working on, if it contains any third-party code — let alone a whole system based on it — it makes sense to at least run an information security audit before going live.