59 votes

Polish hackers repaired trains the manufacturer artificially bricked. Now the train company is threatening them.

12 comments

  1. [6]
    riQQ

    After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

    In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it.

    The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been “hacked,” and thus might now be unsafe, a claim they also cannot substantiate.

    38 votes
    1. public

      Turns out that the manufacturer, the hackers, and the railway are all Polish. I was hoping that the manufacturer was non-Polish so that Polish courts could show some self-respect in national sovereignty to say, "We're not making you pay, no matter what treaties the pencilnecks in Parliament agreed to 20 years ago."

      14 votes
    2. [4]
      updawg

      I'm not really sure I see an issue with this? Disabling a phone because someone else worked on it is one thing, but a train is much more complex and has a higher risk level. It seems like just a stronger version of indemnity.

      4 votes
      1. skullkid2424

        Who can make the call on that though? It should probably be the government's transit authority - not a private company. It's also not like they were taken to a random guy on the street with a wrench - they used a reputable independent repair shop that works with train carriers. The problem in my mind is that a private company sold trains and wants to still decide how those trains are used. Do you really own something if the company that sold it to you can brick that thing and blackmail you into paying exorbitant repair costs?

        While phone repair is definitely lower consequence, this has been a recurring issue with iPhones in particular. The real apt comparison though would be John Deere and the way they handle tractors. There have been years of legal battles over farmers being able to repair their own tractors and if John Deere should have the power to remotely shut down tractors that they already sold.

        22 votes
      2. mild_takes

        That's not really how this works on railways. I can only speak to my experience in North America but the broad strokes of railroading are the same. Also I don't do maintenance.

        Unless it's some autonomous thing, the parts of a locomotive that could fail and harm people are generally big steel mechanical things or are only slightly modernized versions of 100-year-old things.

        When complex technical systems fail they're generally designed to fail in a way that stops the train or shuts down the engine. The consequences of these failures are either reduced performance, a locomotive being pulled out of service, or basically a breakdown.

        The only legitimate argument I could see along those lines is for the safety of the individual that is performing the repair. But that doesn't justify bricking a locomotive.

        11 votes
      3. countchocula

        Not really imo, an unskilled phone tech is one thing and a skilled and certified engineer is another. It's not like they pulled random dudes off the street, these technicians are likely licensed by some jurisdiction already.

        5 votes
  2. [5]
    unkz

    As far as I understand it, all they did was push the secret key combination to unlock. Didn’t sound like much of a case to be made there. I’m more curious about what the train operator is going to do — is it possible to sue the manufacturer for installing this booby trap?

    15 votes
    1. Promonk

      My guess is that there's a vaguely worded clause in their purchase contract that notionally absolves the manufacturer from liability. SOP for shitty companies that want to weasel in DRM.

      The EU seems less amenable to weasel clauses like that than are US regulators and courts though, so it might not hold up. It'll be interesting if the OEM does decide to press the matter.

      12 votes
    2. [3]
      pbmonster

      No, they did much more. The biggest part of their investigation was downloading the drive computer memory byte by byte, and then identifying values in the computers’ memory that are set in one train and zeroed out in another. They also identified the secret button combination (and the GPS checks) directly from instructions they found in memory.

      In this process, they literally burned all of those computers they were working with, used the surviving pieces of the wreckage in order to rebuild one functioning computer, modified its memory directly and got the train to run with it.

      Those trains were thoroughly hacked. One of the only things the manufacturer did right is worrying if it is safe to run the trains on those computers - because those computers could potentially now do anything and everything after the hackers were done with them.

      If you're interested, this article has much more detail about the hack: https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/

      2 votes
      1. [3]
        Comment deleted by author
        1. [2]
          pbmonster

          I agree, it's certainly a problem that companies will always abuse this claim.

          There is, however, a point where I personally start caring about the claim. I think it's closely related to whether the software/firmware/hardware has passed any kind of certification/auditing/accreditation before being modified by someone not following the exact same process.

          I say let people hack their phones at their own risk. Let farmers root/home-brew their tractor's software. The potential for damage is justified by the potential benefits.

          But chip-tuning cars? Too easy to become bad for the environment.

          Hacking the drive control of a train - the thing those trains also use for deceleration/braking? On the single-byte level, without access to good disassemblers? Inside a (by the admission of those hackers themselves) broken corporate ecosystem, where almost every train has a different set of functions and a different version of software? Personally: No.

          And even if you're comfortable with that: how do you feel about a private security researcher doing byte-by-byte surgery on Boeing's autopilots, cockpit instrumentation or turbine control?

          2 votes
          1. [2]
            Comment deleted by author
            1. pbmonster

              For certain classes of item, I could get behind an argument for saying that it needs to pass type approval or certification again afterwards, or that the engineers who worked on it need to be appropriately certified.

              That's pretty much what the train manufacturer is saying here, right?

              The entire argument kind of becomes moot for trains and planes. Yes, you bought it, do with it what you want. But you can't operate it with pax in the back (or in controlled airspace, for that matter) until you get your changes certified. Which you won't, because it's not only the end product (the software you flash) that is certified in those cases, it's the entire change process and the entire organisation that is certified. And for good reasons.

              Personally, I would extend this down to cars. It's not a good idea to allow people to home-brew the radar-controlled adaptive cruise control, even if they bought the car. That thing controls throttle and brakes, hacking it can kill a lot of people.

              I'm a big proponent of the right to repair, and manufacturers should supply the software needed to repair their hardware. They probably should supply it including code and documentation. But allowing all modifications to those systems in all cases is not automatically a good idea.

              3 votes