You must log in or # to comment.
In one of the most popular presentations at 37C3, the three hackers uncovered something monstrous: Newag trains went into hibernation using a sophisticated game of hide-and-seek if they were parked for too long within the geocoordinates of competitors‘ or customers’ workshops or were left in conditions that indicated they underwent an unregistered repair. Only by calling in a Newag technician could such deactivated trains be ‘rescued’. All of this was uncovered without the potentially illegal replacement of train components which would require certifications.
What.
Streisand Effect in 3, 2, 1…
https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/
to complement the list of ressources, this was a very fun (and layman-level) read
Statement and more informations from the German CCC alias Chaos Computer Club, a civil rights organization of software tweakers and computer experts:
https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleist
By the way: The train manufacturer company is suing the people who exposed this, and CCC is collecting donations for their legal support - details on the page linked above.
The “defence” of Newag is wild: they claimed that the repair company (SPS) installed these malicious parts of the software. Why would SPS would do that and lose the repair contract back to Newag? That’s just a cartoonishly dumb claim
It is not only trains. In Germany, some hearing aid manufacturers are now adding codes that allow repairs to be done only by a specific shop. Since the device is paid and owned by the wearer, this should be illegal.
The EU should slap the living daylights out of this company
The best part of that presentation was code thst looked like the this
if (day > 15 && month > 11 && year > 2010) { // Yes the date is random i don't remember the real one }That’s going to spit out a very weird dataset. There may be edge cases where data for the back half of December from 2011 forward would be useful, but I can’t think of one.
Forgot to clarify, that was reverse engeneered code from the train firmware (i don’t remember what it was trying to do)
“You wouldn’t download a train!”
FYI this was already posted to technology, here.
The only thing I disagree with is this:
This continuing saga shows how important regulation and legislation are to protect consumers, whether it’s individuals like us, or companies that are being bullied into complying with some pretty odious demands.
This makes it look like anti-repair lawsuits were something that can natuarlly occur, and that the solution were some form of government intervention. By and large, that’s not true: It’s the existing copyright laws which are the government intervention — what we are calling for is not a restriction of freedoms for the greater good (regulation), but a return of freedoms that were unjustly taken from us.
(Just so no-one misunderstands me: I’m no opponent of regulations, and am wholly aware that, very often, they actually protect freedom in the greater scheme of things. My point is that terms like “regulation” and even “new legislation” do have a bad ring to many people in the Western hemisphere and beyond, and we needlessly cease discursive territory if we neglect the fact that we are victims of overreaching, oligarch-serving regulation, which we seek to abolish.)
We need more FOSSified hardwares in market
