FYI this was already posted to technology, here.
“You wouldn’t download a train!”
The EU should slap the living daylights out of this company
In one of the most popular presentations at 37C3, the three hackers uncovered something monstrous: Newag trains went into hibernation using a sophisticated game of hide-and-seek if they were parked for too long within the geocoordinates of competitors’ or customers’ workshops or were left in conditions that indicated they underwent an unregistered repair. Only by calling in a Newag technician could such deactivated trains be ‘rescued’. All of this was uncovered without the potentially illegal replacement of train components which would require certifications.
What.
Streisand Effect in 3, 2, 1…
The best part of that presentation was code that looked like this
if (day > 15 && month > 11 && year > 2010) { } // Yes, the date is random, I don't remember the real one
That’s going to spit out a very weird dataset. There may be edge cases where data for the back half of December from 2011 forward would be useful, but I can’t think of one.
Forgot to clarify, that was reverse engineered code from the train firmware (I don’t remember what it was trying to do)
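The two trigger conditions the thread describes (the park-too-long-inside-a-workshop-geofence check from the talk summary, and the date comparison quoted from the reverse-engineered snippet), written out as an added Python illustration. This is not code from the talk, the CCC, or the train firmware; the fence coordinates, radius and idle threshold are constructed assumptions. It shows the shape an auditor looks for in firmware: a position lookup against a hardcoded coordinate table combined with a dwell timer, plus the odd date window the quoted comparison actually selects.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Hypothetical fence table, name -> (lat, lon, radius_km); constructed, not the real values.
WORKSHOP_FENCES = {
    "competitor-workshop-A": (52.2300, 21.0100, 0.5),
    "customer-depot-B": (50.0600, 19.9400, 0.5),
}
IDLE_LIMIT = timedelta(days=10)  # assumed "parked too long" threshold, not the real one

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def fence_for(lat, lon):
    """Name of the fence containing the point, or None if outside all of them."""
    for name, (flat, flon, radius) in WORKSHOP_FENCES.items():
        if haversine_km(lat, lon, flat, flon) <= radius:
            return name
    return None

def date_gate(year, month, day):
    """The comparison quoted in the thread, taken literally: true only for 16..31 December of 2011 onward."""
    return day > 15 and month > 11 and year > 2010

def longest_dwell(track):
    """Longest uninterrupted stay in any fence over chronological (datetime, lat, lon) fixes."""
    best_name, best_len = None, timedelta(0)
    current, entered = None, None
    for t, lat, lon in track:
        f = fence_for(lat, lon)
        if f != current:
            current, entered = f, t  # crossed a boundary: restart the clock
        elif f is not None and t - entered > best_len:
            best_name, best_len = f, t - entered
    return best_name, best_len

def would_trigger(track):
    """True when the track shows a stay inside any fence longer than IDLE_LIMIT."""
    name, dwell = longest_dwell(track)
    return name is not None and dwell > IDLE_LIMIT

def constructed_track():
    """Constructed sample: one fix per day for 12 days, parked inside workshop A."""
    t0 = datetime(2023, 6, 1)
    return [(t0 + timedelta(days=i), 52.2301, 21.0101) for i in range(13)]
```

In a real audit the interesting artefact is the coordinate table itself: a firmware image containing fixed latitude/longitude pairs that match third-party workshops is the thing to flag.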
Statement and more information from the German CCC alias Chaos Computer Club, a civil rights organization of software tweakers and computer experts:
https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleist
By the way: The train manufacturer company is suing the people who exposed this, and CCC is collecting donations for their legal support - details on the page linked above.
The “defence” of Newag is wild: they claimed that the repair company (SPS) installed these malicious parts of the software. Why would SPS do that and lose the repair contract back to Newag? That’s just a cartoonishly dumb claim.
It is not only trains. In Germany, some hearing aid manufacturers are now adding codes that allow repairs to be done only by a specific shop. Since the device is paid for and owned by the wearer, this should be illegal.