They're Now Planting DRM on Trains: Hacker for Hire, Dragon Sector, Takes the Chaos Communications Congress Stage to Explain How They Caught Their Maker Red-handed

General
They're Now Planting DRM on Trains: Hacker for Hire, Dragon Sector, Takes the Chaos Communications Congress Stage to Explain How They Caught Their Maker Red-handed

You may never download a railroad, but you may want to fix it. In Poland, such concerns have led to a major controversy. Railroad manufacturer Newag is under fire for possibly adding DRM-style protection to prevent its cars from being repaired by competitors.

As described in the Polish note, the manufacturer's trains were inexplicably "stopped at several locations in Poland. Not only did they stop working after competitors attempted to repair them, but on November 21, 2023, one of the cars inexplicably bricked up. Details are discussed below.

A company named SPS Mieczkowski received a fine from the railroad operator for failing to repair one of Newag's trains. It then hired a group of hackers called Dragon Sector to build a privateer from pirates. One of the hackers, Michał Kowalczyk, told Onet: "We discovered that the manufacturer was interfering with the software, which led to a forced breakdown.

Newwag, of course, denies the accusations, but the evidence seems damning. As reported by Gizmodo, three hackers from Dragon Sector took to the stage at the Chaos Communication Congress (a hacker convention that discusses cybersecurity and privacy) to share their findings.

In their talk, "Breaking DRMS on a Polish Train," the team stated that they were "100% sure" they were right and that "it's Newag that should be afraid, not us."

"The most common type of train we have investigated is what we call "lack of movement" or "idle timer," explained Jakub Stępniewicz, aka MrTick. If a train is motionless for more than three minutes at speeds above 60 km/h for more than 10 days, he explains, it is permanently locked. However, according to MrTick, there were also false positives, and when the train was stopped for maintenance, "it was enough to activate the lock."

To "fix" this, the manufacturer extended the period to 21 days and added "geofencing" so that the lock would engage if it stayed in certain locations; for the mysterious brick on November 21, "we also did a very nice date check on one train: ...... That train was to be serviced on November 21, 2021". Wait, didn't that train break in 2023? Because (as the hacker revealed) the code actually instructs the train to lock down between November 21-30 and December 21-31.

"This is on one train," says Sergiusz Bazanski (aka q3k). 'That train is now famous because it did indeed break down on December 21 of this year. But don't worry, it will run properly in the New Year."

The entire talk is an eerily familiar and error-ridden journey through comedy. We have all seen horrible levels of performance-impairing DRM applied to games and added in unplanned ways that harm players, such as the infamous resource hog Denuvo. The only problem is that this is a train, not a video game, and the consequences are a bit more severe.

Nor is this the first time something like this has happened outside of video games: in August 2022, hackers jailbroken a tractor with DRM and ran Doom on it. In July of the same year, BMW also introduced microtransactions into its cars. At only $18 a month to warm up the seats, what a bargain!

Categories