38C3 2024

Day 1 (3795) Jared Naude (140)

Lessons learned?

Lawsuits are temporary.
Glory is forever.

Go public!

A journalist put out an erroneous article stating that the software was put on the trains by the hackers, which is not true. Many other news sites repeated the false claims.

2 lawsuits have been filed against the teams. The first lawsuit complains about software modification, that they broke the copyright, and that they were incompetent. The first lawsuit is for 1.3 million euros.

This issue was covered in the media and sparked a debate about whether the code should be public if public money is used. The right to repair debate also covered this issue, which was also covered by Louis Rossmann.

The team also reported the findings to several authorities including the internal security agency, consumer protection office and the anti-corruption bureau.

The team also found that if you open the cabin doors of the train and push the emergency button in the toilet, the train will unlock itself.

It was found that trains were stopping at a certain train station that was close to a train workshop of the competitors. This was due to the GPS lock that was implemented. When they unplugged the GPS module, the issue went away.

In the following meetings, they did not have a presentation slide so they bought paper slides.

DELAY. DEFLECT. DERAIL. 😂

The manufacturer showed several misleading photos during their presentation and even included photos of trains that were in a different workshop which had no relevance to the discussion. Nothing was mentioned about the software locks.

Following the public release, the team was invited to parliamentary workshops which were streamed on YouTube. The manufacturer claimed that Deloitte did not work with them and only the train owners. They also claimed that the workshop did not have the right to service the trains. They claimed that the team doing the research was paid millions (not true). They made several other false claims.

The team reported the findings to the authorities. Deloitte also assisted with the audit. In December 2023, the team went public in Warsaw and then at 37C3 in Hamburg.

It was found that the trains went through a software update before they went to servicing. Only the manufacturer could do the software update. There were several software locks and logic bombs that would detect if servicing was attempted.

It would detect inactivity if a train was not used for a certain period of time. It also checked serial numbers. It had geolocation locks and date checks. The trains also had secret key combinations to unlock the trains.
