Jared Naude (140)
We've not been trained for this: life after the Newag DRM disclosure by Michał Kowalczyk (@redford), q3k, Jakub Stepniewicz #38c3
The third challenge is selective disclosure where a user can choose which data is sent however when it comes to digital signatures, the data cannot be edited or changed. The fourth challenge is unlinkability, where transactions cannot be chained together to track / profile people. #38c3
The second issue is unobservability where tracking an profiling can take place. The eIDAS can enable surveillance depending on how it is implemented. If the private keys are local, there is not much metadata that needs to be sent. However, if this is handled by government HSMs, this can enable surveillance through the use of metadata. #38c3
It was found that the trains went through a software update before they went to servicing. Only the manufacturer could do the software update. There were several software locks and logic bombs that would detect if servicing was attempted.
It would detect inactivity if a train was not used for a certain period of time. It also checked serial numbers. It had geolocation locks and date checks. The trains also had secret key combinations to unlock the trains.
Following the public release, the team was invited to parliamentary workshops which was streamed on YouTube. The manufacturer claimed that Deloitte did not work with them and only the train owners. They also claimed that the workshop did not have the right to service the trains. They claimed that the team doing the research was paid millions (not true). They made several other false claims. #38c3
It was found that trains were stopping at a certain train station that was close to a train workshop of the competitors. This was due to the GPS lock that was implemented. When they unplugged the GPS module, the issue went way. #38c3
One of the issues is over asking, relying parties must register public use cases around what data they need. However, the EU wants to leave it to members to decide what will happen. The user must be warned what data will be shared. #38c3
The team reported the findings to the authorities. Deloitte also assisted with the audit. In December 2023, the team went public in Worsaw and then at 37c3 in Hamburg. #38c3
One of the challenges with unlinkability is that public keys and signatures are unique and can be used for tracking which is not allowed by the law. This can be solved with batch issuance through an identity provider. This does not matter if the relying party and government collude together. #38c3
Expanding further, the German implementation will store private secret keys in Cloud HSMs. #38c3
