@artemist@wolf480pl What I would like (and I don't mean to sound like some kind of RETVRN TO DEVUAN freak) is the oldschool way of using kernel enumeration as a base (eth0, eth1, usb0, etc), and then pinning it statefully to MAC in userspace.
I know it's not great for us NixOS folks, but there we could just declaratively pin interface names to MAC via nixos-generate-config. Effectively the same behaviour.
Systemd predictable network interface names are awesome.
Not only do I get easy to remember names like enp2s0f0u7u3c2 but I _also_ get to experience a machine not coming back up after reboot because a new (non-NIC!) PCIe card caused existing names to shuffle around.
The code has a dictionary of strings that are encoded as a prefix trie, which helps to keep things stealthy. This is e.g. then used to look up symbols, e.g. bd_elf_lookup_hash(..., 0x2b0, ...) means bd_elf_lookup_hash(..., "__libc_stack_end", ...). This is also why it's slow :).
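To make the trie-based string table described above concrete, here is an added example (not code from the post or from the actual backdoor) that models such a table in Python: strings live only as trie paths referenced by a numeric identifier, the runtime lookup walks the trie until it finds that identifier, and an analyst's pass dumps every identifier-to-string pair at once so calls like `bd_elf_lookup_hash(..., 0x2b0, ...)` can be annotated. The node layout and all identifiers other than 0x2b0 are invented for illustration.

```python
from __future__ import annotations
from typing import Optional

# Hypothetical model of a prefix-trie string table (NOT the real on-disk
# encoding): each stored string is a path of characters ending in a node
# that carries its numeric identifier, so no plaintext string is ever stored.
class TrieNode:
    def __init__(self) -> None:
        self.children: dict[str, TrieNode] = {}
        self.string_id: Optional[int] = None  # set only on a terminal node

def build_trie(table: dict[int, str]) -> TrieNode:
    """Encode an id -> string table as a prefix trie (the obfuscated form)."""
    root = TrieNode()
    for sid, s in table.items():
        node = root
        for ch in s:
            node = node.children.setdefault(ch, TrieNode())
        node.string_id = sid
    return root

def lookup(root: TrieNode, target_id: int) -> Optional[str]:
    """Runtime-style lookup: walk the whole trie until the terminal node
    carrying target_id is found. This is linear in the size of the trie,
    which is why id-based lookups through it are slow."""
    stack = [(root, "")]
    while stack:
        node, prefix = stack.pop()
        if node.string_id == target_id:
            return prefix
        stack.extend((c, prefix + ch) for ch, c in node.children.items())
    return None

def dump_all(root: TrieNode) -> dict[int, str]:
    """Analyst's pass: recover the entire id -> string mapping in one walk,
    so every lookup-by-id in the disassembly can be replaced by its string."""
    out: dict[int, str] = {}
    stack = [(root, "")]
    while stack:
        node, prefix = stack.pop()
        if node.string_id is not None:
            out[node.string_id] = prefix
        stack.extend((c, prefix + ch) for ch, c in node.children.items())
    return dict(sorted(out.items()))

# Constructed sample table: 0x2b0 -> "__libc_stack_end" is the pair named in
# the post; the other identifiers and strings are made up for this example.
SAMPLE_TABLE = {
    0x2B0: "__libc_stack_end",
    0x2B1: "__libc_start_main",
    0x2C0: "RSA_public_decrypt",
}
```

Running `dump_all(build_trie(SAMPLE_TABLE))` reproduces the full table, which is the output an analyst wants before reading the callers.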
This should bring us one step closer to knowing what the binary payload does.
@marcan Ah yeah, the fact that this wasn't better tested to not trigger alarms (e.g. in oss-fuzz / valgrind) was a bit amateurish.
I feel like the .so was engineered by a totally different group than the maintainer, or whoever is behind the maintainer persona. That thing is just bonkers in comparison. Even having all the code in front of me, it's very hard to tell what it does, whether it's further packed, or that it even is malware.
In 2024, $0.32 gets you a Cortex M0, 4kB RAM, 16kB flash and a built-in 24MHz oscillator. All in a package that's terrifyingly close to being accidentally swallowable.
Shout out to the Security Research Legal Defense Fund for helping us go public about our train research! We're honored to have been their first grantees.
Without their financial assistance we would've had to crowdfund our legal bills, or even worse, stay quiet about the locks we've found in Impuls trains.
If you're facing legal threats (or even anticipate the possibility of such threats) as the result of security research we definitely recommend reaching out to them.
It's amazing how many bonkers legal takes we've heard about this over the past few weeks. :)
We've been accused of everything from fraud, causing a danger to national security, insider trading, up to of course all possible violations of IP law. We've seen copyright law being applied to trains and intellectual property rights being interpreted as 'the author can do anything they want'. We've seen contract law translated to 'if it wasn't prohibited then it's okay'.
@redford and @mrtick held an unrecorded talk about this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.
For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.
We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.
It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.
The key unlock was deleted in newer PLC software versions, but the lock logic remained.
After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.
The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.
I can finally reveal some research I've been involved with over the past year or so.
We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.
Documenting the hyperfocus episodes of a soul stuck between hardware and software. THIS CONTENT IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. #nobot (Old account: https://0x3c.pl/@q3k)