avallach | 2 years ago

In various trains, over 20 versions of the compiled firmware with unique variants of the locking algorithm were found. And to make matters worse, the trains were found to have something that appears to be a GSM-to-CAN bridge. It isn't reverse engineered yet but AFAIK shouldn't be there and in the worst case may be a remote control backdoor.

Maxious|2 years ago

Both these points were clarified in the audience questions - it's a UDP to CAN bridge so the Linux-based passenger information system knows the state of the train. And only the Linux system is GSM connected (to get network announcements etc.), none of the firmwares were installed remotely, only when trains were sent back to the manufacturer physically.