John Deere-ism Goes International
John Deere-ism (noun): using hardware and/or software to lock out competing parts or service providers.
A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors. Newag, a Polish train maker, emphatically denied that it installed such software in a statement [PDF, Polish] issued Wednesday, attributing any issues to …
You buy an Apple, you know what you're getting. And Android is an alternative.
(I mean, I agree that you should be able to service it. I think what Apple do is wrong. But it shouldn't be unexpected, and you have alternatives to show you don't like it).
A farmer buys a tractor, or a train operator buys a train, they expect to be able to service it.
@jgarbo: Read the fine print. Don't like it; don't buy it. That statement presumes the potential buyer has effective alternative choices. Right now, in some, possibly many, countries, a potential buyer has no effective alternative. Down in the U.S., home of John Deere, the market is carved up by the farm equipment companies into exclusive territories [which is illegal collusion]. John Deere, Case, International Harvester [the former two now merged into "Case IH"], New Holland, Allis-Chalmers [out-of-business?], Caterpillar, and Massey Ferguson each had/have their agreed-upon turfs.
Just try to get a repair tech from Company A over into territory of Company B: you'll be waiting a very long time, be charged incredibly stiff fees, and while you are waiting, your crops will be rotting in the fields.
This all is a non-issue to agri-business; they pay the jacked-up John Deere [or whomever's] repair and parts fees, and pass that on to their own customers. The small farmer doesn't have the economic power to do that.
You buy an Apple, you know what you're getting.
You're getting a device they make it hard to repair, but not a device that they will arbitrarily brick if you take it to another repair shop.
This would be like Apple using the GPS in the phone to brick a phone if it's spent time in a non Apple repair shop.
It's a fucking hilarious excuse really
It makes me reconsider every time I hear a CEO mention cyber criminals and hacking.
"Hackers cracked our software and updated it so that it only stops working if the customer gets their maintenance tasks performed in our commercial rivals garage".
Hackers can be a strange breed, but hacking a PLC to provide such a specific feature, that also happens to have a direct and major commercial benefit to the OEM?
Oh please!
True. But if you were the errant CEO caught on cctv with his knickers down - what better excuse could you invent? I'm struggling to find a better one ... as I'm sure their PR/creative team did until the dog eat it.
The alternatives would be "honest mistake, accidentally pressed 'release to production' instead of 'delete' on experimental code written purely for research purposes"; or throw a "rogue engineer" under the bus with the "a few bad apples" excuse. Though the latter didn't go so well for VW.
Though the latter didn't go so well for VW.
That was mainly in the states where they are a foreign company. An action in Germany/Europe was likely forced upon them by the publicity - I doubt we'd have heard about it if it was limited to home soil.
Depending on the size of the manufacturer in its home country of Poland there may be a little more forgiveness. An executive will probably have to take a golden parachute though.
...also inserting an undocumented control combo that, when held down, resets the whole system. Gosh, those pesky hoodie-wearing kids, what WILL they get up to next? Perhaps they'll add code to brick the whole train once the next model comes out.
"It’s astounding that they would do it in the first place but did they seriously think nobody was going to take a really good look at the code once trains started failing for no good reason?"
In a word, yes. That's exactly what they thought. And the apparent lack of action by Polish authorities suggests that a few brown bags have changed hands as well.
Don't overlook the fact that the expertise to examine code at this level isn't normally available to the businesses that make and service big heavy hardware like trains, and the normal thinking would be "gawd, it's gone wrong agaaaain! That's the fiftieth time with some random error code. It'll be something deep in the electronics or wiring, we'll never find it. Let's send it back to the makers and pay them to fix it".
I wouldn’t be surprised if the impetus to employ the security researchers was a story from someone who had worked in Newag and had heard rumours of such a kill-switch. Railway vehicle servicing is not a big field, and people move between companies.
I didn’t check, but I had a sinking feeling that a diligent searcher would find numerous links between executives at Newag and key figures in PiS (the political party that until the recent election had a stranglehold on power in Poland). PiS is an amazingly corrupt organisation, even by the standards of populist parties, and Poland is well rid of them.
The timed expiry or "time bomb" is (or at least was) a common trick employed by programmers who suspected they'd be shown the door as soon as a project's finished - the company would have to call the programmer back months/years after the fact to fix things, of course at painful "consulting" rates.
>did they seriously think nobody was going to take a really good look at the code once trains started failing for no good reason?
Yes because under the DMCA what those researchers did was illegal. "Oh", you'd say, "but isn't that an American law?". Yes, well, sort of -- there's a tendency for American laws to be applied globally so if this isn't subject to that or a similar law then its a product management screwup. Maybe they thought that the T&Cs that came with the product would prohibit reverse engineering and that would be enough to at least shift the blame.
Its a bit bold faced to do this sort of thing to a train. Those things are large, expensive and generally the sort of product that would attract attention when it failed for no apparent reason. But it begs the question as to why this sort of thing isn't illegal -- and also just how many other products are deliberately hobbled like this. (Anyone remember Microsoft and CP/M-86?)
EU and US law are distinct and different, it is highly unlikely that a Polish company felt safe just because a law on the other side of the pond forbids decompiling* (not even sure if this is actually the case, I think the DMCA is not quite as broad). If I had to guess it was hubris and arrogance leading to the inclusion of the additional code blocking competitors, similar to VW and Dieselgate (similar, not identical. Newag wanted to hinder others repairing the trains, VW wanted to minimize the cost for emission control).
*) for SPS and the Polish hackers directive 2009/24/EC article 5 seems to be relevant, combined with this EU court judgement saying that yes, decompiling IS legal for finding and fixing bugs. one could discuss "lawful acquirer" but imo the chain is fine: The rail service provider bought the trains (surely with the right to use the on-boad software) and subcontracting the maintenance (where the subcontractor also has to use the software embedded in the train) cannot be forbidden, I think.
I could see why you would think something with "Copyright Act" in the title would only apply to violating copyrights, but the law made it an offense to reverse-engineer anything at all. One programmer was arrested at a US airport for writing a program that could "crack" ROT13 that was used in an application as security. Ah yes, here it is: Adobe and Sklyarov
"there's a tendency for American laws to be applied globally" - While that's true, not even the disgustingly anti-competitive DMCA forbids reverse engineering in cases like this.
"But it begs the question as to why this sort of thing isn't illegal" - It kinda is. The managers who ordered this ugliness might be charged with the felony of disrupting state infrastructure, which carries a light jail time in many parts of Europe, probably Poland too.
"Anyone remember Microsoft and CP/M-86?" - While I do hate all the shenanigans of Micro$oft it's still a private corporation and it didn't disable any government resources with their petty tricks. Which can't be said about this thing.
Malicious Compliance?
Dunno, Europe was the place where the diesel engine emissions hacks came from too. (Or were at least the first ones caught).
Maybe the corp officers just aren't as smart as they think they are and the coders are just letting nature take it's course.
When purchasing items require it to come with* a warranty** for an extended period of time, and be prepared for it to only work that long.
*If you have to purchase it separately it means the manufacturer doesn't fully trust it.
**Be sure to know how to use it too.
Well built products do not need warranties. I have a clothes dryer built long ago, before the internet. Parts to repair it are still available. I have replaced... motor, heating elements (twice), rear drum bearing (thrice), front drum glides, drive belt (twice), lint catching screen. It still does its job. It has no electronics. It does not spy.
I have other products in similar states. If they had warrantees, they long expired. I have replaced newer poorly designed appliances that failed with older used ones which can be repaired.
While that's true, this has blown up so big already (it made international news after all) that in no way would they make it even worse by attempting to punishing the hackers, especially now that the previous quasi-Nazi government of Poland has been replaced by its former opposition.
If the evidence will stand in court then Newag who did this will be in a sea of pain and those who ordered this might face criminal prosecution even. And no letters/press releases about imaginary hackers will help them. If this happened in the US it'd be an average Tuesday instead, corporations are almost untouchable there.