You've probably already heard the story: we got contracted to analyze a bunch of trains breaking down after being serviced by independent workshops. We reverse engineered them and found code which simulated failures when they detected servicing attempts. We presented our findings at 37C3… and then shit hit the fan.

We've all been there: the trains you're servicing for a customer suddenly brick themselves and the manufacturer claims that's because you've interfered with a security system.

This talk will tell the story of a series of Polish EMUs (Electric Multiple Unit) that all refused to move a few days after arriving at an “unauthorized” service company. We'll go over how a train control system actually works, how we reverse-engineered one and what sort of magical “security” systems we actually found inside of it.

Reality sometimes is stranger than the wildest CTF task. Reality sometimes is running unlock.py on a dozen trains.