An unusual right-to-repair drama is disrupting railroad travel in Poland despite efforts by hackers who helped repair trains that allegedly were designed to stop functioning when serviced by anyone but Newag, the train manufacturer.
Members of an ethical hacking group called Dragon Sector, including Sergiusz Bazański and Michał Kowalczyk, were called upon by a train repair shop, Serwis Pojazdów Szynowych (SPS), to scrutinize train software in June 2022. SPS was desperate to figure out what was causing “mysterious failures” that shut down several vehicles owned by Polish train operator the Lower Silesian Railway, Polish infrastructure trade publication Rynek Kolejowy reported. At that point, the shortage of trains had already become “a serious problem” for carriers and passengers, as fewer available cars meant shorter trains and reduced rider capacity, Rynek Kolejowy reported.
Dragon Sector spent two months analyzing the software, finding that “the manufacturer’s interference” led to “forced failures and to the fact that the trains did not start,” and concluding that bricking the trains “was a deliberate action on Newag’s part.”
According to Dragon Sector, Newag entered code into the control systems of Impuls trains to stop them from operating if a GPS tracker indicated that the train was parked for several days at an independent repair shop.
The trains “were given the logic that they would not proceed if they were parked in a specific location in Poland, and these locations were the service hall of SPS and the halls of other similar companies in the industry,” Dragon Sector’s team alleged. “Even one of the SPS halls, which was still under construction, was included.”
The code also allegedly bricked the train if “certain components had been replaced without a manufacturer-approved serial number,” 404 Media reported.
In a statement, Newag denied developing any so-called “workshop-detection” software that caused “intentional failures” and threatened to sue Dragon Sector for slander and for violating hacking laws.
“Hacking IT systems is a violation of many legal provisions and a threat to railway traffic safety,” Newag said, insisting that the hacked trains be removed from use because they now pose alleged safety risks. Newag’s safety claims are still unsubstantiated, 404 Media reported.
“We categorically deny and negate Newag’s uploading of any functionality in vehicle control systems that limits or prevents the proper operation of vehicles, as well as limiting the group of entities that can supply maintenance or repair services,” Newag’s statement said. According to Newag, Dragon Sector’s report shouldn’t be trusted because it was commissioned by one of Newag’s biggest competitors.
Dragon Sector maintains that the evidence supports its conclusions. Bazański posted on Mastodon that “these trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.” In some cases, Bazański wrote, Newag “appeared to be able to lock the train remotely.”
Newag has said that “any remote intervention” is “virtually impossible.”
Lawsuit threats fails to silence hackers
Dragon Sector got the trains running after discovering “an undocumented ‘unlock code’ which you could enter from the train driver’s panel which magically fixed the issue,” Dragon Sector’s team told 404 Media.
Newag has maintained that it has never and will never “unveil into the software of our trains any solutions that direct to intentional failures.”
“We do not know who interfered with the train control software, using what methods and what qualifications,” Newag said. “We also notified the Office of Rail Transport about this so that it could infer to withdraw from service the sets subjected to the activities of unknown hackers.”
Dragon Sector and SPS have denied interfering with the train’s control systems.
While Newag has contacted authorities to probe the hacking, Janusz Cieszyński, Poland’s former minister of digital affairs, posted on X that the evidence appears to weigh against Newag.
“The president of Newag contacted me,” Cieszyński wrote. “He claims that Newag fell victim to cybercriminals and it was not an intentional action by the company. The analysis I saw indicated something else, but for the sake of clarity, I will write about everything.
Newag president Zbigniew Konieczek said that “no evidence was provided that our company intentionally installed the faulty software. In our opinion, the truth may be completely different—that, for example, the competition interfered with the software.”
Konieczek also accused Cieszyński of disseminating “false and highly harmful information about Newag.”
404 Media noted that Newag appeared to be following a common playbook in the right-to-repair world where manufacturers intimidate competitor repair shops with threatened lawsuits and unsubstantiated claims about safety risks of third-party repairs. So far, Dragon Sector does not appear intimidated, posting its success on YouTube and discussing its findings at Poland’s Oh My H@ck conference in Warsaw. The group is also planning “a more detailed presentation” for the 37th Chaos Communication Congress in Hamburg, Germany, at the end of December, The Register reported.
Because of the evidence gathered during their analysis, the Dragon Sector team has doubts about whether Newag will actually follow through with the lawsuit.
“Their defense line is really poor, and they would have no chance defending it,” Kowalczk told 404 Media. “They probably just want to sound scary in the media.”