Statement and more information from the German CCC, alias Chaos Computer Club, a civil rights organization of software tinkerers and computer experts:

https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleist

By the way: the train manufacturer is suing the people who exposed this, and the CCC is collecting donations for their legal support; details are on the page linked above.

  • A_norny_mousse@feddit.org · 35 upvotes · 18 hours ago

    It’s a bit of a read, but Jesus in a jar, what a dumpster fire. Trumpian levels of stupidity & deceit, piled to the ceiling.

    Imagine, they sued SPS for $3 million, for fixing their fuckups.

    Back in 2022, members of Dragon Sector were called in by a train repair shop Serwis Pojazdów Szynowych (SPS) to work out why its trains were refusing to run. Digging into the code revealed a software trap that would disable trains if they were anywhere near a repair facility that wasn’t run by the manufacturer, Newag. But Newag used a pretty inaccurate way to determine when the trains were in a rival repair shop, which led to some unexpected consequences.

    The original version of the locking mechanism seems to have counted how many days a train sat out of use. If it exceeded a time limit (originally ten days), it locked up the train.

    This lock got triggered in the first few trains serviced by SPS (which had no idea what was really happening), and Newag claimed that the trains had locked up because the repair techs had broken something.

    A few weeks later, two more trains were waiting to be sent to SPS (because the SPS storage facilities were full of locked-up trains). After SPS freed up some space, train owner Koleje Dolnośląskie found that they didn’t start anymore either, showing exactly the same symptoms as those that locked up at SPS. At this point, Michał Kowalczyk of Dragon Sector tells us, Newag’s version of events started to look suspicious. They said that the trains at SPS broke down because of faulty servicing. But these newly locked trains never even got near SPS, and they’d locked up in exactly the same way.

    These two trains were subsequently repaired by Newag, but without revealing what they had actually fixed. When the Dragon Sector team analyzed them afterwards, they discovered that the locking system had been updated to wait for 21 days instead of ten.

    And it gets better. Newag also added a new GPS component. This would check whether trains were near known workshop locations before disabling the trains. And of course, this trick also backfired. Newag ships slightly different software for each manufactured “batch”, so effectively each owner gets slightly different trains. And one batch of the 45WE EMU (electric multiple unit, the kind of train that doesn’t have a separate engine up front to pull the passenger cars), would switch off automatically when passing through the Mińsk Mazowiecki railway station. Trains full of passengers were left stranded.

    You can probably guess what happened next. Newag not only denied that it had added such software, but claimed that it had been added by hackers, hinting that those hackers had done it on behalf of a rival company.
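The comment above describes two trigger conditions: a counter of days the train sits idle (first 10, later 21) and a GPS check for being "near" a workshop that was too inaccurate and fired at a railway station. The following is an added illustration, not Newag's code and not Dragon Sector's analysis: it models such a lock as an idle-day threshold plus a geofence, and contrasts a coarse rectangle test with a precise distance test to show how a coarse check trips on a location that is nowhere near the workshop. All coordinates, the rectangle size, the radius and the station are constructed for the example; the page does not say which geometry the real check used.

```python
"""Model of a service-lock trigger: idle-day counter plus a GPS geofence.

Added example, not code from the original thread or from the manufacturer.
Every coordinate below is constructed; none is a real workshop or station.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Axis-aligned lat/lon rectangle: a coarse 'near a workshop' test."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return (self.lat_min <= lat <= self.lat_max
                and self.lon_min <= lon <= self.lon_max)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def idle_lock(days_idle: int, threshold_days: int) -> bool:
    """Counter-based trigger: lock once the train sat idle longer than the threshold."""
    return days_idle > threshold_days


def coarse_geofence_lock(lat: float, lon: float, boxes: list[Box]) -> bool:
    """Rectangle-based trigger: 'near a workshop' if inside any box."""
    return any(b.contains(lat, lon) for b in boxes)


def precise_geofence_lock(lat: float, lon: float,
                          workshops: list[tuple[float, float]],
                          radius_km: float) -> bool:
    """Distance-based trigger: 'near a workshop' only within radius_km of one."""
    return any(haversine_km(lat, lon, wlat, wlon) <= radius_km
               for wlat, wlon in workshops)


# Constructed scenario (hypothetical coordinates, not real locations):
# one rival workshop and a coarse box drawn generously around it.
WORKSHOPS = [(52.00, 21.00)]
COARSE_BOXES = [Box(lat_min=51.90, lat_max=52.20, lon_min=20.90, lon_max=21.60)]
RADIUS_KM = 2.0

# A busy station that happens to fall inside the oversized box
# but is tens of kilometres from the workshop.
STATION = (52.18, 21.55)


def lock_decisions(days_idle: int, lat: float, lon: float,
                   threshold_days: int) -> dict:
    """Evaluate every trigger for one train state and return the verdicts."""
    return {
        "idle": idle_lock(days_idle, threshold_days),
        "coarse_gps": coarse_geofence_lock(lat, lon, COARSE_BOXES),
        "precise_gps": precise_geofence_lock(lat, lon, WORKSHOPS, RADIUS_KM),
        "km_to_nearest_workshop": round(
            min(haversine_km(lat, lon, w[0], w[1]) for w in WORKSHOPS), 1),
    }


if __name__ == "__main__":
    # Same train, same station, old and new idle thresholds from the story.
    for threshold in (10, 21):
        print(threshold, lock_decisions(15, *STATION, threshold))
```

Running it shows the two failure modes side by side: with the original 10-day threshold a train that stood idle for 15 days (for instance, waiting for a workshop slot) locks on the counter alone, while raising the threshold to 21 no longer locks it; and the coarse rectangle reports the station as "near a workshop" although the precise distance check, at roughly 43 km from the nearest one, does not. A geofence that was meant to catch a rival workshop instead stops a train full of passengers because the box was drawn too large.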

  • eee (they/them)@lemmy.dbzer0.com · 33 upvotes · 18 hours ago

    Fuck Newag. I hope they lose and have to pay huge fines in return for even writing software like that and imho endangering passengers for money. Imagine the train locking in full speed while approaching a curve. Or at an intersection where a car broke down and the conductors can’t brake. Arseholes.

    • splendoruranium@infosec.pub · 10 upvotes · 17 hours ago

      Fuck Newag. I hope they lose and have to pay huge fines in return for even writing software like that and imho endangering passengers for money. Imagine the train locking in full speed while approaching a curve. Or at an intersection where a car broke down and the conductors can’t brake. Arseholes.

      I have strong opinions on the efficacy of fines in this context and had a long and snarky comment all laid-out but I don’t think that would be fair to you. Let’s just agree on the “Fuck Newag”-part, I suppose.

      • eee (they/them)@lemmy.dbzer0.com · 6 upvotes · 14 hours ago

        Thank you kindly, stranger! It wouldn’t surprise me though if we shared one view or another, I’m aware that corporations and rich people either find a way out of paying fines or that those fines are a set amount instead of a percentage of their wealth, which will always be devastating to poor folks and barely a scratch to the financially unchallenged.

  • HaraldvonBlauzahn@feddit.org (OP) · 98 upvotes · edited · 23 hours ago

    It is not only trains. In Germany, some hearing aid manufacturers are now adding codes that allow repairs to be done only by a specific shop. Since the device is paid for and owned by the wearer, this should be illegal.

  • melsaskca@lemmy.ca · 8 upvotes · 17 hours ago

    They should sue the faucet manufacturers who replaced the cheap rubber washer with a “cartridge”. That shit affects way more people. The capitalism plan of reselling, rather than repairing, is a major reason why we are in the mistrustful state we are in. Go ethical hackers!