Ethical hackers reveal alleged ‘sabotage’ software in Polish trains by manufacturer Newag


An unusual right-to-repair dispute is disrupting Polish train travel. Hackers, however, have stepped in to help, aiming to fix trains that reportedly stop working when serviced by anyone other than their manufacturer, Newag.

A train repair shop, Serwis Pojazdów Szynowych (SPS), seeking to rectify “mysterious failures” that shut down several vehicles owned by the Lower Silesian Railway, solicited help from an ethical hacking group, Dragon Sector. By June 2022 these train faults had already resulted in transport issues and reduced rider capacity, the infrastructure trade publication Rynek Kolejowy stated.

Initial Findings

Dragon Sector spent two months investigating the software and concluded that the trains' "forced failures", after which they would not restart, were deliberate: the group attributed them directly to intervention by the manufacturer.

Dragon Sector claims that Newag built code into the control systems of its Impuls trains that shuts them down if the onboard GPS shows the train has sat at an independent repair shop for several days.

The Code’s Logic

The team revealed, “Trains would halt if they were parked in specific Polish locations.” The coded locations allegedly corresponded to the service halls of SPS and similar businesses; “even one of the SPS service halls still under construction was included.” The team also found that the code would stop the train if certain components had been replaced with parts lacking a manufacturer-approved serial number.

In response, Newag denied having created any “workshop-detection” software or causing “intentional failures”, and threatened to sue Dragon Sector for slander and for violating hacking laws.

Newag’s Response

The company contends that the hacking is a blatant violation of the law and jeopardizes railway safety, and insisted that the hacked trains be withdrawn from service because of the safety risks it alleges. 404 Media reported, however, that Newag has not substantiated those safety claims.

Newag’s statement denies that it built any functionality into its vehicle control systems that obstructs the proper operation of the vehicles or limits which companies can perform maintenance or repairs. The company also argues that Dragon Sector’s report is not credible because it was commissioned by one of Newag’s major rivals.

Dragon Sector’s Stance

Dragon Sector insists that their findings are supported by the evidence. Sergiusz Bazański expressed on Mastodon that “these trains were locking up for unknown reasons after being serviced at third-party workshops.” In some instances, he stated, Newag “seemed to be able to remotely immobilize the train.”

Newag, on the other hand, denies these allegations, stating that any form of remote interference is “essentially implausible.”

Unlocking The Mystery

Dragon Sector disclosed that they were able to get the trains running again after discovering “an undocumented ‘unlock code’, which could be entered from the train driver’s panel, and it astonishingly rectified the issue.”
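To make the mechanism described under The Code’s Logic and the unlock code above concrete, the following Python model is an added illustration (not code from the article, from Dragon Sector, or from Newag) of the behaviour as the article describes it: a geofence dwell timer around third-party service halls, a component serial-number allow-list, and an unlock entered from the driver’s panel. Every coordinate, radius, day threshold, serial number and unlock code in it is a constructed placeholder, not a value from the report.

```python
"""Illustrative model of the lockout logic the article describes.  Every
coordinate, radius, threshold, serial number and unlock code here is a
constructed placeholder, not a value from the Dragon Sector report."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed geofences: (label, latitude, longitude, radius in metres).
SERVICE_HALLS = [
    ("third_party_hall_1", 52.2300, 21.0100, 250.0),
    ("third_party_hall_2", 51.1100, 17.0300, 250.0),
]
DWELL_THRESHOLD_DAYS = 3                     # "several days"; exact value assumed
APPROVED_SERIALS = {"INV-0001", "INV-0002"}  # constructed manufacturer allow-list
UNLOCK_CODE = "1234"                         # placeholder for the undocumented code


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    earth_radius = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius * asin(sqrt(a))


def hall_at(lat: float, lon: float) -> Optional[str]:
    """Return the label of the geofence containing the GPS fix, or None."""
    for label, hlat, hlon, radius in SERVICE_HALLS:
        if haversine_m(lat, lon, hlat, hlon) <= radius:
            return label
    return None


@dataclass
class TrainState:
    locked: bool = False
    reason: str = ""
    dwell_days: int = 0
    current_hall: Optional[str] = None


def daily_position_check(state: TrainState, lat: float, lon: float) -> TrainState:
    """One tick per day: count consecutive days parked inside the same
    geofence and immobilise the train once the threshold is reached."""
    hall = hall_at(lat, lon)
    if hall is None or hall != state.current_hall:
        state.current_hall = hall
        state.dwell_days = 1 if hall else 0
    else:
        state.dwell_days += 1
    if state.current_hall and state.dwell_days >= DWELL_THRESHOLD_DAYS and not state.locked:
        state.locked = True
        state.reason = f"parked at {state.current_hall} for {state.dwell_days} days"
    return state


def component_replaced(state: TrainState, serial: str) -> TrainState:
    """Lock if a replaced part's serial is not on the manufacturer list."""
    if serial not in APPROVED_SERIALS and not state.locked:
        state.locked = True
        state.reason = f"unapproved component serial {serial}"
    return state


def driver_panel_unlock(state: TrainState, code: str) -> bool:
    """Model of the undocumented unlock entered from the driver's panel."""
    if code != UNLOCK_CODE:
        return False
    state.locked = False
    state.reason = ""
    state.dwell_days = 0
    return True


def simulate(fixes, serials=(), unlock_attempts=()) -> TrainState:
    """Run daily GPS fixes, then part swaps, then unlock attempts."""
    state = TrainState()
    for lat, lon in fixes:
        daily_position_check(state, lat, lon)
    for serial in serials:
        component_replaced(state, serial)
    for code in unlock_attempts:
        driver_panel_unlock(state, code)
    return state


if __name__ == "__main__":
    # Three days inside a fenced hall: the train locks on day 3.
    s = simulate([(52.2301, 21.0101)] * 3)
    print(s.locked, s.reason)
    # The same three days at an unfenced siding: nothing happens.
    print(simulate([(50.0600, 19.9400)] * 3).locked)
```

Running the block directly shows the two scenarios side by side: the same three-day stay locks the train inside a fenced hall and does nothing at an unfenced siding, and the lock only trips days after the service visit. That combination is what makes such a fault look like an intermittent hardware problem rather than a software decision, which is consistent with the "mysterious failures" the repair shop originally reported.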

Newag reaffirmed that it has never introduced, and never will introduce, any functionality into its train software that induces intentional failures. The company also said it does not know who interfered with the train control software, and noted that it has notified the Office of Rail Transport about the matter.

The Ongoing Debate

While Newag has called for an investigation into the alleged hacking, Janusz Cieszyński, Poland’s former minister of digital affairs, commented on X that the evidence seemingly goes against Newag. Newag’s president, Zbigniew Konieczek, retorted that “no tangible evidence has been put forth to indicate that our company intentionally installed the faulty software.”

404 Media suggests that Newag is following a familiar pattern in right-to-repair disputes, in which manufacturers threaten competing repair shops with lawsuits and make baseless claims about the safety risks of third-party repairs. Dragon Sector appears undeterred: the group is documenting its work on YouTube, discussing its findings at conferences, and planning “a more detailed presentation” for an event in Hamburg, Germany. Given the evidence gathered during its analysis, the Dragon Sector team doubts that Newag will actually proceed with a lawsuit.

“Their defense is really weak, and they would stand no chance of defending it,” said Michał Kowalczyk from Dragon Sector. “They, in all likelihood, just attempt to appear intimidating through media claims.”

John Biggs

John Biggs is an entrepreneur, consultant, writer, and maker. He spent fifteen years as an editor for Gizmodo, CrunchGear, and TechCrunch and has a deep background in hardware startups, 3D printing, and blockchain. His work has appeared in Men’s Health, Wired, and the New York Times.

