A trio of Polish security researchers have uncovered a shocking revelation: trains built by Newag SA, a Polish train maker, contain software that sabotages them if the hardware is serviced by competitors.
The researchers, known by their pseudonyms q3k, mrtick, and redford, are members of Dragon Sector, a Polish hacking team. They were hired by Serwis Pojazdów Szynowych (SPS), an independent train maintenance firm, to investigate problems with Newag Impuls 45WE trains. SPS had won a contract to maintain the trains, beating Newag. However, they encountered difficulties servicing the rolling stock following a software lockout.
According to one of the researchers, Bazański (q3k), the trains locked up for no apparent reason after being serviced in third-party workshops. He wrote, “We found that the PLC [programmable logic controller] code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn’t running for a given time”. They also claimed to have found an undocumented key combination in the cabin controls that would unlock the trains.
Newag, on the other hand, has emphatically denied these allegations. In a statement, the company attributed any issues to unknown hackers. They insisted that their software is correct and that they did not design the trains’ programming logic to fail under specific conditions. “This is a slander from our competition, which is conducting an illegal black PR campaign against us,” the company protested.
The researchers discussed their findings at the Oh My H@ck conference in Warsaw, Poland. They are also preparing a more detailed presentation they intend to deliver at the 37th Chaos Communication Congress in Hamburg, Germany, at the end of the month. CERT Poland confirmed that the team had disclosed their findings and that the cybersecurity agency had alerted the relevant authorities.
This incident has raised several important questions about the ethics of software design and the responsibilities of manufacturers. It also highlights the importance of independent security research in uncovering potential issues and holding companies accountable. As the story unfolds, it will be interesting to see how the tech industry and regulatory bodies respond to these revelations. The implications of this case could have far-reaching effects on how software is designed and regulated in the future.
Relevant articles:
– Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them
– Polish train maker denies claims it geofenced trains
– Polish train maker denies claims its software bricked rolling stock …
– Manufacturer’s secret code caused trains to lock up on purpose.