Polish Train Maker Is Suing the Hackers Who Exposed Its Anti-Repair Tricks
Remember back in 2023 when hackers exposed (and fixed) malicious anti-repair software in Polish trains? Well, it turns out that the manufacturer, Newag, is at it again.
Just last month, three new trains got locked up in Poland. Newag initially refused to unlock them but relented in the end. But it gets worse. Much worse. Newag has now sued both the Polish repair service SPS that fixed those original trains, and has also gone after the individual members of ethical hacking group Dragon Sector, who studied the trains’ software and discovered Newag’s anti-repair measures. In total, the two lawsuits seek the equivalent of over $3 million USD.
Back in 2022, members of Dragon Sector were called in by a train repair shop Serwis Pojazdów Szynowych (SPS) to work out why its trains were refusing to run. Digging into the code revealed a software trap that would disable trains if they were anywhere near a repair facility that wasn’t run by the manufacturer, Newag. But Newag used a pretty inaccurate way to determine when the trains were in a rival repair shop, which led to some unexpected consequences.
The original version of the locking mechanism seems to have counted how many days a train sat out of use. If it exceeded a time limit (originally ten days), it locked up the train.
