Hackers discover code from train company that intentionally causes problems with third-party fixes – Planet

In June 2022, ethical hacking group Dragon Sectorm was recruited by the railway vehicle repair shop Serwis Pojazdów Szynowych (SPS) to examine train software that was malfunctioning under strange circumstances. According to trade publication Rynek Kolejowy, the shortage of running trains has become a serious problem for both passengers and operators.

After two months of analyzing the software, the Dragon Sector team discovered that Newag had inserted code that intentionally caused malfunctions if repairs were performed at independent shops rather than Newag itself.

Specifically, Dragon Sector alleges that Newag added code that disabled trains if a GPS tracker indicated that a vehicle had remained at non-Newag facilities for several days. The code also appears to have stopped trains if parts were changed without Newag’s express approval.

Newag strongly denies using so-called “workshop detection tricks”, and threatens to take legal action against Dragon Sector for alleged defamation and illegal hacking. Newage also insists that the repaired trains now pose safety risks and must be withdrawn. Dragon Sector stands by its findings, which were obtained on behalf of Newag’s competitor SPS.

Dragon Sector finally activated the trains after finding an unlock code that wasn’t in any documents. Newag claims that it has never introduced intentional fail-safe systems into its software. Both Dragon Sector and SPS deny allegations of tampering with control systems.

While Newaj urges authorities to investigate, Poland’s former Minister of Digital Policy published a post suggesting that the facts appear to contradict Newaj’s account. Newag’s president claims the company was merely a victim of cybercriminals.

The Dragon Sectors pirates believe that Newag just wants to appear formidable, even though he occupies an untenable position. So far, the ethical hacking team doesn’t seem to be deterred, presenting their work at conferences and on YouTube.

The case is still ongoing. But early evidence suggests the Polish train maker was aiming to limit third-party repair rights, a well-known intimidation tactic used by manufacturers across the industry.