Newag

History

2023: Installation in trains of software that disables the composition during repairs from competitors

In early December 2023, accusations were made against Polish train manufacturer Newag SA that the company was deliberately loading software into the onboard system of its trains that would disable them in the event of maintenance from competitors. The issue affects Newag Impuls 45WE trains in particular.

According to The Register, the contract for servicing Newag trains was won by Serwis Pojazdów Szynowych (SPS). However, when working with Impuls 45WE electric trains, SPS specialists faced unexpected obstacles: the cars refused to start for no apparent reason. In May 2022, SPS asked for help from "white" hackers from the Dragon Sector group, which includes Jakub Stępniewicz, Sergiusz Bazański and Michał Kowalczyk. Researchers conducted reverse engineering of the train electronics and in August 2022 reported that they identified the cause of the "malfunction." It turned out that a special function is built into the on-board software code, which prevents third-party companies from maintaining or repairing.

Newag SA accuses of deliberately loading software into the onboard system of its trains, which disables them in the event of maintenance from competitors

We found that the programmable logic controller code contains directives that block the train with dummy errors, the researchers say.

It is noted that blocking can be initiated in response to certain events, for example, upon the onset of a particular date or if the composition is in idle mode for a long time. In addition, a GPS link to Newag SA repair sites was found in one of the controllers. The manufacturer itself denies the accusations, stating that the on-board software of the trains does not contain the blocking function, and possible problems may be associated with hacker attacks.^[1]

Notes