A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors.
Newag, a Polish train maker, emphatically denied that it installed such software in a statement [PDF, Polish] issued Wednesday, attributing any issues to unknown hackers.
The rolling stock and engineering business insists its software is correct and that it did not design the trains’ programming logic to fail under specific conditions, as has been claimed. “This is a slander from our competition, which is conducting an illegal black PR campaign against us,” it protested.
Jakub Stępniewicz, Sergiusz Bazański and Michał Kowalczyk – members of Dragon Sector, a Polish security hacking team who go by the names q3k, mrtick, and redford respectively – were hired in May 2022 by Serwis Pojazdów Szynowych (SPS), an independent train maintenance firm, to look into problems with Newag Impuls 45WE trains.
SPS bid for and won a contract to maintain the trains, beating Newag, according to Polish industry publication Rynek Kolejowy.
SPS then encountered difficulties servicing the rolling stock following a software lockout. According to Bazański (q3k), the trains locked up for no apparent reason after being serviced in third-party workshops. He wrote in a thread on Mastodon that the manufacturer, Newag, argued that these third-party repair shops were deficient and that the manufacturer should be servicing its own trains.
The security researchers reverse engineered the train’s electronics and, in August 2022, found that the train-stopping faults appeared to be not a flaw but a feature.
“We found that the PLC [programmable logic controller] code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn’t running for a given time,” Bazański wrote. “One version of the controller actually contained GPS coordinates to contain the behavior to third-party workshops.”
They also claimed to have found an undocumented key combination in the cabin controls that would unlock the trains. On Tuesday, the researchers discussed their findings at the Oh My H@ck conference in Warsaw, Poland.
The unrecorded talk was documented by infosec writer BadCyber, to whose account the hacking trio referred The Register. They are also preparing a more detailed presentation they intend to deliver at the 37th Chaos Communication Congress in Hamburg, Germany, at the end of the month.
CERT Poland confirmed to The Register that the team had disclosed their findings and that the cyber security agency had alerted relevant authorities. That was more than a year ago, and The Register understands that the ongoing lack of action is partly what motivated the researchers to go public with their findings.
Janusz Cieszyński, Poland’s former minister of digital affairs, has since explained on social media that the president of Newag contacted him to say that the firm had been victimized by cyber criminals. Cieszyński added that the analysis he saw suggested otherwise.