Hackers Uncover Trains That Are Built To Fail If Independently Repaired
Photo: Monika Skolimowska/picture alliance via Getty Images (Getty Images)
Right to Repair is a major issue in cars, where automakers do everything they can to prevent independent shops from being able to fix new vehicles — forcing owners back to dealerships for service. But cars, it seems, have it easy. Hackers out of Poland found that trains get far, far worse.
The 2024 Jaguar F-PACE SVR Is Unbelievably Loud
A Polish train repair company called SPS had a longstanding issue with the Impuls series of trains from manufacturer Newag. When the company serviced those trains, they all shut down and refused to start — not from mechanical issues, but from electronic problems. SPS consulted the hacker group Dragon Sector, who found that this was intentional functionality from Newag. Dragon Sector spoke with 404 Media, and had this to say:
The hiring of Dragon Sector was a last resort: “In 2021, an independent train workshop won a maintenance tender for some trains made by Newag, but it turned out that they didn’t start after servicing,” Dragon Sector told me. “[SPS] hired us to analyze the issue and we discovered a ‘workshop-detection’ system built into the train software, which bricked the trains after some conditions were met (two of the trains even used a list of precise GPS coordinates of competitors’ workshops). We also discovered an undocumented ‘unlock code’ which you could enter from the train driver’s panel which magically fixed the issue.”
…
“These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties,” Bazański, who goes by the handle q3k, posted on Mastodon. “After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the human machine interface detected a subset of conditions that should’ve engaged the lock but the train was still operational. The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.”
The line about copyright stands out, because that’s the only real enforcement available to manufacturers. OEMs own copyrights on their code, and claim that repairers are altering it — tampering with their intellectual property. But when the code tells an entire train to shut down, putting it out of service and interfering with the lives of commuters, can you really blame anyone for tampering?