Poland: hackers used to unblock trains?
In Poland, train manufacturer Newag is taking legal action against a maintenance company which was able to unlock the on-board computers of its trains thanks to hackers. According to the hackers, these trains were locking up for arbitrary reasons after being serviced at third-party workshops.
A curious story recently unfolded in Poland. To understand it, it helps to follow the steps from the outset:
1) New vehicles are purchased by operator X for a regional contract, and the manufacturer is awarded the maintenance contract. All is as usual.
2) Operator X does not get its contract extended and sells the vehicles to successor Y.
3) Successor Y takes over the fleet but decides to award the maintenance contract to another company rather than the manufacturer: Serwis Pojazdów Szynowych (SPS). This is where the problems start.
Hackers to solve the problem
According to Rynek Kolejowy, Newag’s trainsets “suddenly came to a standstill” in 2022 in several parts of the country. To unblock them, the maintenance company called in hackers, and the trains are running again. At the beginning of December 2023, a group of hackers called Dragon Sector told a specialist conference called “Oh My H@ck” that they had carried out “an analysis that lasted two months (on behalf of the maintenance company). After that period, we were able to unblock the trains.”
Dragon Sector explains on its website: “We found that the PLC code contained logic that would lock up the train with bogus error codes after some date, or if the train wasn’t running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third-party workshops. It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.”
Manufacturers and maintainers are now accusing each other of ‘provoking’ downtime and manipulating on-board software, according to Rynek Kolejowy. It is now very difficult to tell the difference. The manufacturer – which is invoking the security of its products and ownership of the onboard software – now intends to lodge a complaint against the maintenance company and its group of hackers.
Many other small operators in Germany, Sweden and the Netherlands, for example, have not identified such problems. Of course, it all depends on what they have signed. In this respect, it will be interesting to see how things work with other operators. It would seem that the bargaining power of an operator makes all the difference. SNCF, for example, reportedly makes a lot of demands in its contracts: it wants the source code, the configuration tools and the training documents for using these tools if the manufacturer goes out of business. Not all operator customers can afford this level of demand.
This Polish example is also reminiscent of a dispute that took place in Augsburg, Germany. The operator Go-Ahead had signed a contract with manufacturer Stadler but decided to have the maintenance carried out by TMH, a Russian company. According to Railway Gazette, Stadler then raised concerns about the potential for industrial espionage. The war in Ukraine came at the start of the contract and, as a result of European sanctions, the TMH site was sold to a new Swiss owner. In Poland, the regulator now has the case in hand.