1. Background
- The story involves Impuls 45WE trains, popular in Poland, managed by the local operator Koleje Dolnośląskie.
- Eleven trains bought about seven years ago began needing maintenance after reaching about one million kilometers.
- An independent workshop won the servicing tender over the manufacturer due to lower costs.
- After servicing, trains would not start despite no error messages; brakes released but no movement occurred.
- The workshop struggled for months and contacted the manufacturer, which blamed the workshop.
- Finally, the workshop hired Polish hackers, including Michał Kowalczyk and team, to analyze the software problems under a tight 3-month deadline.
2. Technical Investigation
- Focused on power inverters and Programmable Logic Controllers (PLCs), which control motor functions.
- PLCs run specialized firmware on TriCore CPUs and are programmed via graphical block diagrams; no source code was available.
- Firmware was extracted via an undocumented debugging protocol using default credentials.
- Multiple versions of firmware existed on different trains.
- Firmware analysis uncovered hidden functionality locking trains after servicing by unauthorized workshops.
- Found hard-coded geographical coordinates of competitor workshops embedded in software.
- Locking triggered by:
  - Time since last authorized service (initially 10 days, later 21).
  - Serial number mismatches of replaced components.
  - Odometer verification inconsistencies.
  - Geolocation-based locking in competitor workshop areas.
  - Special date-based lock/unlock cycles.
- A secret undocumented button combination on the driver panel resets locks, indicating intentional sabotage.
3. Outcomes and Reactions
- The hackers managed to unlock the trains hours before the contract cancellation deadline.
- Manufacturer denied knowledge of locking code, later sued the hackers for copyright infringement.
- Public exposure followed, including media coverage and parliament meetings.
- Manufacturer accused independent workshops of poor quality and claimed exclusive servicing rights despite contract terms.
- Workshop directors revealed similar cases where they paid manufacturer fees for train unlocking without explanation.
- Legal investigations launched by prosecutor, anti-monopoly office, and anti-corruption bureau.
- Manufacturer filed multiple lawsuits, including defamation against an MP supporting the case.
- Court proceedings ongoing, slow and complex due to the technical nature of the evidence.
- Trains continue to be locked following servicing in competitor workshops; the problem remains unresolved.
4. Key Actionable Items & Tasks
- Continued legal defense in multiple court cases related to copyright and defamation.
- Ongoing expert analysis of firmware dumps to prove existence and function of locking software.
- Monitoring for new incidents of train lockups after servicing.
- Raising public and official awareness to pressure regulatory intervention.
- Encouraging transparency and accountability from train manufacturer and maintenance policies.
- Investigation and regulation of manufacturer’s servicing monopoly claims.
- Outreach to and protection of independent workshops servicing these trains.
Locks in Newag trains - from DRM to lawsuits
14:30 - 15:10, 27th of May (Tuesday) 2025 / DEV TRENDS STAGE
This talk will tell the story of finding malicious software installed in Newag trains, which locked up the trains after detecting third-party servicing. We analyzed the software, found a secret unlocking button combination, unlocked the trains... and then got sued.
The unlocking story is already known quite well, so the talk will also include an update on the current legal proceedings.
The talk won't require deep technical knowledge from the audience.
LEVEL:
Basic
Advanced
Expert
TRACK:
Cybersecurity
Dev Software
TOPICS:
Cybersecurity
SoftwareEngineering