
Newag: Difference between revisions

From Consumer Rights Wiki
No edit summary
m Mr Pollo moved page Newag backdoor to Newag without leaving a redirect: merging with article created by User:Michal.296
 
(16 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{Under Development|date=15 January 2025|stage=Writing|priority=Medium to Low}}
{{Incomplete}}
{{CompanyCargo
|Founded=1876
|Industry=Railway
|Type=Public
|Website=https://www.newag.pl/
|Description=The company produces locomotives and electric multiple unit powered rolling stocks.
|Logo=Newag Group logo.svg}}


'''Newag S.A.''' (pronounced ''"nevag"'') is a Polish company based in Nowy Sącz that specializes in the production, maintenance, and modernization of railway rolling stock.<ref>https://www.newag.pl/en/company/history/</ref>
'''{{wplink|Newag|Newag S.A.}}''' (pronounced ''"nevag"'') is a publicly traded<ref>https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012</ref> Polish company based in {{wplink|Nowy Sącz}} that specializes in the production, maintenance, and modernization of railway rolling stock.<ref>https://www.newag.pl/en/company/history/</ref> Their most notable products include: the families of electric locomotives '''Griffin'''<ref>https://www.newag.pl/en/offer/griffin/</ref><ref>https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/</ref> and '''Dragon''',<ref>https://www.newag.pl/en/offer/dragon/</ref> as well as the '''Impuls''' family of multiple units.<ref>https://www.newag.pl/en/offer/impuls/</ref>


== Backdoor Incident ==
==Anti-competitive practices==
In 2022, when maintenance was done on trains manufactured by '''Newag''', malicious code and backdoors were discovered which were found to make the trains break down after third-party repairs, prevent them from entering a competitors workshop and also stop working after a set amount of time standing still.<ref>https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com</ref> The investigation against '''Newag''' is still on-going.
In 2022, a regional Polish train operator commissioned a third-party repair service - '''SPS''' - to complete maintenance on Impuls trains<ref name=":0">https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/</ref>. The repair service could not, however, bring the trains to move despite them being in working order. This, alongside accusations of "interfering with the trains' security systems"<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227</ref> by Newag caused a tarnishing of SPS's reputation.<ref>https://www.youtube.com/watch?v=IXlYjgVpVIg</ref><ref name=":0" /> In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,<ref name=":0" /><ref>https://dragonsector.pl/</ref> after being hired by SPS, disclosed findings that a number of lock-up mechanisms were placed in the trains' software.<ref>https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref><ref>https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com</ref> These allegedly include:


== Sources ==
#'''A "lack of movement timer"''', which would disable the train after it has not moved for a set amount of time.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625</ref>
<references />
#'''Geofencing''' - the train would disable itself once it detects that it is in one of Newag's competitors' workshops.<ref>[https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1685 https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713]</ref><ref name=":1">https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref>
#'''Serializing''' the CAN bus extension device of the train, disabling it if a change in the CAN's serial number is detected.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814</ref>
#'''A date check,''' which would cause the train to lock up if it was not serviced by Newag before the 21st of November 2022, claiming compressor failure.<ref name=":2">https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891</ref>
 
The geofencing mechanism has later been shown to allegedly be the cause of disruptions on a connection serviced by Impuls trains, having them disable themselves when passing near one of the geofenced locations.<ref name=":1" /> The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.<ref name=":2" /><ref>https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2</ref><ref name=":3">https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html</ref>
 
Newag firmly denies any claims of wrongdoing, releasing multiple statements<ref name=":3" /> claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."<ref name=":4">https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/</ref> Newag claims they "have not, do not and will not introduce" any software locks.<ref name=":4" /> The statements also implied an attempt to "undermine Newag's market position".<ref name=":3" />
 
The investigation against Newag is still on-going.
 
==Incidents==
===2023 Anti-competition GPS and time based software lockups [https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ <nowiki>[1][pl]</nowiki>] [[Newag backdoor]]===
In December of 2023 white-hat hacker group Dragon Sector revealed their findings regarding Newag Impuls rolling stock malfunctions. They were employed by SPS Mieczkowski (Serwis Pojazdów Szynowych Mieczkowski) to investigate issues they were having regarding repair of Newag Impuls trains. After getting access to debug port, copying contents of management computer and reverse engineering the result code, they found multiple flags that were tripped from zeroed values. After correcting those and reinserting the computer to the train it have returned to normal function. Then they proceed with analysis of the code. In their findings they presented multiple instances of GPS coordinates that were pointing to the competing service companies. After detecting extended stay at these coordinates (10 days) the  train were to lock up and the only repair option was to send the train for service to producer facility. In the code of different computers the group also found parts serialization and arbitrary timed component malfunction. After these findings investigation and court case was initiated against the company and as of August 2025 they have not yet reached the conclusion.   
 
===2024 Lawsuit against SPS and Dragon Sector on grounds of copyright infringement  [https://www.ifixit.com/News/112008/polish-train-maker-is-suing-the-hackers-who-exposed-its-anti-repair-tricks <nowiki>[2][pl]</nowiki>][https://cyberdefence24.pl/polityka-i-prawo/newag-kontra-dragon-sector-i-sps-ruszyl-proces-o-naruszenie-praw-autorskich <nowiki>[3][pl]</nowiki>]===
In August of 2024 Newag Group launched lawsuit against SPS and Dragon Sector group. In this lawsuit Newag claims Dragon Sector exposed train passengers to danger by modifying code of train computer, while simultaneously claiming that Dragon Sector did not modify the code after reverse engineered it, in which case such action breaks the rule of EU Directive 2009/24/EC thus infringing on copyright of the software developed by Newag. As of August 2025 this lawsuit not yet reached the conclusion.
 
==See also==
{{Ph-C-SA}}
 
==References==
{{Reflist}}
[[Category:{{PAGENAME}}]]
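Review bot: the new "2023 Anti-competition GPS and time based software lockups" heading under ==Incidents== links to [[Newag backdoor]], but the edit summary says that page was moved to Newag without leaving a redirect, so the link no longer has a target. Drop it, and move the external links out of both Incidents headings into <ref> tags as the rest of the article does. Two smaller points in the same revision: the Geofencing ref links to #t=1685 while its label reads #t=1713, so pick one timestamp, and the Ars Technica ref still carries ?utm_source=chatgpt.com, which should be stripped.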

Latest revision as of 01:22, 17 August 2025

⚠️ Article status notice: This article has been marked as incomplete

This article needs additional work for its sourcing and verifiability to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.



Newag
Basic information
Founded 1876
Legal Structure Public
Industry Railway
Official website https://www.newag.pl/

Newag S.A. (pronounced "nevag") is a publicly traded[1] Polish company based in Nowy Sącz that specializes in the production, maintenance, and modernization of railway rolling stock.[2] Their most notable products include: the families of electric locomotives Griffin[3][4] and Dragon,[5] as well as the Impuls family of multiple units.[6]

Anti-competitive practices

In 2022, a regional Polish train operator commissioned a third-party repair service, SPS, to complete maintenance on Impuls trains.[7] The repair service could not, however, get the trains to move despite them being in working order. This, alongside accusations by Newag of "interfering with the trains' security systems",[8] tarnished SPS's reputation.[9][7] In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,[7][10] after being hired by SPS, disclosed findings that a number of lock-up mechanisms were placed in the trains' software.[11][12][13] These allegedly include:

  1. A "lack of movement timer", which would disable the train after it has not moved for a set amount of time.[14]
  2. Geofencing - the train would disable itself once it detects that it is in one of Newag's competitors' workshops.[15][16][17]
  3. Serializing the CAN bus extension device of the train, disabling it if a change in the CAN's serial number is detected.[18]
  4. A date check, which would cause the train to lock up if it was not serviced by Newag before the 21st of November 2022, claiming compressor failure.[19]

The geofencing mechanism was later alleged to be the cause of disruptions on a connection serviced by Impuls trains, with the trains disabling themselves when passing near one of the geofenced locations.[16] The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.[19][20][21]
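Recurring windows of this shape are what a date test yields when year, month and day are each compared on their own rather than as one ordered date. The sketch below is an added illustration, not code from the trains or from Dragon Sector: the field-wise form of the check is an assumption chosen because it reproduces the windows stated above, the threshold is the 21 November 2022 date given in the list, and all function names are hypothetical.

```python
from datetime import date, timedelta

# Threshold date as given in the article: 21 November 2022.
THRESHOLD = date(2022, 11, 21)

def fieldwise_check(d: date) -> bool:
    """Assumed buggy form: every field is compared independently."""
    return (d.year >= THRESHOLD.year
            and d.month >= THRESHOLD.month
            and d.day >= THRESHOLD.day)

def ordered_check(d: date) -> bool:
    """'On or after the threshold' as a single ordered comparison."""
    return d >= THRESHOLD

def true_windows(check, start: date, end: date):
    """Return [(first_day, last_day)] runs in [start, end] where check() holds."""
    windows, run_start, prev = [], None, None
    d = start
    while d <= end:
        if check(d):
            if run_start is None:
                run_start = d
            prev = d
        elif run_start is not None:
            windows.append((run_start, prev))
            run_start = None
        d += timedelta(days=1)
    if run_start is not None:
        windows.append((run_start, prev))
    return windows

if __name__ == "__main__":
    span = (date(2022, 1, 1), date(2024, 1, 31))
    for name, fn in (("field-wise", fieldwise_check), ("ordered", ordered_check)):
        print(name)
        for first, last in true_windows(fn, *span):
            print("   locked", first, "through", last)
```

When auditing recovered control logic, a date condition built from separate field comparisons is worth testing across month and year boundaries in this way, since it fires on a repeating schedule rather than once.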

Newag firmly denies any claims of wrongdoing, releasing multiple statements[21] claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."[22] Newag claims they "have not, do not and will not introduce" any software locks.[22] The statements also implied an attempt to "undermine Newag's market position".[21]

The investigation against Newag is still ongoing.

Incidents

2023 Anti-competition GPS and time-based software lockups [1][pl] Newag backdoor

In December of 2023 the white-hat hacker group Dragon Sector revealed their findings regarding Newag Impuls rolling stock malfunctions. They were employed by SPS Mieczkowski (Serwis Pojazdów Szynowych Mieczkowski) to investigate issues the company was having with the repair of Newag Impuls trains. After getting access to the debug port, copying the contents of the management computer and reverse engineering the resulting code, they found multiple flags that had been tripped from zeroed values. After they corrected those and reinserted the computer into the train, it returned to normal function. They then proceeded with analysis of the code. In their findings they presented multiple instances of GPS coordinates that pointed to competing service companies. After detecting an extended stay at these coordinates (10 days), the train was to lock up, and the only repair option was to send the train for service at the producer's facility. In the code of different computers the group also found parts serialization and arbitrary timed component malfunction. Following these findings, an investigation and a court case were initiated against the company; as of August 2025 they have not yet reached a conclusion.

2024 Lawsuit against SPS and Dragon Sector on grounds of copyright infringement [2][pl][3][pl]

In August of 2024 Newag Group launched a lawsuit against SPS and the Dragon Sector group. In this lawsuit Newag claims that Dragon Sector exposed train passengers to danger by modifying the code of the train computer, while simultaneously claiming that Dragon Sector did not modify the code after reverse engineering it, in which case such action breaks the rules of EU Directive 2009/24/EC, thus infringing on the copyright of the software developed by Newag. As of August 2025 this lawsuit has not yet reached a conclusion.


References

  1. https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012
  2. https://www.newag.pl/en/company/history/
  3. https://www.newag.pl/en/offer/griffin/
  4. https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/
  5. https://www.newag.pl/en/offer/dragon/
  6. https://www.newag.pl/en/offer/impuls/
  7. https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/
  8. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227
  9. https://www.youtube.com/watch?v=IXlYjgVpVIg
  10. https://dragonsector.pl/
  11. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691
  12. https://social.hackerspace.pl/@q3k/111528162462505087
  13. https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com
  14. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625
  15. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713
  16. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293
  17. https://social.hackerspace.pl/@q3k/111528162462505087
  18. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814
  19. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891
  20. https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2
  21. https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html
  22. https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/