Newag: Difference between revisions

From Consumer Rights Wiki
Removed dead link.
Tempo123 (talk | contribs)
References: Archive
 
(6 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Incomplete}}
{{CompanyCargo
{{CompanyCargo
|Description=Polish manufacturer of railway rolling stock.
|Founded=1876
|Founded=1876
|Industry=Railway
|Industry=Railway
|Logo=Newag Group logo.svg
|ParentCompany=
|Type=Public
|Type=Public
|Website=https://www.newag.pl/
|Website=https://www.newag.pl/
|Description=The company produces locomotives and electric multiple unit powered rolling stocks.
}}
|Logo=Newag Group logo.svg}}


'''{{wplink|Newag|Newag S.A.}}''' (pronounced ''"nevag"'') is a publicly traded<ref>https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012</ref> Polish company based in {{wplink|Nowy Sącz}} that specializes in the production, maintenance, and modernization of railway rolling stock.<ref>https://www.newag.pl/en/company/history/</ref> Their most notable products include: the families of electric locomotives '''Griffin'''<ref>https://www.newag.pl/en/offer/griffin/</ref><ref>https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/</ref> and '''Dragon''',<ref>https://www.newag.pl/en/offer/dragon/</ref> as well as the '''Impuls''' family of multiple units.<ref>https://www.newag.pl/en/offer/impuls/</ref>
'''{{wplink|Newag|Newag S.A.}}''' (pronounced ''"nevag"'') is a publicly traded Polish company based in {{wplink|Nowy Sącz}} that specializes in the production, maintenance, and modernization of railway rolling stock.<ref>{{Cite web |title=Company factsheet |url=https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012 |url-status=live |archive-url=https://web.archive.org/web/20260407160342/https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012 |archive-date=7 Apr 2026 |access-date=1 Mar 2026 |website=GPW}}</ref><ref>{{Cite web |title=Company history |url=https://www.newag.pl/en/company/history/ |archive-url=http://web.archive.org/web/20250120130623/https://www.newag.pl/en/company/history/ |archive-date=20 Jan 2025 |access-date=1 Mar 2026 |website=Newag}}</ref>


==Anti-competitive practices==
Their most notable products include the electric locomotive families '''Griffin''' and '''Dragon''', as well as the '''Impuls''' family of multiple units.<ref>{{Cite web |title=Griffin |url=https://www.newag.pl/en/offer/griffin/ |archive-url=http://web.archive.org/web/20250125122434/https://www.newag.pl/en/offer/griffin/ |archive-date=25 Jan 2025 |access-date=1 Mar 2026 |website=Newag}}</ref><ref>{{Cite web |title=Dragon |url=https://www.newag.pl/en/offer/dragon/ |archive-url=http://web.archive.org/web/20250209153246/https://www.newag.pl/en/offer/dragon/ |archive-date=9 Feb 2025 |access-date=1 Mar 2026 |website=Newag}}</ref><ref>{{Cite web |title=Impuls |url=https://www.newag.pl/en/offer/impuls/ |archive-url=http://web.archive.org/web/20250112104016/https://www.newag.pl/en/offer/impuls/ |archive-date=12 Jan 2025 |access-date=1 Mar 2026 |website=Newag}}</ref>
In 2022, a regional Polish train operator commissioned a third-party repair service - '''SPS''' - to complete maintenance on Impuls trains<ref name=":0">https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/</ref>. The repair service could not, however, bring the trains to move despite them being in working order. This, alongside accusations of "interfering with the trains' security systems"<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227</ref> by Newag caused a tarnishing of SPS's reputation.<ref>https://www.youtube.com/watch?v=IXlYjgVpVIg</ref><ref name=":0" /> In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,<ref name=":0" /><ref>https://dragonsector.pl/</ref> after being hired by SPS, disclosed findings that a number of lock-up mechanisms were placed in the trains' software.<ref>https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref><ref>https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com</ref> These allegedly include:


#'''A "lack of movement timer"''', which would disable the train after it has not moved for a set amount of time.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625</ref>
==Consumer impact summary==
#'''Geofencing''' - the train would disable itself once it detects that it is in one of Newag's competitors' workshops.<ref>[https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1685 https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713]</ref><ref name=":1">https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref>
#'''Serializing''' the CAN bus extension device of the train, disabling it if a change in the CAN's serial number is detected.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814</ref>
#'''A date check,''' which would cause the train to lock up if it was not serviced by Newag before the 21st of November 2022, claiming compressor failure.<ref name=":2">https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891</ref>


The geofencing mechanism has later been shown to allegedly be the cause of disruptions on a connection serviced by Impuls trains, having them disable themselves when passing near one of the geofenced locations.<ref name=":1" /> The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.<ref name=":2" /><ref>https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2</ref><ref name=":3">https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html</ref>
====Repair restrictions====
In 2022, a regional Polish train operator commissioned third-party repair service SPS to complete maintenance on Impuls trains.<ref name="badcyber">{{Cite web |title=Dieselgate but for trains |url=https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/ |archive-url=http://web.archive.org/web/20260222173559/https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/ |archive-date=22 Feb 2026 |access-date=1 Mar 2026 |website=Bad Cyber}}</ref> The trains reportedly failed to operate despite being mechanically functional. Allegations emerged that software mechanisms prevented operation following third-party servicing.


Newag firmly denies any claims of wrongdoing, releasing multiple statements<ref name=":3" /> claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."<ref name=":4">https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/</ref> Newag claims they "have not, do not and will not introduce" any software locks.<ref name=":4" /> The statements also implied an attempt to "undermine Newag's market position".<ref name=":3" />
====Software lock mechanisms====
In 2023, cybersecurity researchers from Dragon Sector, hired by SPS, disclosed findings that software lock mechanisms had allegedly been embedded within Impuls trains.<ref name="ars">{{Cite web |title=Manufacturer deliberately bricked trains repaired by competitors, hackers find |url=https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/ |archive-url=http://web.archive.org/web/20251105052028/https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/ |archive-date=5 Nov 2025 |access-date=1 Mar 2026 |website=Ars Technica}}</ref>


The investigation against Newag is still on-going.
Alleged mechanisms included:
 
*A “lack of movement timer” disabling trains after inactivity.
*Geofencing that disabled trains at competitor workshops.
*Serialization of CAN bus components.
*A date-based lock tied to servicing deadlines.
 
====Geofencing disruptions====
The geofencing mechanism was later alleged to have caused operational disruptions when trains passed near flagged GPS locations.<ref>{{Cite web |title=We’ve Not Been Trained For This |url=https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure |archive-url=http://web.archive.org/web/20260116035645/https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure |archive-date=16 Jan 2026 |access-date=1 Mar 2026 |website=CCC}}</ref>
 
====Company response====
Newag denied the allegations, stating it had not introduced software locks and characterizing the reports as defamatory and damaging to its market position.<ref>{{Cite web |title=Newag comes out fighting in claims over foul play |url=https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/ |archive-url=http://web.archive.org/web/20260216171632/https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/ |archive-date=16 Feb 2026 |access-date=1 Mar 2026 |website=Rail Journal}}</ref>


==Incidents==
==Incidents==
===2023 Anti-competition GPS and time based software lockups [https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ <nowiki>[1][pl]</nowiki>]===
In December of 2023 white-hat hacker group Dragon Sector revealed their findings regarding Newag Impuls rolling stock malfunctions. They were employed by SPS Mieczkowski (Serwis Pojazdów Szynowych Mieczkowski) to investigate issues they were having regarding repair of Newag Impuls trains. After getting access to debug port, copying contents of management computer and reverse engineering the result code, they found multiple flags that were tripped from zeroed values. After correcting those and reinserting the computer to the train it have returned to normal function. Then they proceed with analysis of the code. In their findings they presented multiple instances of GPS coordinates that were pointing to the competing service companies. After detecting extended stay at these coordinates (10 days) the  train were to lock up and the only repair option was to send the train for service to producer facility. In the code of different computers the group also found parts serialization and arbitrary timed component malfunction. After these findings investigation and court case was initiated against the company and as of August 2025 they have not yet reached the conclusion.   


===2024 Lawsuit against SPS and Dragon Sector on grounds of copyright infringement [https://www.ifixit.com/News/112008/polish-train-maker-is-suing-the-hackers-who-exposed-its-anti-repair-tricks <nowiki>[2][pl]</nowiki>][https://cyberdefence24.pl/polityka-i-prawo/newag-kontra-dragon-sector-i-sps-ruszyl-proces-o-naruszenie-praw-autorskich <nowiki>[3][pl]</nowiki>]===
This is a list of all consumer protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].
In August of 2024 Newag Group launched lawsuit against SPS and Dragon Sector group. In this lawsuit Newag claims Dragon Sector exposed train passengers to danger by modifying code of train computer, while simultaneously claiming that Dragon Sector did not modify the code after reverse engineered it, in which case such action breaks the rule of EU Directive 2009/24/EC thus infringing on copyright of the software developed by Newag. As of August 2025 this lawsuit not yet reached the conclusion.  
 
===2023 Anti-competition GPS and time based software lockups===
In December 2023 white-hat hacker group Dragon Sector revealed findings regarding Newag Impuls rolling stock malfunctions. They were employed by SPS Mieczkowski to investigate issues regarding repair of Impuls trains. After reverse engineering analysis, they reported discovering multiple software flags, GPS-based geofencing coordinates corresponding to competing service companies, parts serialization mechanisms, and timed lock conditions. Following disclosure, investigations and legal proceedings were initiated. As of August 2025, the matter has not reached conclusion.<ref name="ars" />
 
===2024 Lawsuit against SPS and Dragon Sector===
In August 2024 Newag Group launched a lawsuit against SPS and Dragon Sector. In this lawsuit Newag claims Dragon Sector exposed train passengers to danger by modifying code of train computers, while also alleging copyright infringement under EU Directive 2009/24/EC related to reverse engineering of software. As of August 2025 this lawsuit has not reached conclusion.
 
===Lawsuit reported by iFixit (July 2025)===
On July 28, 2025, iFixit reported that Newag had initiated legal proceedings against members of Dragon Sector and SPS following their public disclosure of alleged software-based repair restrictions in Impuls trains.<ref>{{Cite web |date=28 Jul 2025 |title=Polish Train Maker Is Suing the Hackers Who Exposed Its Anti-Repair Tricks |url=https://es.ifixit.com/News/112008/polish-train-maker-is-suing-the-hackers-who-exposed-its-anti-repair-tricks |url-status=live |archive-url=https://web.archive.org/web/20260302202139/https://es.ifixit.com/News/112008/polish-train-maker-is-suing-the-hackers-who-exposed-its-anti-repair-tricks |archive-date=2026-03-02 |access-date=1 Mar 2026 |website=iFixit}}</ref>
 
The report states that the lawsuit includes allegations of copyright infringement related to reverse engineering and software modification. The case remains ongoing.


==See also==
==See also==
{{Ph-C-SA}}
 
*[[Leo Express]]


==References==
==References==
{{Reflist}}
<references />
[[Category:{{PAGENAME}}]]
 
[[Category:Newag]]
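
Review bot: the rewritten "2024 Lawsuit against SPS and Dragon Sector" section is left without any citation: the old heading carried the iFixit and cyberdefence24 links, and the new text adds no <ref> in their place. The added "Lawsuit reported by iFixit (July 2025)" section cites the same iFixit article (News/112008) that the old heading linked, so the two sections now describe the same proceedings twice; merge them and attach the iFixit reference to the merged text. The new "Alleged mechanisms included:" list also drops the per-item references and the specifics the old numbered list gave (the 21 November 2022 servicing date, the serial-number check on the CAN bus device); keep one reference per bullet so each allegation stays verifiable.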

Latest revision as of 16:06, 7 April 2026

Newag
Basic information
Founded: 1876
Legal structure: Public
Industry: Railway
Official website: https://www.newag.pl/

Newag S.A. (pronounced "nevag") is a publicly traded Polish company based in Nowy Sącz that specializes in the production, maintenance, and modernization of railway rolling stock.[1][2]

Their most notable products include the electric locomotive families Griffin and Dragon, as well as the Impuls family of multiple units.[3][4][5]

Consumer impact summary

Repair restrictions

In 2022, a regional Polish train operator commissioned the third-party repair service SPS to complete maintenance on Impuls trains.[6] The trains reportedly failed to operate despite being mechanically functional. Allegations emerged that software mechanisms prevented operation following third-party servicing.

Software lock mechanisms

In 2023, cybersecurity researchers from Dragon Sector, hired by SPS, disclosed findings that software lock mechanisms had allegedly been embedded within Impuls trains.[7]

Alleged mechanisms included:

  • A “lack of movement timer” disabling trains after inactivity.
  • Geofencing that disabled trains at competitor workshops.
  • Serialization of CAN bus components.
  • A date-based lock tied to servicing deadlines.

Geofencing disruptions

The geofencing mechanism was later alleged to have caused operational disruptions when trains passed near flagged GPS locations.[8]

Company response

Newag denied the allegations, stating it had not introduced software locks and characterizing the reports as defamatory and damaging to its market position.[9]

Incidents

This is a list of all consumer protection incidents this company is involved in. Any incidents not mentioned here can be found in the Newag category.

2023 Anti-competition GPS and time based software lockups

In December 2023, the white-hat hacker group Dragon Sector revealed findings regarding Newag Impuls rolling stock malfunctions. They were employed by SPS Mieczkowski to investigate issues with the repair of Impuls trains. After reverse engineering analysis, they reported discovering multiple software flags, GPS-based geofencing coordinates corresponding to competing service companies, parts serialization mechanisms, and timed lock conditions. Following disclosure, investigations and legal proceedings were initiated. As of August 2025, the matter has not reached a conclusion.[7]

2024 Lawsuit against SPS and Dragon Sector

In August 2024, Newag Group launched a lawsuit against SPS and Dragon Sector. In this lawsuit, Newag claims Dragon Sector exposed train passengers to danger by modifying the code of train computers, while also alleging copyright infringement under EU Directive 2009/24/EC related to reverse engineering of software. As of August 2025, this lawsuit has not reached a conclusion.

Lawsuit reported by iFixit (July 2025)

On July 28, 2025, iFixit reported that Newag had initiated legal proceedings against members of Dragon Sector and SPS following their public disclosure of alleged software-based repair restrictions in Impuls trains.[10]

The report states that the lawsuit includes allegations of copyright infringement related to reverse engineering and software modification. The case remains ongoing.

See also

References

  1. "Company factsheet". GPW. Archived from the original on 7 Apr 2026. Retrieved 1 Mar 2026.
  2. "Company history". Newag. Archived from the original on 20 Jan 2025. Retrieved 1 Mar 2026.
  3. "Griffin". Newag. Archived from the original on 25 Jan 2025. Retrieved 1 Mar 2026.
  4. "Dragon". Newag. Archived from the original on 9 Feb 2025. Retrieved 1 Mar 2026.
  5. "Impuls". Newag. Archived from the original on 12 Jan 2025. Retrieved 1 Mar 2026.
  6. "Dieselgate but for trains". Bad Cyber. Archived from the original on 22 Feb 2026. Retrieved 1 Mar 2026.
  7. "Manufacturer deliberately bricked trains repaired by competitors, hackers find". Ars Technica. Archived from the original on 5 Nov 2025. Retrieved 1 Mar 2026.
  8. "We've Not Been Trained For This". CCC. Archived from the original on 16 Jan 2026. Retrieved 1 Mar 2026.
  9. "Newag comes out fighting in claims over foul play". Rail Journal. Archived from the original on 16 Feb 2026. Retrieved 1 Mar 2026.
  10. "Polish Train Maker Is Suing the Hackers Who Exposed Its Anti-Repair Tricks". iFixit. 28 Jul 2025. Archived from the original on 2026-03-02. Retrieved 1 Mar 2026.