Newag: Difference between revisions

m Mr Pollo moved page Newag backdoor to Newag without leaving a redirect: merging with article created by User:Michal.296
 
{{Under Development|date=15 January 2025|stage=Writing|priority=Medium to Low}}
{{Incomplete}}
{{CompanyCargo
|Founded=1876
|Industry=Railway
|Type=Public
|Website=https://www.newag.pl/
|Description=The company produces locomotives and electric multiple-unit rolling stock.
|Logo=Newag Group logo.svg}}


'''{{wplink|Newag|Newag S.A.}}''' (pronounced ''"nevag"'') is a publicly traded<ref>https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012</ref> Polish company based in {{wplink|Nowy Sącz}} that specializes in the production, maintenance, and modernization of railway rolling stock.<ref>https://www.newag.pl/en/company/history/</ref> Their most notable products include: the families of electric locomotives '''Griffin'''<ref>https://www.newag.pl/en/offer/griffin/</ref><ref>https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/</ref> and '''Dragon''',<ref>https://www.newag.pl/en/offer/dragon/</ref> as well as the '''Impuls''' family of multiple units.<ref>https://www.newag.pl/en/offer/impuls/</ref>


== Backdoor Incident ==
==Anti-competitive practices==
In 2022, maintenance carried out on trains manufactured by '''Newag''' uncovered malicious software code and backdoors.<ref>https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com</ref> The investigation against '''Newag''' is still ongoing.
In 2022, a regional Polish train operator commissioned a third-party repair service, '''SPS''', to complete maintenance on Impuls trains.<ref name=":0">https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/</ref> The repair service could not, however, get the trains to move even though they were in working order. This, alongside accusations by Newag of "interfering with the trains' security systems",<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227</ref> tarnished SPS's reputation.<ref>https://www.youtube.com/watch?v=IXlYjgVpVIg</ref><ref name=":0" /> In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,<ref name=":0" /><ref>https://dragonsector.pl/</ref> after being hired by SPS, disclosed findings that a number of lock-up mechanisms had been placed in the trains' software.<ref>https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref><ref>https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com</ref> These allegedly include:
 
#'''A "lack of movement timer"''', which would disable the train after it has not moved for a set amount of time.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625</ref>
#'''Geofencing''': the train would disable itself once it detects that it is in one of Newag's competitors' workshops.<ref>[https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1685 https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713]</ref><ref name=":1">https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293</ref><ref>https://social.hackerspace.pl/@q3k/111528162462505087</ref>
#'''Serializing''' the CAN bus extension device of the train, disabling it if a change in the CAN's serial number is detected.<ref>https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814</ref>
#'''A date check,''' which would cause the train to lock up if it was not serviced by Newag before the 21st of November 2022, claiming compressor failure.<ref name=":2">https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891</ref>
 
The geofencing mechanism was later allegedly shown to be the cause of disruptions on a connection serviced by Impuls trains, which disabled themselves when passing near one of the geofenced locations.<ref name=":1" /> The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.<ref name=":2" /><ref>https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2</ref><ref name=":3">https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html</ref>
 
Newag firmly denies any claims of wrongdoing, releasing multiple statements<ref name=":3" /> claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."<ref name=":4">https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/</ref> Newag claims they "have not, do not and will not introduce" any software locks.<ref name=":4" /> The statements also implied an attempt to "undermine Newag's market position".<ref name=":3" />
 
The investigation against Newag is still ongoing.
 
==Incidents==
===2023 Anti-competition GPS and time-based software lockups [https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ <nowiki>[1][pl]</nowiki>] [[Newag backdoor]]===
In December 2023, the white-hat hacker group Dragon Sector revealed their findings regarding malfunctions of Newag Impuls rolling stock. They had been hired by SPS Mieczkowski (Serwis Pojazdów Szynowych Mieczkowski) to investigate problems it was having with the repair of Newag Impuls trains. After gaining access to a debug port, copying the contents of the management computer, and reverse engineering the resulting code, they found multiple flags that had been tripped from their zeroed values. After they corrected those flags and reinstalled the computer in the train, it returned to normal function. They then proceeded to analyse the code. In their findings they presented multiple sets of GPS coordinates pointing to competing service companies. After detecting an extended stay at these coordinates (10 days), the train was to lock up, and the only repair option was to send it for service at the producer's facility. In the code of other computers the group also found parts serialization and arbitrarily timed component malfunctions. After these findings, an investigation and a court case were initiated against the company; as of August 2025 they have not yet reached a conclusion.
 
===2024 Lawsuit against SPS and Dragon Sector on grounds of copyright infringement [https://www.ifixit.com/News/112008/polish-train-maker-is-suing-the-hackers-who-exposed-its-anti-repair-tricks <nowiki>[2][pl]</nowiki>][https://cyberdefence24.pl/polityka-i-prawo/newag-kontra-dragon-sector-i-sps-ruszyl-proces-o-naruszenie-praw-autorskich <nowiki>[3][pl]</nowiki>]===
In August 2024, Newag Group launched a lawsuit against SPS and the Dragon Sector group. In this lawsuit Newag claims that Dragon Sector exposed train passengers to danger by modifying the code of the train computer, while simultaneously claiming that Dragon Sector did not modify the code after reverse engineering it, in which case such action breaks the rules of EU Directive 2009/24/EC, thus infringing the copyright of the software developed by Newag. As of August 2025 this lawsuit has not yet reached a conclusion.
 
==See also==
{{Ph-C-SA}}
 
==References==
{{Reflist}}
[[Category:{{PAGENAME}}]]