Jump to content

2023 Newag Impuls software locks

From Consumer Rights Wiki

2023 Newag Impuls software locks were routines built into Newag Impuls electric trains that disabled the trains after they were serviced at third-party workshops, leaving them unable to move even though nothing mechanical was wrong.[1][2] The Polish security collective Dragon Sector traced the shutdowns to code hidden in the trains' onboard controllers between 2022 & 2023: GPS geofences drawn around competitors' repair sites, a timer that disabled a train left standing for a set number of days, component serialization over the CAN bus, & a date-based routine that faked a compressor failure.[1][3] Newag denies installing any lock, calls the findings defamatory,[4] & in August 2024 sued the repair firm & the researchers who published them.[5][3][6]

Background

[edit | edit source]

Newag S.A. is a publicly traded Polish manufacturer of railway rolling stock based in Nowy Sącz, & the Impuls is its family of electric multiple units.[7][8][1]

In 2022, the independent maintenance firm Serwis Pojazdów Szynowych (SPS Mieczkowski) took in Koleje Dolnośląskie Impuls units for scheduled overhauls, & the trains refused to start once the work was finished even though nothing was mechanically wrong.[9][1] SPS hired the Polish security collective Dragon Sector, & three of its members, Michał "Redford" Kowalczyk, Sergiusz "q3k" Bazański, & Jakub "MrTick" Stępniewicz, reverse engineered the trains' programmable logic controllers.[10][1]

Software locks in the Impuls control system

[edit | edit source]

Decompiling the controller code, Dragon Sector documented several conditions written into the software that would disable a train.[11][1] The locks left no error on the cabin screen. The train read as ready, released its brakes on command, & then refused to engage its traction motors.[1][12][13]

Pseudocode of the geofence check published in the Zaufana Trzecia Strona investigation, showing the hardcoded coordinate pair 53.13845 and 17.99011 that pins a workshop next to competitor PESA in Bydgoszcz.[1]

GPS geofences around competitor sites

[edit | edit source]

One controller held hardcoded GPS coordinates. One pair, 53.13845 & 17.99011, resolves to a site next to Bydgoszcz Główna station used by the competing manufacturer PESA, & a train that came to rest inside such a geofence was blocked from moving.[1]

Days-stationary timer

[edit | edit source]

A separate routine disabled any unit that had stood still for at least 10 days. After Dragon Sector unlocked the first trains & returned them to service, a later Newag firmware update raised that threshold to 21 days while leaving the mechanism in place.[1][3]

Parts serialization over the CAN bus

[edit | edit source]

The software paired components by serial number over the CAN bus, so swapping a failed part for an identical working unit triggered a lock.[1]

Date-based compressor fault

[edit | edit source]

One version of the code reported a false fault in the auxiliary compressor when the day reached the 21st or later in November or December of 2021 or any following year. Because the compressor raises the pantograph that draws power from the overhead line, the fake fault left the train unable to move.[1] A different version was written to report a failure after the unit had run 1,000,000 kilometers.[1]

Undocumented unlock sequence and remote signaling

[edit | edit source]

Dragon Sector found that an undocumented sequence of button presses in the cab cleared a lock. A later Newag update removed that sequence, left the lock logic in place, & added cabin messages warning of a copyright violation.[11][1] One controller was wired to a GSM modem through a device labeled a UDP to CAN converter that broadcast the lock state, which Bazański said appeared able to lock a train remotely.[11][1]

Dragon Sector analyzed the software of 29 Impuls units, 13 of them in Wrocław, & found lock routines in all but five, on trains run by carriers including Koleje Dolnośląskie, Koleje Mazowieckie, POLREGIO, the Szczecin fleet, & SKM.[1][12] The team presented the technical analysis at the 37C3 congress in December 2023 & returned a year later to detail the legal fallout at 38C3.[13][14]

Newag's response

[edit | edit source]

Newag denies installing any lockout, geofence, or timer, & describes the reports as slander from competitors.[4][12][15] Its public position is that the software was altered without authorization by a third party.[4] After the findings were published on December 5, 2023, Newag's share price fell by as much as 17% before closing the day down about 6%, & the company said the report amounted to manipulation of its share price.[15]

Regulatory and criminal investigations

[edit | edit source]

The President of Poland's Office of Competition & Consumer Protection (UOKiK), Tomasz Chróstny, opened an explanatory proceeding on December 7, 2023, at the request of Razem party members of parliament Paulina Matysiak & Adrian Zandberg, to examine whether Newag restricted competition in the market for train servicing.[16][12] The Regional Prosecutor's Office in Kraków opened a separate criminal investigation, & in 2024 prosecutors & police searched Newag's headquarters to secure records.[12][17]

Lawsuits

[edit | edit source]

Claims

[edit | edit source]

In August 2024, Newag began legal action against SPS & the Dragon Sector researchers, seeking damages for copyright infringement, unfair competition, & harm to its reputation.[5][3][6] The claims were split across two courts, one seeking about $1.7 million & the other about $1.36 million.[6] Newag's filing bases the copyright claim on the researchers decompiling its train software rather than on any change to the code.[5][3]

Rebuttal

[edit | edit source]
A page from Newag's copyright suit quoting the company's filing that no modified software was installed as part of the researchers' work, contradicting its public claim that competitors had tampered with the software.[5]

Newag's public account holds that a third party altered the Impuls software, but its own court filing states that "No modified Software was installed as part of actions undertaken".[5] iFixit noted that Newag argues at once that the researchers endangered passengers by modifying the software & that they did not modify it at all.[3]

Outcome

[edit | edit source]

iFixit & Techdirt framed the suits as Newag targeting the people who exposed the locks, & the researchers detailed the litigation & their legal defense in their 38C3 talk.[3][6][14] As of August 2025 the litigation remained ongoing.[6]

Right to repair significance

[edit | edit source]

iFixit & Techdirt covered the case as a right to repair dispute, describing Newag's use of software locks & copyright claims to make independent repair of the Impuls fleet harder.[3][6] iFixit wrote that the copyright claim rests on the researchers reverse engineering the train software.[3]

See also

[edit | edit source]

References

[edit | edit source]
  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 1.14 1.15 Haertle, Adam (5 Dec 2023). "O trzech takich, co zhakowali prawdziwy pociąg a nawet 30 pociągów" [About three guys who hacked a real train, and even 30 of them]. Zaufana Trzecia Strona (in polski). Retrieved 8 Jul 2026.
  2. "Manufacturer deliberately bricked trains repaired by competitors, hackers find". Ars Technica. Archived from the original on 5 Nov 2025. Retrieved 1 Mar 2026.
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 "Polish Train Maker Is Suing the Hackers Who Exposed Its Anti-Repair Tricks". iFixit. 28 Jul 2025. Archived from the original on 2 Mar 2026. Retrieved 1 Mar 2026.
  4. 4.0 4.1 4.2 "Newag comes out fighting in claims over foul play". International Railway Journal. Archived from the original on 16 Feb 2026. Retrieved 1 Mar 2026.
  5. 5.0 5.1 5.2 5.3 5.4 Woźniak, Michał. "Newag admits, Dragon Sector hackers did not modify software in Impuls trains". rys.io. Archived from the original on 3 Jul 2026. Retrieved 8 Jul 2026.
  6. 6.0 6.1 6.2 6.3 6.4 6.5 Bode, Karl (19 Aug 2025). "Train Maker Sues Hackers For Exposing Dodgy Efforts To Make Train Repairs More Difficult". Techdirt. Retrieved 8 Jul 2026.
  7. "Company factsheet". GPW. Archived from the original on 7 Apr 2026. Retrieved 1 Mar 2026.
  8. "Company history". Newag. Archived from the original on 20 Jan 2025. Retrieved 1 Mar 2026.
  9. "Dieselgate but for trains, some heavyweight hardware hacking". Bad Cyber. Archived from the original on 22 Feb 2026. Retrieved 1 Mar 2026.
  10. "Polish train maker denies claims it geofenced trains to force use of its repair shops". The Register. Retrieved 8 Jul 2026.
  11. 11.0 11.1 11.2 Bazański, Sergiusz (5 Dec 2023). "I can finally reveal some research I've been involved with over the past year or so". Warsaw Hackerspace Social (Mastodon). Retrieved 8 Jul 2026.
  12. 12.0 12.1 12.2 12.3 12.4 "Newaggate, antitrust and law enforcement authorities to investigate the case". RollingStock. 20 Dec 2023. Retrieved 8 Jul 2026.
  13. 13.0 13.1 Bazański, Sergiusz; Kowalczyk, Michał (27 Dec 2023). "Breaking "DRM" in Polish trains". media.ccc.de. Chaos Computer Club. Retrieved 8 Jul 2026.
  14. 14.0 14.1 "We've not been trained for this, life after the Newag DRM disclosure". media.ccc.de. Chaos Computer Club. 28 Dec 2024. Archived from the original on 16 Jan 2026. Retrieved 1 Mar 2026.
  15. 15.0 15.1 "Polish manufacturer accused of programming failures into its trains to gain more servicing business". Notes from Poland. 6 Dec 2023. Retrieved 8 Jul 2026.
  16. "UOKiK wszczął postępowanie w sprawie Newagu" [UOKiK opened a proceeding in the Newag case]. Rynek Kolejowy (in polski). 18 Dec 2023. Retrieved 8 Jul 2026.
  17. "Tajemnicze awarie pociągów Newagu. Prokurator z policją weszli do siedziby spółki" [Mysterious Newag train failures. A prosecutor and police entered the company's headquarters]. Rzeczpospolita (in polski). Retrieved 8 Jul 2026.