
Newag backdoor

From Consumer Rights Wiki

Article Status Notice: This Article is a stub


This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.

Newag S.A.
Basic information
Founded 1876
Type Manufacturer
Industry Rail
Official website https://www.newag.pl/


Newag S.A. (pronounced "nevag") is a publicly traded[1] Polish company based in Nowy Sącz that specializes in the production, maintenance, and modernization of railway rolling stock.[2] Their most notable products include: the families of electric locomotives Griffin[3][4] and Dragon,[5] as well as the Impuls family of multiple units.[6]

Anti-competitive practices

In 2022, a regional Polish train operator commissioned a third-party repair service, SPS, to complete maintenance on Impuls trains.[7] However, the repair service could not get the trains to move, despite them being in working order. This, alongside accusations by Newag of "interfering with the trains' security systems",[8] tarnished SPS's reputation.[9][7] In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,[7][10] hired by SPS, disclosed findings that a number of lock-up mechanisms had been placed in the trains' software.[11][12][13] These allegedly include:

  1. A "lack of movement timer", which would disable the train after it has not moved for a set amount of time.[14]
  2. Geofencing - the train would disable itself once it detects that it is in one of Newag's competitors' workshops.[15][16][17]
  3. Serializing the CAN bus extension device of the train, disabling it if a change in the CAN's serial number is detected.[18]
  4. A date check, which would cause the train to lock up if it was not serviced by Newag before the 21st of November 2022, claiming compressor failure.[19]

The geofencing mechanism was later alleged to be the cause of disruptions on a connection serviced by Impuls trains, which disabled themselves when passing near one of the geofenced locations.[16] The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.[19][20][21]
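One way a date check can produce exactly these recurring windows is by comparing the year, month and day fields separately instead of comparing the date as a whole. The sketch below is an added illustration, not code from the trains' firmware or from Dragon Sector's analysis; the field-by-field comparison and all function names are assumptions, and only the 21 November 2022 cutoff is taken from the article.

```python
from datetime import date, timedelta

THRESHOLD = date(2022, 11, 21)  # cutoff date given in the article


def flawed_lock(today: date, t: date = THRESHOLD) -> bool:
    # Assumed bug: year, month and day are each compared on their own,
    # so the check is only true late in November and late in December.
    return today.year >= t.year and today.month >= t.month and today.day >= t.day


def intended_lock(today: date, t: date = THRESHOLD) -> bool:
    # Whole-date comparison: true on every day from the cutoff onward.
    return today >= t


def active_windows(check, start: date, end: date):
    """Return (first_day, last_day) pairs for each run of days where check() is true."""
    windows, run_start, day = [], None, start
    while day <= end:
        if check(day):
            if run_start is None:
                run_start = day
        elif run_start is not None:
            windows.append((run_start, day - timedelta(days=1)))
            run_start = None
        day += timedelta(days=1)
    if run_start is not None:  # run still open at the end of the range
        windows.append((run_start, end))
    return windows


if __name__ == "__main__":
    # Constructed audit range: two calendar years around the cutoff.
    for name, check in (("field-by-field", flawed_lock), ("whole date", intended_lock)):
        print(name)
        for first, last in active_windows(check, date(2022, 1, 1), date(2023, 12, 31)):
            print(f"  {first} .. {last} ({(last - first).days + 1} days)")
```

Last days are inclusive here, so a window ending on 30 November corresponds to the article's "to 12/1". Enumerating the active days of a date-gated condition in this way is a quick check for explaining failures that recur on the same calendar dates.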

Newag firmly denies any claims of wrongdoing, releasing multiple statements[21] claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."[22] Newag claims they "have not, do not and will not introduce" any software locks.[22] The statements also implied an attempt to "undermine Newag's market position".[21]

The investigation against Newag is still ongoing.

References

  1. https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012
  2. https://www.newag.pl/en/company/history/
  3. https://www.newag.pl/en/offer/griffin/
  4. https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/
  5. https://www.newag.pl/en/offer/dragon/
  6. https://www.newag.pl/en/offer/impuls/
  7. https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/
  8. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227
  9. https://www.youtube.com/watch?v=IXlYjgVpVIg
  10. https://dragonsector.pl/
  11. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691
  12. https://social.hackerspace.pl/@q3k/111528162462505087
  13. https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com
  14. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625
  15. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713
  16. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293
  17. https://social.hackerspace.pl/@q3k/111528162462505087
  18. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814
  19. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891
  20. https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2
  21. https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html
  22. https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/