
Newag backdoor

From Consumer_Action_Taskforce
Revision as of 21:25, 1 April 2025 by NoGoodDeed (Update company logo)

Newag S.A.
Basic information
Founded: 1876
Type: Manufacturer
Industry: Rail
Official website: https://www.newag.pl/


Newag S.A. (pronounced "nevag") is a publicly traded[1] Polish company based in Nowy Sącz that specializes in the production, maintenance, and modernization of railway rolling stock.[2] Its most notable products include the Griffin[3][4] and Dragon[5] families of electric locomotives, as well as the Impuls family of multiple units.[6]

Anti-competitive practices

In 2022, a regional Polish train operator commissioned a third-party repair service, SPS, to complete maintenance on Impuls trains.[7] The repair service could not, however, get the trains to move, even though they were in working order. This, alongside Newag's accusations of "interfering with the trains' security systems",[8] tarnished SPS's reputation.[9][7] In 2023, however, a group of Polish cybersecurity experts from Dragon Sector,[7][10] after being hired by SPS, disclosed findings that a number of lock-up mechanisms had been placed in the trains' software.[11][12][13] These allegedly include:

  1. A "lack of movement timer", which would disable the train after it had not moved for a set amount of time.[14]
  2. Geofencing: the train would disable itself once it detected that it was in one of Newag's competitors' workshops.[15][16][17]
  3. Serialization of the train's CAN bus extension device, disabling it if a change in the CAN's serial number is detected.[18]
  4. A date check, which would cause the train to lock up, reporting a compressor failure, if it was not serviced by Newag before the 21st of November 2022.[19]

The geofencing mechanism was later allegedly shown to be the cause of disruptions on a connection served by Impuls trains, which disabled themselves when passing near one of the geofenced locations.[16] The date check, meanwhile, was poorly implemented, and would only cause the train to be locked from 11/21 to 12/1 and from 12/21 to 1/1 each year after 2021.[19][20][21]
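One way a date check can end up active only in those two yearly windows is by comparing year, month and day as separate fields instead of comparing whole dates. The following is an added illustration, not code from the trains' software or from Dragon Sector's analysis; the field-wise condition is an assumption built from the 21 November 2022 cutoff given above (reading 11/21 as month/day), and all function names are hypothetical.

```python
from datetime import date, timedelta

# Cutoff taken from the article: 21 November 2022.
CUTOFF = date(2022, 11, 21)

def fieldwise_check(d: date) -> bool:
    """ASSUMED flawed form: year, month and day are each compared separately."""
    return d.year >= CUTOFF.year and d.month >= CUTOFF.month and d.day >= CUTOFF.day

def whole_date_check(d: date) -> bool:
    """Whole-date comparison: true on every day from the cutoff onward."""
    return d >= CUTOFF

def active_windows(predicate, start: date, end: date):
    """Sweep [start, end) one day at a time, as an auditor would sweep a
    device clock, and return (first_day, first_day_after) pairs for each
    contiguous run of days on which the predicate holds."""
    windows, opened, d = [], None, start
    while d < end:
        hit = predicate(d)
        if hit and opened is None:
            opened = d
        elif not hit and opened is not None:
            windows.append((opened, d))
            opened = None
        d += timedelta(days=1)
    if opened is not None:          # run still open at the end of the sweep
        windows.append((opened, end))
    return windows

if __name__ == "__main__":
    start, end = date(2022, 1, 1), date(2024, 1, 1)
    for name, check in (("field-wise", fieldwise_check), ("whole-date", whole_date_check)):
        print(name)
        for first, after in active_windows(check, start, end):
            print(f"  active from {first} until {after} (exclusive)")
```

Sweeping a test clock across several years in this way exposes date-gated behaviour that a functional test run on a single day would miss.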

Newag firmly denies any claims of wrongdoing, releasing multiple statements[21] claiming the findings of Dragon Sector, as well as reports from media outlets, are "slander" from their competition, "which is conducting an illegal campaign of black PR against us."[22] Newag claims they "have not, do not and will not introduce" any software locks.[22] The statements also implied an attempt to "undermine Newag's market position".[21]

The investigation against Newag is still ongoing.

References

  1. https://www.gpw.pl/company-factsheet?isin=PLNEWAG00012
  2. https://www.newag.pl/en/company/history/
  3. https://www.newag.pl/en/offer/griffin/
  4. https://twojsacz.pl/kolejne-lokomotywy-griffin-z-nowego-sacza-trafily-do-pkp-intercity/
  5. https://www.newag.pl/en/offer/dragon/
  6. https://www.newag.pl/en/offer/impuls/
  7. https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/
  8. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=227
  9. https://www.youtube.com/watch?v=IXlYjgVpVIg
  10. https://dragonsector.pl/
  11. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=691
  12. https://social.hackerspace.pl/@q3k/111528162462505087
  13. https://arstechnica.com/tech-policy/2023/12/manufacturer-deliberately-bricked-trains-repaired-by-competitors-hackers-find/?utm_source=chatgpt.com
  14. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1625
  15. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1713
  16. https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure#t=1293
  17. https://social.hackerspace.pl/@q3k/111528162462505087
  18. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1814
  19. https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains#t=1891
  20. https://wiadomosci.onet.pl/kraj/skandal-na-kolei-pociag-newagu-stanal-bo-znowu-nadszedl-21-grudnia/41mdspf?utm_source=www.qwant.com_viasg_wiadomosci&utm_medium=referal&utm_campaign=leo_automatic&srcc=undefined&utm_v=2
  21. https://www.rynek-kolejowy.pl/wiadomosci/impuls-zepsul-sie-z-powodu-21-grudnia-mamy-stanowisko-newagu--116695.html
  22. https://www.railjournal.com/fleet/newag-comes-out-fighting-in-claims-over-foul-play/