I have summarised the whole fiasco from
this summary of a talk delivered by the hackers at "Oh My Hack" (in Polish):
There was a tender put out for the servicing of a fleet of 45WE Newag trains operated by Koleje Dolnoslaskie (KD). Newag and another company, SPS, put tenders in. Newag's bid was 3m zl above SPS's tender, so SPS won. After the first train went through this tender, it refused to work. The same happened to the second, third and fourth trains put through the servicing regime. SPS decides to call in hackers, "Dragon Sector", to investigate, because up to that point Newag refused to help KD, stating that it was an SPS issue.
At this point, KD has to introduce an emergency timetable with rail replacement buses because the entire KD 45WE fleet (consisting of the longest trains in KD's fleet) was out of service. KD ultimately is forced to ask Newag to fix the trains, but KD wouldn't commit to terminating the SPS contract for another week to give SPS one last shot. During that week, the hackers try desperately to get the train to start, setting fire - literally - to the on board computer in the process. About 45 minutes before a KD representative was due to arrive to confirm whether the contract should be terminated, the hackers manage to start the train. KD decide not to terminate the contract with SPS and do not send the trains to Newag.
The hackers discovered that there was a geolocation check in the code, which disabled the train if it spent more than 10 days within the bounded region. SPS's servicing facility and PESA's (largest train builder in Poland, state owned) servicing facilities, amongst others, were allegedly included. There was another train with code instructing it to fail once it hit 1,000,000 km travelled distance, and another instructing the train to fail with a compressor fault on November 21st 2021 (however the code to cause this fault was not written correctly, and so it occurred in 2022). They also discovered devices on board and in depots labelled "UPD<->CAN converter" - but removing this device from the train didn't do anything. It is alleged that it was a device that sent the "lock status" of the train to Newag, as it had a GSM modem.
By this point, there is a lot of media attention on the situation (after all, an emergency timetable is in place). Once the first train was "fixed" by the hackers, Newag seemed to move quickly and disabled the method the hackers were using to "fix" the first train through a software update. This was made obvious when a train, which Newag thought should be disabled, was moving and so the train showed an error message informing the driver of a moving train that violation of copyright law is illegal (referring to the way the hackers reverse-engineered the software).
The Polish Rail Regulator, UTK, published a statement, translated below:
Newag fervently deny all of this, and has today called for UTK to revoke the certificates of any "hacked" trains claiming that they are unsafe and that hacking trains is illegal (despite SPS having a valid certificate for overhauling and servicing trains). Their stocks crashed -17% when markets opened today. Newag is planning to take all parties involved to court.
There may be errors in how I have translated the whole situation, as at the moment the exact extent of the situation is not clear. I may have missed some bits too.
badcyber.com
www.404media.co
notesfrompoland.com
