Train Maker Sues Hackers For Exposing Dodgy Efforts To Make Train Repairs More Difficult
from the good-luck-with-that dept
Back in 2023 we wrote about how trains run by a regional Polish rail company and built by the manufacturer NEWAG had been locked down with DRM that punished repairs by independent technicians, in a bid to both monopolize repair and drive up its cost. This kind of effort to monopolize repair is common across numerous industries, and it is driving an organic, grassroots “right to repair” reform movement.
The original story by 404 Media noted that NEWAG had put code in the trains’ control systems that prevented a train from running if its GPS tracker detected that it had spent any time at an independent repair company, or if certain parts had been replaced without a manufacturer-approved serial number. Some independent companies responded by hiring a white hat hacking group dubbed Dragon Sector to bypass the DRM and get the trains running again.
Two years later and it sounds like NEWAG has taken all the wrong lessons from the experience.
The folks at iFixit note that the company has now sued the Polish repair service SPS that fixed those original trains, and has also gone after the individual members of the ethical hacking group Dragon Sector for helping them. NEWAG is seeking $1.7 million for copyright violations and “unlawful competition” in one court, and $1.36 million for unlawful competition and infringement of personal rights in another.
Like most unethical companies trying to monopolize repair, NEWAG insists that this isn’t about making more money, but about the public’s safety. But iFixit notes that the company’s case has several major inconsistencies, including claiming both that the hacking group did and that it did not modify NEWAG’s software:
“Newag claims that the Dragon Sector team endangered passengers’ safety by modifying the software without proper experience. But Newag then turns right around and claims that Dragon Sector did not modify the software at all. They point out that EU law only allows reverse engineering of software in order to fix bugs. And if Dragon Sector did not actually modify the software, it cannot have fixed any bugs, in which case their reverse-engineering must be illegal.”
The Biden FTC under Lina Khan issued a report stating that such safety claims were almost always bullshit: a useful bogeyman used by companies trying to justify anti-competitive, anti-consumer behaviors.
The problem for companies like NEWAG is that the harder they try to monopolize repair and bully independent repair shops, the greater the public attention and animosity becomes. And the greater the public attention and anger, the more likely companies are to see “right to repair” legislative reform that forces them to do what was the right thing in the first place.
Still, there’s no shortage of companies across a dozen different industries that seem to think it’s a good idea to try to monopolize repair through DRM, by making parts and manuals hard to find, or by engaging in “parts pairing” that makes it impossible to simply replace individual “unsanctioned” parts.
Filed Under: consumers, copyright, dragon sector, drm, lawsuit, locomotives, parts pairing, poland, right to repair, trains
Companies: newag, sps


Comments on “Train Maker Sues Hackers For Exposing Dodgy Efforts To Make Train Repairs More Difficult”
I wonder how "bug" is defined
The rail company clearly thought that “won’t run after spending time at an independent repair yard” was a bug
Re:
The term is jargon, so the actual law probably didn’t use it at all.
You say “won’t run after spending time at an independent repair yard”, but I don’t think the repair people knew about that last part initially. Just that, for some unknown reason, the train’s software seemed to have stopped working properly.
This does not logically follow. “Reverse engineering in order to fix bugs” is a statement of intent, and does not require the people using that exception to actually fix any bugs. Maybe whoever hires the reverse-engineers changes their mind, or maybe they hand the report to some other contractor to make the changes.
Also, although “bug” often refers to an unintentional software defect specifically, there are more general definitions. Wiktionary says “8. (chiefly computing, engineering jargon) A problem that needs fixing.” The hackers did fix a problem that the train operator was having with their trains. It doesn’t matter that the software provider considers it a feature.
In complex systems, people often fix problems without actually fixing the root cause. For example, it’s illegal for trains in Switzerland to have exactly 256 axles. One might also call such things “work-arounds”, but a reliable work-around is a kind of fix.
Can we get Dragon Sector to go after John Deere next?
Re:
They’re a CTF group. You’d need to hire some of the individuals, or just support those already working on your target.
Or, set up your target John Deere software as a CTF event somehow, and invite them.
Re:
While Dragon Sector might be able to tease out the meanings of JD’s diagnostic codes, which they’re reluctant to share, I think overall JD is more of a wetware problem: it’s not that their code bricks your tractor, it’s that JD won’t let you have the parts or tools to fix it.
To solve that you might need actual dragons…
That’s why fighting against copyright absolutely relies on self sacrifice, an “I could be sent to jail for writing/publishing/fixing this but…” mentality that ultimately creates or remixes things that might actually benefit humanity. If I knew that something bad might happen to me as an individual for doing these illegal things yet there was a greater benefit to society for having done so, I’d be willing to break the law and suffer for it.
Actually, the hacker team just flipped one bit of data (a counter that blocked the train), without touching the software (only extracting it to decompile and run it on a computer).
Most of the work was to find the geo-fencing that surrounded competitors; that was a lazy solution but pretty efficient.
But I guess the Newag contracts will soon end and they’re looking for some legal way to force renewing them.
Re:
For those who want more detail, the Chaos Computer Club had a 2024 posting about how to help with legal fees. The hackers spoke twice (in English) at conferences run by this club:
– December 2023, Breaking “DRM” in Polish trains
– December 2024, We’ve not been trained for this: life after the Newag DRM disclosure
The notes for the second talk say that there have been parliamentary hearings and two criminal investigations related to Newag’s actions. So Newag might well need a scapegoat at this point.
R2R in EU?
This looks particularly shady for NEWAG. It’d be keen if the EU implements right-to-repair regulations in response to someone trying to DRM train engines.
Re:
Sure, it’s a good idea, but it’s also a little bit stupid. Cars, farm equipment, home appliances, consumer electronics—right-to-repair is helpful there, because the general public are not considered “sophisticated” buyers; they don’t know how to shop for “good” products, and they don’t learn how screwed they are until years later.
Trains, though, are basically only bought by groups who ought to know better. Often governments. They don’t need to wait for legislators; they can add right-to-repair and “no backdoor” conditions directly into their calls for tenders.
Re: Re:
Your estimation of the sophistication of buyers for this equipment is wildly out of sync with reality. It’s entirely probable that nobody with controls experience was consulted at all during the procurement process.
Further, I’d like to point out that governments are the ones that require a law for reverse engineering the most. Access to code is always an additional cost, and well documented and supported code is expensive. But it’s not something you need during the warranty or service period, so it’s the first thing on the chopping block when the public comes with its axe. And it always does. So in effect, if there isn’t a law or regulation requiring something in a public work bid, your government isn’t going to require it... no matter if it’s best practice or not.
Re: Re: Re:
It was a statement that they should know better, not that they would.
This statement basically comes down to “we need to protect the government from itself, because the government is likely to be a little bit stupid otherwise”. And I agree with basically everything you wrote.
Re: Re: Re:2
No, I’m saying we need to protect our governments from the people.
Re: Re: Re:3
I always suspected there was some MAGAtry somewhere deep within you. Thanks for confirming it.
Re: Re: Re:4
MAGA are specifically the people I want to protect against.
And this is why all legal systems are a joke, and most lawmakers and judges would be better off gone.
That they all took the corporate pill to turn “but software” into a legal law of the universe is a joke. I’m surprised tire companies haven’t added software to tire valves, turning fixing a flat tire into a crime.
Re:
Well, there is software in the tire valves already. We just need the “crime”.
Now imagine if malware makers attacked security researchers. Oh wait, NEWANG is a malware maker.
Yes, I intentionally call them NE-WANG, after them putting a literal RANSOMWARE on public transit vehicles.
Sony could’ve done this to Mark Russinovich for exposing their DRM rootkit. Sue him for exposing their garbage and intrusive DRM.