Train manufacturer Newag is suspected of programming failures into its trains

Service station engineers turned to hackers for help in solving the problem.

In Poland, an unusual problem was encountered: a train made by the local company Newag suddenly stopped working during maintenance. The experts were confused – the train was fine, but its engine wouldn't start. In desperation, the experts turned to the Dragon Sector hackers, who found something that the engineers did not even know about.

The story begins in the spring of 2022, when the first of Newag's eleven Impuls 45WE trains operated by the Polish railway carrier Koleje Dolnośląskie (KD) came out of service for maintenance. The maintenance was performed by Serwis Pojazdów Szynowych (SPS), which had won the tender for servicing the trains once they passed 1,000,000 kilometers. However, after reassembly, the train would not start, and no one could understand why.

The situation worsened when other trains began to fail after maintenance. Soon after the issue was reported in the media, the Dragon Sector team, known for its success in CTF (Capture The Flag) competitions, was called in. Team members Michal Kowalczyk and Sergiusz Bazanski, known for their hacking skills, and Kuba Stepnevich, a specialist in industrial automation, set about solving the problem.

[Image: Troubleshooting process]

The team found that the train computers were based on the TriCore architecture, which is common in the automotive industry but for which good disassemblers are scarce. After many hours of analysis and reverse engineering, it turned out that GPS coordinates pointing to the maintenance locations of Newag's competitors were stored in the code. The computer disabled the ability to start the train if it spent at least 10 days in one of the specified service stations.

[Image: GPS coordinates of permitted and prohibited service stations]

The team also found a device labeled "UDP<->CAN converter", which apparently allowed remote interaction with the train. Removing the device did not cause any failures. The analysis showed that the on-board computer sent information about the blocking status to the device, and the device itself was connected to a GSM modem. This discovery raised even more questions about the manufacturer's safety and ethics.

The news that the SPS maintenance center managed to repair the "broken" Newag trains quickly reached the media and other companies. As a result, the software of 29 Impuls trains across the country was analyzed, and in all but 5, surprises were found that went beyond the official operating instructions.

Such surprises included blocking the train when one of its components was replaced (confirmed by a serial number). It was also discovered that the lock can be removed using the appropriate sequence of button presses in the cabin and on the on-board computer screen. Another train was found to have code telling it to "break down" after traveling 1 million kilometers. Each problem was solved using a specially designed tool that removes software locks from the on-board computer.

The situation aroused considerable public interest and attracted the attention of law enforcement agencies. Although legal proceedings are already underway, it is not yet known whether any actions will be taken by the relevant authorities.

A representative of the Office of Rail Transport (UTK) is aware of the situation, has checked the information about the software analysis carried out, and is cooperating with the relevant services on this issue. Together with CERT Polska (CERT PL), a meeting with the train manufacturer was organized. It is noteworthy that the vehicles comply with the main requirements of the European directives.
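
The lock condition described above (at least 10 days spent in a listed service-station area) can be checked against a train's own position history when an operator investigates an unexplained refusal to start. This is an added example, not code from the original post or from the Dragon Sector team; the rectangular fence, its coordinates, the CSV log format, the continuous-stay interpretation and all names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed fence (lat_min, lat_max, lon_min, lon_max); not a real location.
GEOFENCES = {"workshop-A": (50.000, 50.010, 19.000, 19.020)}
DWELL_LIMIT = timedelta(days=10)  # threshold stated in the article

# Constructed position log: ISO timestamp, latitude, longitude.
SAMPLE_LOG = [
    "2022-03-01T08:00:00,50.100,19.100",  # outside any fence
    "2022-03-02T08:00:00,50.005,19.010",  # enters workshop-A
    "2022-03-07T08:00:00,50.005,19.010",
    "2022-03-13T09:00:00,50.005,19.010",  # 11 days 1 hour after entry
    "2022-03-14T08:00:00,50.100,19.100",  # leaves
    "2022-03-20T08:00:00,50.005,19.010",  # short return visit
    "2022-03-22T08:00:00,50.005,19.010",
]

def parse_fix(line):
    ts, lat, lon = line.split(",")
    return datetime.fromisoformat(ts), float(lat), float(lon)

def in_fence(lat, lon, box):
    lat_min, lat_max, lon_min, lon_max = box
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max

def dwell_findings(lines, fences=GEOFENCES, limit=DWELL_LIMIT):
    """Return (fence, entered, last_seen, duration) for each continuous stay >= limit."""
    findings, current = [], {}  # current: fence -> (entered, last_seen)

    def close(name):
        entered, last = current.pop(name)
        if last - entered >= limit:
            findings.append((name, entered, last, last - entered))

    for ts, lat, lon in sorted(map(parse_fix, lines)):
        for name, box in fences.items():
            if in_fence(lat, lon, box):
                entered, _ = current.get(name, (ts, ts))
                current[name] = (entered, ts)
            elif name in current:
                close(name)  # the train left the fence: evaluate the finished stay
    for name in list(current):
        close(name)  # stays still open when the log ends
    return findings

if __name__ == "__main__":
    for name, entered, last, duration in dwell_findings(SAMPLE_LOG):
        print(f"{name}: {entered} -> {last} ({duration}) meets the {DWELL_LIMIT.days}-day limit")
```

Stays that line up with the date a train first refused to start are the ones worth comparing against the maintenance record.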
 