Hacker who deactivated train manufacturer's 'only in-house repair' mechanism faces lawsuit


by Marcin Szala Pudelek

It has been revealed that three members of the hacker group that resolved the incident in which a large number of unexplained malfunctions occurred in trains built by the Polish railway vehicle manufacturer Newag have been sued by Newag on both criminal and civil grounds. The Chaos Computer Club (CCC), a hacker association that is supporting the three, is calling for donations to cover legal fees and other expenses.

CCC | They have not been trained for this
https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleist



We've not been trained for this: life after the Newag DRM disclosure - 38C3

https://events.ccc.de/congress/2024/hub/en/event/we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure/

The lawsuit is filed against q3k (Sergiusz Bazański) and other members of the hacker group 'Dragon Sector.' q3k and his colleagues investigated the series of failures of Newag-made vehicles on Polish railways that began in the spring of 2022 and discovered that Newag had embedded code in its software that disrupted the stable operation of the vehicles and forced repairs at Newag's own factory.

Record of a hacker who hacked and restored the system of a train that could not run - GIGAZINE



q3k and his colleagues presented how they broke through Newag's mechanism at the hacker event '37C3.'

Breaking 'DRM' in Polish trains - media.ccc.de

https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains



A new lecture was held at '38C3'. The lecture video is available at the following link.

Relive: We've not been trained for this: life after the Newag DRM disclosure – 38C3: Illegal Instructions Streaming

https://streaming.media.ccc.de/38c3/relive/233cb1d4-4833-5384-aeee-d99344433e0b



According to q3k and his colleagues, Newag's train software contained functions such as 'detection of a non-operating state,' 'serial number check,' 'location check,' 'operation date check,' and 'composite private key for unlocking.'



The matter was reported to the authorities, but no action was taken for some time.



Therefore, the facts were made public in December 2023.



This also led to its announcement at '37C3'.



After the group took part in various workshops following the announcement, the Polish railway operator Polregio told them that it had paid Newag 23,000 euros (approximately 3.74 million yen) per train to unlock the trains, that Newag had needed only 10 minutes to unlock each train, and that Newag had never explained to Polregio what the problem was or how the trains had been unlocked.



The authorities have reportedly raided Newag's premises, but have not yet brought a case against Newag. Meanwhile, Newag is suing Dragon Sector together with the Polish rail car service company that asked for the vehicles to be checked.

The first lawsuit was filed by Newag's IP management subsidiary for 'unfair competition and intellectual property infringement'; it demands a payment of up to 1.3 million euros (approximately 211 million yen), a public apology, and that no further action be taken regarding the Impuls vehicles. The other lawsuit was filed by Newag SA, Newag's parent company, for 'unfair competition and violation of personal rights'; it demands that the defendants refrain from speaking publicly about the case.

For this reason, the full technical report on this matter will only be made public once the litigation has been resolved.

According to the Chaos Computer Club, by the end of 2024 there had been 330 donations totaling 19,176.03 euros (approximately 3.12 million yen).

in Software,   Vehicle,   Video, Posted by logc_nt