Polish train maker denies claims its software bricked rolling stock maintained by competitor

A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors. Newag, a Polish train maker, emphatically denied that it installed such software in a statement [PDF, Polish] issued Wednesday, attributing any issues to …

  1. An_Old_Dog Silver badge

    John Deere-ism Goes International

    John Deere-ism (noun): using hardware and/or software to lock out competing parts or service providers.

    1. Francis Boyle

      or in this case

      Deerailment.

      1. Someone Else Silver badge
        Happy

        Re: or in this case

        Ooooh, nice!

        1. Tom Paine

          Re: or in this case

          Don't encourage him, he'll only do it again.

          1. The Dogs Meevonks Silver badge
            Trollface

            Re: or in this case

            Unless you make him lose his train of thought and he goes off the rails.

            1. FIA Silver badge

              Re: or in this case

              Wooo! I thought the puns had been sidelined! But I've taken stock, and it seems like they're still rolling in, just a bit late.

              1. Ken Moorhouse Silver badge

                Re: Wooo!

                Don't you mean Chugga-chugga-whoo-whoo?

                I've upvoted you so you can feel chuffed.

                thereg will have to increase its mail storage if we have this debate:-

                https://6abc.com/chugga-choo-train-debate-reddit/5210454/

                1. The Oncoming Scorn Silver badge
                  Coat

                  Re: Wooo!

                  That takes some ballast to leave sleeper code & these puns are points* less.

      2. cyberdemon Silver badge
        Facepalm

        Re: or in this case

        Oh Deere oh Deere..

      3. sanmigueelbeer

        Re: or in this case

        How to drop a Deere in its tracks.

    2. Anonymous Coward

      Re: John Deere-ism Goes International

      Cough, cough, Apple

      1. Jon 37

        Re: John Deere-ism Goes International

        You buy an Apple, you know what you're getting. And Android is an alternative.

        (I mean, I agree that you should be able to service it. I think what Apple do is wrong. But it shouldn't be unexpected, and you have alternatives to show you don't like it).

        A farmer buys a tractor, or a train operator buys a train, they expect to be able to service it.

        1. Anonymous Coward

          Re: John Deere-ism Goes International

          A farmer buys a tractor, or a train operator buys a train, they expect to be able to service it where the manufacturer says they are allowed. Nothing new under the sun, really.

          1. jgarbo
            Facepalm

            Re: John Deere-ism Goes International

            Right. Read the fine print. Don't like it; don't buy it. Finish. "Oh, I thought my Ferrari could go off-road too, it's so expensive..." No, Kevin, that needs a Jeep.

            1. An_Old_Dog Silver badge
              Flame

              Collusion [was: John Deere-ism Goes International]

              @jgarbo: Read the fine print. Don't like it; don't buy it. That statement presumes the potential buyer has effective alternative choices. Right now, in some, possibly many, countries, a potential buyer has no effective alternative. Down in the U.S., home of John Deere, the market is carved up by the farm equipment companies into exclusive territories [which is illegal collusion]. John Deere, Case, International Harvester [the former two now merged into "Case IH"], New Holland, Allis-Chalmers [out-of-business?], Caterpillar, and Massey Ferguson each had/have their agreed-upon turfs.

              Just try to get a repair tech from Company A over into territory of Company B: you'll be waiting a very long time, be charged incredibly stiff fees, and while you are waiting, your crops will be rotting in the fields.

              This all is a non-issue to agri-business; they pay the jacked-up John Deere [or whomever's] repair and parts fees, and pass that on to their own customers. The small farmer doesn't have the economic power to do that.

            2. The Dogs Meevonks Silver badge

              Re: John Deere-ism Goes International

              This assumes that the buyer is entirely aware that the fine print doesn't contain full explanations of hidden software/hardware lockouts and what they will do.

          2. CoolKoon

            Re: John Deere-ism Goes International

            Let's just say that that's most definitely NOT the way things work with trains and other big, state-operated machinery and equipment. In fact it's quite possible that Newag management might face criminal prosecution after all of this.

        2. FIA Silver badge

          Re: John Deere-ism Goes International

          You buy an Apple, you know what you're getting.

          You're getting a device they make hard to repair, but not a device that they will arbitrarily brick if you take it to another repair shop.

          This would be like Apple using the GPS in the phone to brick a phone if it's spent time in a non-Apple repair shop.

          1. Muscleguy

            Re: John Deere-ism Goes International

            Also Apple gear, at least the older stuff lasts a long time. Typing this on a 2016 MacBook pro using an iPod touch with a screen smut (which still works despite) as a music player.

  2. gotes

    It's a politically motivated witch hunt!

    Paraphrasing Newag's statement.

    1. Someone Else Silver badge

      Re: It's a politically motivated witch hunt!

      I didn't know tRump was a member of Newag's board.

      Although, given their behavior and public statements, one shouldn't be surprised...

  3. EricM
    Facepalm

    Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

    Yes, sounds completely plausible....

    1. Cris E

      Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

      As paragons of administrative integrity and most forms of rule-following, hackers *hate* third party support! Everyone should know this.

    2. low_resolution_foxxes

      Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

      It's a fucking hilarious excuse really

      It makes me reconsider every time I hear a CEO mention cyber criminals and hacking.

      "Hackers cracked our software and updated it so that it only stops working if the customer gets their maintenance tasks performed in our commercial rivals' garage".

      Hackers can be a strange breed, but hacking a PLC to provide such a specific feature, that also happens to have a direct and major commercial benefit to the OEM?

      Oh please!

      1. Lon24

        Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

        True. But if you were the errant CEO caught on cctv with his knickers down - what better excuse could you invent? I'm struggling to find a better one ... as I'm sure their PR/creative team did until the dog ate it.

        1. I am the liquor

          Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

          The alternatives would be "honest mistake, accidentally pressed 'release to production' instead of 'delete' on experimental code written purely for research purposes"; or throw a "rogue engineer" under the bus with the "a few bad apples" excuse. Though the latter didn't go so well for VW.

          1. Anonymous Coward

            Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

            Though the latter didn't go so well for VW.

            That was mainly in the states where they are a foreign company. An action in Germany/Europe was likely forced upon them by the publicity - I doubt we'd have heard about it if it was limited to home soil.

            Depending on the size of the manufacturer in its home country of Poland there may be a little more forgiveness. An executive will probably have to take a golden parachute though.

          2. CoolKoon

            Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

            Unfortunately (for them, that is) the way this is blowing up means that the first option is out of the question as well.

        2. ske1fr
          Trollface

          Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

          I'm sorry, I read that as PRo/Creative. It was the knickers down.

      2. Anonymous Coward

        Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

        Plot twist- the hackers were hired by the CEO.....

    3. Tom Paine

      Re: Hackers entering GPS coordinates of OEM repair shops to prevent trains from failing?

      ...also inserting an undocumented control combo that, when held down, resets the whole system. Gosh, those pesky hoodie-wearing kids, what WILL they get up to next? Perhaps they'll add code to brick the whole train once the next model comes out.

  4. Andre Carneiro

    It’s astounding that they would do it in the first place but did they seriously think nobody was going to take a really good look at the code once trains started failing for no good reason?

    1. Andy The Hat Silver badge
      Coat

      Perhaps but nobody would understand it if it was written in reverse polish ...

      1. KittenHuffer Silver badge
        Coat

        In reverse Polish if it was written, understand nobody would!

        FTFY!

        -------------> The one worn backwards mine is!

        1. Blazde Silver badge
          Happy

          Oh you're Krakówing me up

          1. bemusedHorseman
            Facepalm

            Oj pierdolemy nie...

        2. An_Old_Dog Silver badge
          Happy

          Old HP T-Shirt

          [Enter] > [=]

          This from the Great Calculator Wars of the 1970s~1980s. Somewhere in my lost printouts I have Pascal code I wrote, implementing prefix-, infix-, and postfix parsers.

      2. Anonymous Coward

        They'd certainly have to double czech.

        1. David 132 Silver badge

          OK, who else Warsaw that one coming?

      3. Antron Argaiv Silver badge
        WTF?

        I'll just point out that the Poles were the first to crack the German Enigma.

        Well done, guys. Someone has some 'splainin' to do...

        1. jgarbo
          Boffin

          Correction. Not the whole nation, as you imply, but one woman, Marian Rejewski.

          1. claimed Silver badge

            Are you sure Marian was a woman? Always love to dig out these unsung females to share with my niece, but in this case Wikipedia appears to refer to Marian as a man.

          2. Anonymous Coward

            Oh mate, it really helps your credibility as a troll/shill if you know what you're talking about, Rejewski was a man.

      4. jgarbo

        Wouldn't help. They're still Poles, you know...

    2. Lurko

      "It’s astounding that they would do it in the first place but did they seriously think nobody was going to take a really good look at the code once trains started failing for no good reason?"

      In a word, yes. That's exactly what they thought. And the apparent lack of action by Polish authorities suggests that a few brown bags have changed hands as well.

      Don't overlook the fact that the expertise to examine code at this level isn't normally available to the businesses that make and service big heavy hardware like trains, and the normal thinking would be "gawd, it's gone wrong agaaaain! That's the fiftieth time with some random error code. It'll be something deep in the electronics or wiring, we'll never find it. Let's send it back to the makers and pay them to fix it".

      1. Kristian Walsh Silver badge

        I wouldn’t be surprised if the impetus to employ the security researchers was a story from someone who had worked in Newag and had heard rumours of such a kill-switch. Railway vehicle servicing is not a big field, and people move between companies.

        I didn’t check, but I had a sinking feeling that a diligent searcher would find numerous links between executives at Newag and key figures in PiS (the political party that until the recent election had a stranglehold on power in Poland). PiS is an amazingly corrupt organisation, even by the standards of populist parties, and Poland is well rid of them.

      2. AVee

        "It'll be something deep in the electronics or wiring, we'll never find it. Let's send it back to the makers and pay them to fix it".

        According to the story that nearly happened...

        1. Anonymous Coward

          Let's order new trains from the same people and hope they work better than these ones...

      3. Antipode77

        Now that the new Polish government has thrown out the old Polish government we will see some action on resolving this issue.

        Must have been some corruption going on.

    3. Yorick Hunt Silver badge

      The timed expiry or "time bomb" is (or at least was) a common trick employed by programmers who suspected they'd be shown the door as soon as a project's finished - the company would have to call the programmer back months/years after the fact to fix things, of course at painful "consulting" rates.

      1. elsergiovolador Silver badge

        There was no need for that since Java was invented. Just create enough layers of abstraction so that any replacement developer gets lost after going 7 levels deep.

        1. AdamWill

          But then *you* have to remember how the monstrosity you created works, too...

          1. Someone Else Silver badge

            That's why you save the commented version on "removable storage" that is ... removed ... before the end of the project. The uncommented version is checked in.

          2. Anonymous Coward

            There’s a factory for that ….

        2. Tom Paine

          Seven, you say?

          _Seven?!_

          *hysterical mad laughter*

          https://twitter.com/DominoTree/status/1732794464027242618

    4. martinusher Silver badge

      >did they seriously think nobody was going to take a really good look at the code once trains started failing for no good reason?

      Yes, because under the DMCA what those researchers did was illegal. "Oh", you'd say, "but isn't that an American law?". Yes, well, sort of -- there's a tendency for American laws to be applied globally, so if this isn't subject to that or a similar law then it's a product management screwup. Maybe they thought that the T&Cs that came with the product would prohibit reverse engineering and that would be enough to at least shift the blame.

      It's a bit bold-faced to do this sort of thing to a train. Those things are large, expensive and generally the sort of product that would attract attention when it failed for no apparent reason. But it begs the question as to why this sort of thing isn't illegal -- and also just how many other products are deliberately hobbled like this. (Anyone remember Microsoft and CP/M-86?)

      1. arctic_haze

        The EU is going to ban such shenanigans for the most known example, namely printers:

        https://ecostandard.org/news_events/after-much-ink-spilt-the-eu-is-about-to-crack-down-on-made-to-break-printers/

        But it is obvious that we need a general solution.

        1. cyberdemon Silver badge

      2. renke

        EU and US law are distinct and different, it is highly unlikely that a Polish company felt safe just because a law on the other side of the pond forbids decompiling* (not even sure if this is actually the case, I think the DMCA is not quite as broad). If I had to guess it was hubris and arrogance leading to the inclusion of the additional code blocking competitors, similar to VW and Dieselgate (similar, not identical. Newag wanted to hinder others repairing the trains, VW wanted to minimize the cost for emission control).

        *) for SPS and the Polish hackers directive 2009/24/EC article 5 seems to be relevant, combined with this EU court judgement saying that yes, decompiling IS legal for finding and fixing bugs. One could discuss "lawful acquirer" but imo the chain is fine: the rail service provider bought the trains (surely with the right to use the on-board software) and subcontracting the maintenance (where the subcontractor also has to use the software embedded in the train) cannot be forbidden, I think.

        1. Anonymous Coward

          It was that Jan, the rogue engineer who used to work for VW, Valujet ...

      3. gnasher729 Silver badge

        This isn’t covered by DMCA at all. Just like Lexmark wasn’t protected by DMCA. They are not copying anything that is protected by copyright.

        1. trindflo Silver badge

          DMCA

          I could see why you would think something with "Copyright Act" in the title would only apply to violating copyrights, but the law made it an offense to reverse-engineer anything at all. One programmer was arrested at a US airport for writing a program that could "crack" ROT13 that was used in an application as security. Ah yes, here it is: Adobe and Sklyarov

          1. hayzoos

            Re: DMCA

            It is also because of DMCA that carrier unlocking a smartphone required an exception granted by the Library of Congress.

            There were a number of technological "protections" which are considered for exceptions that are NOT providing protections to a copyrighted work.

      4. CoolKoon

        "there's a tendency for American laws to be applied globally" - While that's true, not even the disgustingly anti-competitive DMCA forbids reverse engineering in cases like this.

        "But it begs the question as to why this sort of thing isn't illegal" - It kinda is. The managers who ordered this ugliness might be charged with the felony of disrupting state infrastructure, which carries a light jail time in many parts of Europe, probably Poland too.

        "Anyone remember Microsoft and CP/M-86?" - While I do hate all the shenanigans of Micro$oft it's still a private corporation and it didn't disable any government resources with their petty tricks. Which can't be said about this thing.

    5. david1024

      Malicious Compliance?

      Dunno, Europe was the place where the diesel engine emissions hacks came from too. (Or were at least the first ones caught).

      Maybe the corp officers just aren't as smart as they think they are and the coders are just letting nature take its course.

    6. Anonymous Coward

      Given the IT knowledge of most execs they likely thought the ruse would never be discovered. Just because you can't read it doesn't mean someone else can't.

    7. Antipode77

      After all buying a new train isn't exactly cheap.

  5. John Sager

    A good write-up

    This has appeared on Hacker News.

    1. Someone Else Silver badge
      Thumb Up

      @ John Sager -- Re: A good write-up

      Thank you for the link. Great write-up!

  6. Ken Moorhouse Silver badge

    Disappointed

    Not a single mention of buffer overflows.

    Commentards: you should be ashamed of yourselves for such a lapse.

    1. Blue Pumpkin

      Re: Disappointed

      Not even Ruby on Rails …

    2. David 132 Silver badge

      Re: Disappointed

      Clearly we're all a bunch of sleepers with one track minds.

      1. Tim99 Silver badge

        Re: Disappointed

        Unless this is stopped it will become a permanent way of doing business.

    3. Tom Paine

      Re: Disappointed

      This comment has been delayed due to a shortage of drivers. We apologist for the inconvenience.

  7. Julz

    After

    Reading the BadCyber article, this would appear to be rather more serious than 'just' not allowing third party maintenance. The trains would seem to have been sabotaged knowingly by the manufacturer. Surely this is a criminal matter.

  8. Anonymous Coward

    If you expect products to last, then products should come with warranties that you can use.

    When purchasing items, require them to come with* a warranty** for an extended period of time, and be prepared for them to only work that long.

    *If you have to purchase it separately it means the manufacturer doesn't fully trust it.

    **Be sure to know how to use it too.

    1. hayzoos

      Re: If you expect products to last, then products should come with warranties that you can use.

      Well built products do not need warranties. I have a clothes dryer built long ago, before the internet. Parts to repair it are still available. I have replaced... motor, heating elements (twice), rear drum bearing (thrice), front drum glides, drive belt (twice), lint catching screen. It still does its job. It has no electronics. It does not spy.

      I have other products in similar states. If they had warranties, they long expired. I have replaced newer poorly designed appliances that failed with older used ones which can be repaired.

      1. Tom Paine

        Re: If you expect products to last, then products should come with warranties that you can use.

        Where'd you get the parts for something that old?!

      2. cosymart
        Big Brother

        Re: If you expect products to last, then products should come with warranties that you can use.

        Google "Triggers Broom" :-)

        1. John H Woods

          Re: If you expect products to last, then products should come with warranties that you can use.

          or what it's based on - "Ship of Theseus"

      3. legless82

        Re: If you expect products to last, then products should come with warranties that you can use.

        The irony here is that for what it costs in electricity to run, you could probably buy a brand new heat pump-based dryer every 18 months.

      4. Mike007 Bronze badge
        Coat

        Re: If you expect products to last, then products should come with warranties that you can use.

        Just need to replace the frame and the outer panels and you'll have yourself a philosophy puzzle.

  9. Tom Paine

    Bleep -- bleep THIS VEHICLE IS REVERSING -- bleep -- bleep

    Airbrakes go TSHSHSHshshsh.

    Cab door opens. Driver emerges with docket.

    "Hi, got a 40 ton load of salt here, can you sign for it please?"

    1. Lord Elpuss Silver badge

      Re: Bleep -- bleep THIS VEHICLE IS REVERSING -- bleep -- bleep

      What?

      1. CoolKoon

        Re: Bleep -- bleep THIS VEHICLE IS REVERSING -- bleep -- bleep

        I think it was a reference to Newag management being salty over their tricks being discovered. But I think that they actually are scared shitless, because this is something that can land them in jail.

  10. Anonymous Coward

    How long before the whistleblowers get punished?

    Shooting the messenger is generally the way these things work due to the vested interests of corporations or the State.

    :/

    1. CoolKoon

      Re: How long before the whistleblowers get punished?

      While that's true, this has blown up so big already (it made international news after all) that in no way would they make it even worse by attempting to punish the hackers, especially now that the previous quasi-Nazi government of Poland has been replaced by its former opposition.

  11. CoolKoon

    This will go with a bang

    If the evidence stands in court, then Newag, who did this, will be in a sea of pain, and those who ordered this might even face criminal prosecution. And no letters/press releases about imaginary hackers will help them. If this happened in the US it'd be an average Tuesday instead; corporations are almost untouchable there.
