Polish Train Manufacturer Newag Sues Hackers Who Exposed Anti-Repair Locks

Manufacturer Strikes Back With Multi-Million Dollar Lawsuits

Polish train manufacturer Newag has initiated legal proceedings against the ethical hacking group Dragon Sector and the independent repair shop Serwis Pojazdów Szynowych (SPS). The company is seeking a combined total of approximately $3 million in damages, alleging copyright infringement and unfair competition. This aggressive legal move follows the group's 2023 discovery of deliberate software mechanisms within Newag's Impuls trains that prevented third-party repairs.

The Technical Discovery

The controversy began when trains serviced by independent workshops began mysteriously immobilizing. Members of Dragon Sector were recruited to investigate the issue, uncovering a software "lockout" routine within the train's code.

The mechanism was initially designed to disable the train if it remained stationary for ten days, a parameter later updated to 21 days. Furthermore, the software utilized GPS geofencing to detect if a train was physically located near a non-authorized repair facility. In one notable glitch, a specific batch of trains would shut down while passing through the Mińsk Mazowiecki railway station due to these GPS restrictions, stranding passengers.

Monopoly on Maintenance

The investigation revealed a clear financial motive behind the digital restrictions. Reports indicate that Newag charged roughly 25,000 EUR per unlock prior to the hack being exposed. By preventing independent shops like SPS from servicing the fleet, Newag effectively sought to monopolize the annual $40 million service market for its Impuls trains.

Legal Contradictions and EU Law

Newag’s lawsuits present a contradictory narrative regarding the hackers' actions. The manufacturer claims the hackers endangered passenger safety by modifying software without authorization. Simultaneously, they argue that because the software was not actually modified, the reverse engineering was unnecessary and therefore illegal.

Legal experts suggest that European Union law generally favors reverse engineering for the purpose of interoperability and bug fixing. This stands in contrast to stricter regulations often seen in the United States, such as the Digital Millennium Copyright Act (DMCA). Despite the EU's generally pro-consumer stance regarding right-to-repair, Newag's lawsuit targets individual researchers, a move critics argue is intended to intimidate and suppress future scrutiny of corporate anti-repair practices.