Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Newag admits: Dragon Sector hackers did not modify software in Impuls trains

This piece has been written for and originally published in Polish by OKO.press.

When attributing, please attribute to: "Michał 'rysiek' Woźniak, Fundacja Ośrodek Kontroli Obywatelskiej „OKO”", and include a link to the original piece on OKO.press website.

Wednesday, August 28th, marked the beginning of the copyright infringement lawsuit filed by the Polish train manufacturer Newag against train maintenance yard Serwis Pojazdów Szynowych and experts from the Dragon Sector group, who revealed weird software locks in Impuls-series trains. The company demands almost six million Polish złotys (about 1.4 million EUR) in compensation. Surprisingly, it also admits that the hackers did not modify software in on-board controllers.

In late 2023 Onet and Zaufana Trzecia Strona wrote about Impuls multiple-unit trains that were rendered inoperable. I wrote about this for OKO.press in December that year. For years Newag-manufactured trains experienced suspicious breakdowns, becoming inoperable often after maintenance performed by third-party maintenance yards like Serwis Pojazdów Szynowych (SPS).

SPS had employed hackers, embedded systems experts, to analyze the software installed on on-board controllers. Their analysis indicates intentionally implemented software blockades, locking the trains up under specific conditions. These conditions seem to have been selected such that the trains would lock up after going through maintenance in independent maintenance yards.

These conclusions were deemed trustworthy by the Polish Computer Emergency Response Team.

The hackers were able to unlock the affected trains. They also provided explanations on how they managed to do that, and why Impuls-series trains were locking up in the first place.

Newag’s denial

Newag strongly denies implementing the locking functions.

The company does not, however, offer any convincing explanation of how the locking functionality found its way into Impuls-series trains, used by several different train companies all around Poland – and why only these trains seem to be affected. “We have 23 different vehicle types and we have only experienced this with these particular trains” – said Piotr Wakuła, director of operations and technical bureau at Koleje Mazowieckie train company, while speaking at a parliamentary meeting in February this year.

Newag also refuses to answer how exactly its technicians were able to unlock the locked-up trains. I asked the company’s spokesperson and received a non-answer: “Our actions amounted to restoring integrity of these systems (diagnostics, verification, and validation).” I asked for a more detailed explanation but received no response.

The “diagnostics, verification, and validation” phrase was also frequently used by Newag representatives during parliamentary committee meetings on the subject; it satisfied neither the train companies nor members of the Parliament.

Instead of providing clear explanations, the company sued Dragon Sector hackers and SPS maintenance yard over alleged copyright infringement. Newag also demanded that the Internal Security Agency (ABW) “puts under special surveillance” everyone who attended the Oh My Hack! conference, where members of Dragon Sector had presented a talk on their findings.

How did the locking code get into the software?

A few months ago I asked Newag how the locking code, described in Dragon Sector experts’ analysis, got into the software installed on Impuls train controllers. In his response the company’s spokesperson, Łukasz Mikołajczyk, questioned whether this code even existed:

“We do not have any knowledge about the locking code, as reported in the media, ever existing. (…) We can only stress one more time that in the source code we have such functionality does not exist.” – I read in his response, dated April 4th.

Just a few paragraphs later in the same document Newag’s spokesperson unsubtly implies that the locking code might have been added to the software in Impuls trains by Dragon Sector experts themselves:

There is a theory according to which SPS Mieczkowski decided to deal with the difficulty of not having access to technical specification by some other means and hired hackers so that maintenance operations can be finished without buying a license from NEWAG.

If that were the case it would mean that the hackers broke into Impuls trains’ software even though they did not have access to the source code, and not knowing the system well enough they introduced software changes that caused the trains to “go crazy”.

I have asked repeatedly whose theory this is and whether, according to Newag, specialists from Dragon Sector implemented the locking functionality in software. I have not received a response to this day. But Newag did publish similar claims in their statement of December 2023:

According to our assessment the truth might be completely different – that is, for example, that our competitors tampered with the software. We have notified law enforcement about this. This is not the first time we notify law enforcement that our software is modified without our authorization.

And yet Newag’s copyright infringement suit states that:

No modified Software was installed as part of actions undertaken [by experts from Dragon Sector]

Why the sudden change of heart?

The C‑13/20 decision

From the very start of the whole Impuls-series trains affair their manufacturer has insisted that Dragon Sector experts infringed upon the company’s copyrights related to the software installed on the trains’ controllers. They had to copy the software off of the controllers’ non-volatile memory and then decompile it for analysis, for which neither they nor the SPS maintenance yard had a license from Newag.

Copyright law does however allow reverse engineering of software in specific situations. This has been confirmed by the C-13/20 decision issued by the Court of Justice of the European Union in the Top System case. That case also involved alleged copyright infringement related to decompiling of software in order to fix errors.

The Court decided that:

…the lawful purchaser of a computer program is entitled to decompile all or part of that program in order to correct errors affecting its operation, including where the correction consists in disabling a function that is affecting the proper operation of the application of which that program forms a part.

And that in such a case getting a license for that from the software vendor is not required.

By admitting that Dragon Sector specialists did not modify the software installed on Impuls-series trains Newag is trying to claim that they have not “corrected errors” in that software, and thus the C-13/20 decision is not relevant to the case.

“DS [Dragon Sector] established that the cause of 45WE Impuls Vehicles locking up allegedly was a parameter held in the memory of the Selectron Controller. After modifying its value it was possible to unlock 45WE Impuls Vehicles. This is not a repair, as no error was identified” – the suit reads.

“Neither DS nor SPS performed any ‘repair’ of NEWAG IP Software”

“Neither DS nor SPS indicated any errors in NEWAG IP Software.”

Since the software was not “repaired”, it follows – according to Newag – that “decompiling of the software was not necessary to unlock 45WE Impuls Vehicles.” And since it was not necessary, the actions performed to unlock the trains did not meet the criteria set in the C-13/20 decision, and thus constituted infringement of software vendor’s copyright.

Different kinds of memory

At the same time Newag keeps repeating that specialists hired by SPS “tampered with the control system”, suggesting that this might be somehow dangerous. How does that square with claims that they did not modify the software installed in the trains’ controllers?

Controller units used in Impuls-series trains have three types of memory:

  • FLASH
    this is where the binary code of software and the operating system running on the controller is stored;
  • NVRAM
    holds the settings and other data that needs to be preserved even if power is lost;
  • RAM
    volatile memory that holds data needed by the software while it is running; the data is held there as long as the controller is powered on.

This layout is not in any way special. Memory architecture of a home WiFi router looks basically the same.

When such a device gets rebooted, data in RAM is lost, but settings in NVRAM and software in FLASH are preserved. When we change settings in the user interface, variables stored in NVRAM are modified, but no changes are made to software installed in FLASH.

In order to unlock the locked Impuls trains Dragon Sector hackers modified specific variables in NVRAM. So they did “tamper with the control system”. However, they did not make any modifications to software in FLASH, simply because that would require full recertification of the new software version before the trains were legally allowed on public tracks.

If unlocking a train required modifying the software itself – for example, when the condition that triggered the lock relied on the current date instead of values stored in NVRAM – the train was left unfixed. This was the case with 31WE-015, which locks itself up twice annually, on 21st of November and on 21st of December; it then unlocks itself on 1st of December and 1st of January.
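To make the distinction concrete, here is an added illustration (not code from the trains, from Dragon Sector or from the original article): a toy model of the three memories showing that resetting a stored parameter leaves the FLASH image digest untouched, while a date-based condition stays in force. The parameter name `lock_flag`, the class and the sample bytes are constructed for this example; the date windows follow the 31WE-015 dates given above.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Controller:
    """Toy model of the three memories; not real controller code."""
    flash: bytes                               # program image, survives reboot
    nvram: dict = field(default_factory=dict)  # stored settings, survive reboot
    ram: dict = field(default_factory=dict)    # working data, lost on reboot

    def flash_digest(self) -> str:
        # Fingerprint of the installed software only; NVRAM and RAM are excluded.
        return hashlib.sha256(self.flash).hexdigest()

    def reboot(self) -> None:
        self.ram = {}

    def is_locked(self, today: date) -> bool:
        # Condition 1: a stored parameter (hypothetical name "lock_flag").
        if self.nvram.get("lock_flag", 0):
            return True
        # Condition 2: date windows in program logic, modelled on the 31WE-015
        # dates given above (21 Nov to 1 Dec, 21 Dec to 1 Jan).
        return today.month in (11, 12) and today.day >= 21


def reset_parameter(ctrl: Controller, today: date) -> dict:
    """Clear the NVRAM parameter and report what changed and what did not."""
    before = ctrl.flash_digest()
    ctrl.nvram["lock_flag"] = 0
    ctrl.reboot()
    return {
        "flash_unchanged": ctrl.flash_digest() == before,
        "locked": ctrl.is_locked(today),
    }


def demo() -> tuple:
    image = b"constructed firmware image"  # constructed sample bytes
    a = Controller(flash=image, nvram={"lock_flag": 1}, ram={"speed": 0})
    b = Controller(flash=image, nvram={"lock_flag": 1})
    # Outside the date windows the NVRAM reset is enough; inside them it is not.
    return (reset_parameter(a, date(2022, 3, 15)),
            reset_parameter(b, date(2022, 11, 25)))


if __name__ == "__main__":
    print(demo())
```

Comparing a digest of the FLASH contents taken before and after an intervention is the kind of check that lets a third party confirm the installed software itself was not altered.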

Mental gymnastics

Newag’s line of reasoning is a case of pretty fraught mental gymnastics.

First of all, how were Dragon Sector hackers supposed to “identify errors” in software, if their analysis showed that the locking functionality in Impuls-series trains was implemented intentionally?

Secondly, this line of reasoning is based on a very narrow interpretation of the term “repair”. From the perspective of train operators the Impuls-series trains that locked up were obviously “broken”; unlocking meant that they were “repaired” – even if that repair happened not to require modifications of software installed on the controller units in these vehicles (instead relying on changing some values stored in NVRAM).

And finally, Newag claims that since there was no need to modify the software itself (as modifying values in NVRAM was sufficient), it was not necessary to decompile the software. That’s like claiming that since fixing our car required fastening one small screw it was not necessary to understand how the whole engine works. But how are we to know which screw to fasten without such understanding?

This is certainly not the only line of reasoning used by Newag in the suit against the experts and SPS – full analysis of 160 pages of it is a job for lawyers. I am only focusing here on aspects that touch on technical issues.

Unanswered questions

One important question remains unanswered though – at least by Newag. Why did Impuls-series trains lock up in the first place? Why does 31WE-015 become inoperable between November 21st and December 1st, and then again between December 21st and January 1st?

Experts from Dragon Sector provided a coherent, believable, and data-supported explanation: the software installed in controllers of these trains contains locking functionality that kicks in under specific conditions. For example in 31WE-015 these conditions have to do with the current date, and they just happen to match the dates of the planned maintenance by an independent yard, which was scheduled for November 2021.

In other cases locking conditions involved GPS location of the vehicle falling within specific areas – which again just so happened to cover the areas of independent maintenance yards.

The train manufacturer meanders and evades. On one hand, the company claims that they know nothing of any locking functionality in the software (“in the source code we have such functionality does not exist”). On the other, it implies that this functionality was implemented by Dragon Sector hackers themselves. Then it finally admits that the hackers did not modify the software on the trains (and thus could not be the ones who implemented the locking functionality in the first place).

In their “white paper” Newag states that:

When tampering with the control systems, the hackers knew they are committing copyright infringement against NEWAG group, due to warnings being displayed by the system.

I asked the company’s spokesperson about the conditions that would lead to such warnings being displayed. In response I received a statement saying that “we do not know the conditions as we are not the authors.”

So, to summarize:

  • the company’s spokesperson had no problem whatsoever with stating categorically that the source code of the software used in Impuls-series trains does not contain any locking functionality;
  • but he is not able to specify under what conditions copyright infringement warnings are displayed;
  • even though Newag itself referred to them in their statements.

Based on available information it seems that these copyright infringement warnings were displayed when the train was moving even though one of the conditions of the locking functionality was satisfied – namely, not having moved for more than 21 days.

The system that manages the displays in the engineer’s cabin is separate from controllers onto which the software that contained locking functionality was deployed. In theory the train manufacturer could have implemented the warning without having a clue about the locking functionality.

But if Newag – as the company claims – had nothing to do with that locking functionality, why should the fact that the train is not locked up even though one of the conditions for that is met be indicative of copyright infringement? And how did the condition in both of these separate systems end up being identical: 21 days of being stationary?

And finally, if the locking functionality ended up in the Impuls-series train controllers software without the knowledge and consent of the manufacturer, one would expect the company to work closely with hackers from Dragon Sector in order to uncover, as fast as possible, who installed the modified software on the vehicles’ controllers, when, and how. After all, on multiple occasions Newag has stressed how badly this whole affair reflects on the company, and how it negatively impacts its stock price.

Instead of working together to clear all of this up, the company sues the experts, demanding millions in compensation.

SLAPPing the experts?

“Based on the media description of the case it seems that we might be talking about a so-called SLAPP – a strategic lawsuit aimed at curtailing public debate.” – I am told by Krzysztof Izdebski, a lawyer working for Stefan Batory Foundation.

The way this works is that people who identify and publicize irregularities are hit with a lawsuit by an entity that had a hand in causing the irregularities, aimed at creating a chilling effect affecting the sued parties, but also anyone else who might be willing to follow their lead.

“The EU has recently adopted a directive which is supposed to offer protection from such actions” – Izdebski notes – “The preamble mentions that »as a result of such proceedings, the publication of information on a matter of public interest could be delayed or prevented altogether«”.

It is in the public interest that journalists and civil society watch this case closely and verify if it indeed is a case of SLAPP and an attempt to curtail freedom of expression and the right to truth.

During the first hearing, Newag requested that the whole trial be made non-public. The judge rejected that request.

Necessary licenses

The notorious affair with Impuls-series trains underscores one more issue: the necessity of securing sufficient licenses related to any software that is used for delivering any kind of public service (including public transport).

Today, software is a crucial element of most devices we use daily, including means of transport. It is unacceptable that vendor’s copyright makes it harder to establish a cause of a train becoming inoperable, and makes it illegal for the train operator or a contractor hired by them to fix it! It’s unfathomable that experts who made the analysis and unlocked the vehicles are now forced to deal with a lawsuit claiming they did not have a suitable software license.

From the perspective of passengers and train operators the copyright issue is completely secondary to the question of who implemented the locking functionality in the trains that carry thousands of people on a regular basis, and were purchased using public funds. And to the question of how quickly they can be unlocked and return to normal operation.

One possible solution here is to require that software that is an element of systems or devices funded by public money is released under a free software license, with its source code available. Or at the very least require that organizations that operate devices and systems funded with public money also receive full documentation, source code, and license that explicitly permits modification of that software, including by third parties contracted to do so.

Not only would that remove legal uncertainty and the threat of lawsuits in such cases, but it would also simplify security audits. And, it would allow independent third parties to develop such software further (including fixing bugs) – even if the original vendor is long out of business or simply not interested in continuous development of software for older devices.