A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors.
Newag, a Polish train maker, flatly denied that it installed such software in a statement [PDF, Polish] issued Wednesday, attributing any issues to outside hackers.
The rolling stock and engineering business insists its software is genuine and that it did not design the trains' programming logic to fail under specific conditions, as has been claimed. "This is a slander from our competition, which is conducting an illegal black PR campaign against us," it protested.
Jakub Stępniewicz, Sergiusz Bazański and Michał Kowalczyk – members of Dragon Sector, a Polish security hacking team who go by the names q3k, mrtick, and redford respectively – were hired in May 2022 by Serwis Pojazdów Szynowych (SPS), an independent train maintenance firm, to look into problems with Newag Impuls 45WE trains.
SPS bid for and won a contract to maintain the trains, beating Newag, according to Polish industry publication Rynek Kolejowy.
SPS then encountered difficulties using the rolling stock following a software lockout. According to Bazański (q3k), the trains locked up for no apparent reason after being serviced in third-party workshops. He wrote in a thread on Mastodon that the manufacturer, Newag, argued that these third-party repair shops were at fault and that the manufacturer should be servicing its own trains.
The security researchers reverse engineered the train's electronics and, in August 2022, found the train-stopping faults appeared to be not a bug – but a feature.
"We found that the PLC [programmable logic controller] code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time," Bazański wrote. "One version of the controller actually contained GPS coordinates to confine the behavior to third-party workshops."
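The three trigger types Bazański describes (a calendar cutoff, an idle-time threshold and a GPS geofence) are all conditions that depend on nothing mechanical, which is exactly what makes them detectable by black-box testing. The following is an added example, not code from the researchers or from Newag: it models a controller with those three hypothetical triggers behind a single `controller_decision` function, then isolates each trigger by sweeping one input dimension while holding the others benign. Every constant (the cutoff date, the 21-day idle limit, the fence centre and radius, the error code `E-0999`) is a constructed placeholder, not a value recovered from any real train.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import hypot

# Constructed, hypothetical trigger parameters. None of these are the values
# found in the Newag trains; they exist only so the audit below has something to find.
CUTOFF_DATE = date(2023, 1, 1)        # lock after this date
MAX_IDLE_DAYS = 21                    # lock if the train has not run for this long
GEOFENCE = [((52.2, 21.0), 0.05)]     # ((lat, lon) centre, radius in degrees): stand-in workshop area
BOGUS_ERROR = "E-0999"                # fabricated placeholder error code


@dataclass(frozen=True)
class TrainState:
    today: date
    last_run: date
    lat: float
    lon: float


def inside_geofence(lat: float, lon: float) -> bool:
    return any(hypot(lat - clat, lon - clon) <= r for (clat, clon), r in GEOFENCE)


def controller_decision(st: TrainState):
    """Hypothetical model of the lockout logic the researchers described.
    Returns an error code when a hidden condition trips, otherwise None."""
    if st.today > CUTOFF_DATE:
        return BOGUS_ERROR
    if (st.today - st.last_run).days >= MAX_IDLE_DAYS:
        return BOGUS_ERROR
    if inside_geofence(st.lat, st.lon):
        return BOGUS_ERROR
    return None


# Baseline inputs under which a legitimate controller should never lock:
# a mid-2022 date, a train that ran today, and a position far from any fence.
BENIGN = {"today": date(2022, 6, 1), "idle": 0, "lat": 50.0, "lon": 19.0}


def state(**overrides) -> TrainState:
    """Build a TrainState from the benign baseline with one or more fields overridden."""
    p = {**BENIGN, **overrides}
    return TrainState(today=p["today"],
                      last_run=p["today"] - timedelta(days=p["idle"]),
                      lat=p["lat"], lon=p["lon"])


def first_locking_date(decision, start: date, end: date):
    """Sweep the calendar day by day with everything else benign; return the
    first day on which the controller locks, or None if it never does."""
    d = start
    while d <= end:
        if decision(state(today=d)) is not None:
            return d
        d += timedelta(days=1)
    return None


def smallest_locking_idle(decision, max_days: int = 365):
    """Increase the idle period with everything else benign; return the
    smallest number of idle days that triggers a lockout, or None."""
    for n in range(max_days + 1):
        if decision(state(idle=n)) is not None:
            return n
    return None


def locking_positions(decision, positions):
    """Probe candidate positions with everything else benign; return those
    at which the controller locks."""
    return [p for p in positions if decision(state(lat=p[0], lon=p[1])) is not None]


if __name__ == "__main__":
    print("date trigger:", first_locking_date(controller_decision, date(2022, 1, 1), date(2023, 12, 31)))
    print("idle trigger:", smallest_locking_idle(controller_decision))
    print("geofence hits:", locking_positions(controller_decision,
                                              [(52.2, 21.0), (52.21, 21.01), (50.0, 19.0)]))
```

The point of sweeping one dimension at a time is that a lockout which appears only when the date, the idle counter or the position changes, while every mechanical input stays constant, cannot be a genuine safety interlock. On real hardware the `decision` callable would be replaced by a harness that feeds the PLC simulated clock, odometer and GPS inputs and reads back its fault register.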
They also claimed to have found an undocumented key combination in the cabin controls that would unlock the trains. On Tuesday, the researchers discussed their findings at the Oh My H@ck conference in Warsaw, Poland.
The recent talk was documented by infosec writer BadCyber, to whose account the hacking trio referred The Register. They are also preparing a more detailed presentation they intend to deliver at the 37th Chaos Communication Congress in Hamburg, Germany, at the end of the month.
CERT Poland confirmed to The Register that the team had reported their findings and that the cyber security agency had alerted the relevant authorities. That was more than a year ago, and The Register understands that the ongoing lack of action is partly what motivated the researchers to go public with their findings.
Janusz Cieszyński, Poland's former minister of digital affairs, has since explained on social media that the president of Newag contacted him to say that the firm had been victimized by cyber criminals. Cieszyński added that the assessment he saw suggested otherwise. ®