They’re putting DRM in trains, now: Hired hackers Dragon Sector take to the Chaos Communication Congress stage and explain how they caught a manufacturer red-handed

You wouldn’t download a train—but you might conceivably want to repair one. Those worries have led to a massive controversy in Poland, as train manufacturer Newag has come under fire for likely adding DRM-style protection to stop its vehicles from being repaired at competitor facilities.

As laid out by Notes from Poland, the manufacturer’s trains had inexplicably come to “a standstill in several places in Poland”. Not only did they stop working after competitors attempted to repair them, one inexplicably bricked itself on November 21, 2023. More on that later.

A company named SPS Mieczkowski received fines from a rail operator when it failed to repair one of Newag’s trains. It decided to then make privateers out of pirates, hiring a collective of hackers called Dragon Sector. Speaking with Onet, one such hacker Michał Kowalczyk said: “We discovered the manufacturer’s interference in the software, which led to forced failures.”

Newag has naturally been denying the accusations, though the evidence seems damning. As reported by Gizmodo, three hackers affiliated with Dragon Sector took to the stage of the Chaos Communication Congress (a hacker convention dedicated to discussing cybersecurity, privacy, and the like) to share their findings. 

In the talk “Breaking DRMS in Polish Trains”, the team stated it was “100% sure” it was in the right, and that “it’s Newag that should be scared, not us.” 

“One of the most common in the trains we investigated is what we call ‘lack of movement’ or ‘idle timer’,” explains Jakub Stępniewicz, who goes by the alias MrTick. He explains that if a train doesn’t move at least 60km/h for at least three minutes for more than 10 days, it’ll permanently lock. However—MrTick says there were false positives, and that when the trains were stationary for servicing “it was enough to trigger the lock.”

To ‘fix’ this, the manufacturer extended the time to 21 days, then added “geofencing” to cause it to lock if it stayed in certain locations, which just so happened to be the main competitors of Newag. One of the locations was even a SPS Mieczkowski workshop—you know, the company that was fined because it couldn’t repair a Newag train? Oh no.

(Image credit: The Chaos Computer Club / Dragon Sector)

As for the mystery bricks on November 21: “We also had a very nice date check in one of the trains … the train was supposed to be serviced on the 21st of November 2021.” If you’ve been following along, you might be wondering: ‘hold on, didn’t the train break in 2023’? That’s because (as the hackers reveal) the code actually instructs the train to lock down between November 21-30 and December 21-31.

(Image credit: The Chaos Computer Club / Dragon Sector)

“This is on one train,” says Sergiusz Bazański (alias q3k). “That train is now famous, because it did indeed break on the 21st of December this year. But don’t worry, New Years? It’ll run just fine.”

The entire talk is a journey through a comedy of errors—one that’s eerily familiar. We’ve all seen horrific levels of DRM applied to games that impact performance, tacked on in haphazard ways that harm the player such as infamous resource-hog Denuvo. The only issue is: these are trains, not video games, and the consequences are a little more severe.

It’s also not the first time we’ve seen this kind of thing happen outside of gaming. In August of 2022, a hacker jailbroke a DRM-laden tractor and then ran Doom on it—thwarting John Deere’s remote bricking systems. In July of the same year, BMW also introduced microtransactions to its cars. Only $18 a month to heat your seats, what a steal.

Advertisements

Leave a Reply

Your email address will not be published. Required fields are marked *