badcyber.com
Some were also rigged to fail after a certain date or beyond a certain mileage.
Some were also rigged to fail after a certain date or beyond a certain mileage.
Jump in the discussion.
No email address required.
Notes -
The repair stuff could make sense if they are liable for something like catastrophic failures, you really wouldn't want a someone else cheaping our on a repair in that case.
Then they either genuinely forget about this when the maintainance contract goes to someone else or they "forget" about it.
The shutdown after X hours could also make sense as a security measure. IE. It should be impossible to drive the train for that long without mandatory maintenance.
As far as I understand it this is fairly common practice with heavy machinery these days and it isn't secret.
These kinds of things could explain why polish authorities have been so anemic in their response.
It could very well be that all this is nefarious and illegal but it could also be at least partially a mistake or ineptitude on the part of Newag. One shouldn't underestimate the extreme incompetence in IT of the management team in these kinds of companies. There was a major it security scandal in 2019 in Sweden where ~200k recorded calls to the state Health advicory service had been publicly available and the CEO of the company providing the product clearly had no idea how computers worked, never mind his own product. He made some famous statements claiming that someone had connected an "internet cable to the harddrive" (not possible, and it's not called an internet cable), he also said you needed a special "command movement to slip in the back door" (I can not emphasize enough how ridiculous this sounds in Swedish), which you of course didn't.
Some coder at some point might have done this due to some vague instructions from techicnally incompetent managers, it got documented poorly or the management forgot this even existed even if documentation did.
this contract was intentionally constructed to decouple servicing overhaul and train construction, with manufacturer obligated to provide full servicing documentation
they lied, sabotaged train and tried to sabotage companies competing for servicing overhaul tender
they were caught by hackers hired by one such sabotaged company (with first hard proof delivered 43 minutes before servicing contract would be broken by train company)
Newag continues to lie and try to blame others.
Yes, and there are indicators of this. But none of them reduce that all this is nefarious and hopefully illegal.
Trains were programmed to falsely report being broken down after specific date, or after specific number of mileage or after being repaired at repair yards run by competition.
This was not documented, Newag lied about it when asked and continues to lie.
Newag was nefariously sabotaging competition.
I realise all that. I'm saying that the reasoning for why this exists might not be nefarious or even intended to sabotage competition.
That might be possible but it's not stated anywhere in the article. The only mention of communication with Newag is when they stated that the breakdowns was due to a "safety system" which could very well be correct.
The issue isn't that they lied, it's that they failed to communicate what this security system was or how to disable it. This is just glossed over but seems very important.
It could be due to incompetence or malice, or some combination. I'm saying that the existence of these kinds of systems doesn't necessarily imply intentional industrial sabotage. Regardless, they clearly failed to live up to their contractual obligations.
What I'd be interested in is a more detailed explanation of these systems, and the systems in other trains they aren't servicing themselves. Is this a generalised system or tailor-made for each train/competitor? The article isn't clear on this but it seems like a fairly important detail. If it's the latter then intentional industrial sabotage seems like a given, if it's the former it is plausible that it could be due to incompetence and/or poor routines.
I'd also like to know more about what Newag has said and what happened in the communication between the two companies.
The lack of this information and the limited response from Polish authorities makes me suspicious.
Newag claims that this system does not exist, and if exist it was added by competition and it is not their fault.
Obviously, competition sabotaging repair service done not be Newag seems quite unlikely. Not sure why they went with this idea.
it was in some later articles, including some Polish ones and their PR releases
https://www.newag.pl/wp-content/uploads/2023/12/Oswiadczenie-NEWAG-06.12.2023.pdf
They are claiming they never introduced software that simulated failures and if it existed it was added by competition.
They demand withdrawal from service trains that were analysed, threaten legal action against SPS and people who analysed software.
it was a not a security system
Thanks for the added context. If what you say is true then it sounds like a pretty open and shut case.
https://youtube.com/watch?v=XrlrbfGZo2k CCC publication is making situation quite clear, even if they do not take final step (because it is not fully 100% provable and they will likely end as witnesses in court cases, and what is clearly provable is damming anyway)
spicier bits include Newag making software changes to specific trains, two/three days before being send to be repaired at workshop of their competition ( https://youtube.com/watch?v=XrlrbfGZo2k&t=2369 ), not mentioning software updates in paperwork, train predicted to break down at specific date (due to bug in sabotage code) and then doing this...
overall great presentation, though quite technical (presented at hacking conference)
Very interesting. Thank you!
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link