Whitehat hackers are vital for companies large and small, but what happens when a business fails to grasp the significance of ethical hacking?
In a recent cybersecurity incident, three Polish hackers succeeded in repairing the malfunctioning software of a train that had been serviced by independent repair shops for a regional rail operator.
However, the story took a twist when accusations arose that the manufacturer, Newag, had remotely rendered inoperable the trains serviced by the Polish train repair company SPS. That’s not all: Newag is reportedly threatening the hackers with a lawsuit.
The practice of remotely disabling or “bricking” products serviced by third-party entities is not unfamiliar, as major tech companies, such as Apple, adopt similar measures to safeguard revenue streams.
While we don’t want to get overly preachy or emotional, it’s an undeniable fact that whitehat hackers, also known as ethical hackers or cybersecurity researchers, are nothing short of a blessing. Numerous cases exist where ethical hackers have saved companies from devastating hacks.
Take, for instance, the whitehat hacker who went the extra mile to unlock a car for a family that had lost their keys. And let’s not forget the notorious WannaCry ransomware attack, which was successfully thwarted by a whitehat hacker while cybersecurity and technology giants remained clueless. Newag’s response to this event, however, highlights a notable lack of understanding of cybersecurity on its part.
The issues surrounding Newag’s Impuls series of trains, which are operated by independent entities, have been ongoing since the summer, adversely affecting customer service. These trains exhibited mysterious failures, refusing to restart after routine maintenance. To unravel the mystery behind these disruptions, SPS enlisted the expertise of Dragon Sector, a group of ethical hackers.
Dragon Sector’s findings reveal a concerning aspect of how the software on Newag’s trains is programmed. According to the ethical hacking group, Newag’s trains were equipped with a feature that triggered a software lockdown if they remained stationary for more than 10 days.
Moreover, the complexities of Newag’s software go beyond mere inactivity, extending to a mechanism that activates when a train parks at specific GPS locations.
Remarkably, these preset GPS locations align strategically with independent repair shops spread across Poland. This means that the software lockdown could be initiated not only based on the duration of inactivity but also when a train is parked at designated locations, which happen to coincide with indie repair shops.
A noteworthy revelation is that at least one of these predetermined GPS locations included a repair shop still in the construction phase at the time when the programming details came to light. This raises questions about the intention and scope of Newag’s software lockdown strategy, as it appears to extend beyond the straightforward goal of preventing prolonged inactivity.
One of Dragon Sector’s hackers, Michał Kowalczyk, stated that this issue seems deliberate from Newag. “Today we are sure that it was a deliberate action on Newag’s part. We discovered the manufacturer’s interference in the software, which led to forced failures and to the fact that the trains did not start,” Michał claimed.
Zaufana Trzecia Strona, a Polish-language IT security news website, also reports that repair countermeasures would activate if parts were replaced without a hidden unlock sequence being entered in the train’s computer. Additionally, code would shut the train down after one million kilometres, and hardware could allow remote interaction with Newag trains.
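As an added illustration (not code from the article, Dragon Sector or Newag), the following Python audit replays a train’s position and odometer telemetry against the three lockdown conditions described above (more than 10 days stationary, parked inside a geofenced location, odometer past one million kilometres), so an operator can check whether a no-start failure coincides with one of them. The geofence coordinates, thresholds, sample names and telemetry are constructed placeholders, not the values reported in the story.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import math

# Constructed placeholder geofences; NOT the coordinates reported in the story.
REPAIR_SHOP_GEOFENCES = {"shop_A": (51.1000, 17.0300), "shop_B": (52.2300, 21.0100)}

@dataclass
class Sample:
    ts: datetime        # telemetry timestamp
    lat: float
    lon: float
    odometer_km: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def audit(samples, geofences=REPAIR_SHOP_GEOFENCES, radius_km=0.5,
          idle_days=10, km_limit=1_000_000, moved_km=0.05):
    """Return (rule, ISO timestamp) pairs for every sample at which one of the
    reported lockdown conditions would have been satisfied."""
    hits, idle_since = [], None
    for prev, cur in zip([None] + samples[:-1], samples):
        # Inactivity rule: the idle clock restarts whenever the train moves.
        if prev is None or haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) > moved_km:
            idle_since = cur.ts
        elif cur.ts - idle_since > timedelta(days=idle_days):
            hits.append(("idle>%dd" % idle_days, cur.ts.isoformat()))
        # Geofence rule: parked within radius_km of a listed location.
        for name, (glat, glon) in geofences.items():
            if haversine_km(cur.lat, cur.lon, glat, glon) <= radius_km:
                hits.append(("geofence:" + name, cur.ts.isoformat()))
        # Odometer rule: past the reported kilometre limit.
        if cur.odometer_km >= km_limit:
            hits.append(("odometer>=%d" % km_limit, cur.ts.isoformat()))
    return hits

def constructed_log():
    """Constructed telemetry: 3 days in service, then 12 days parked at shop_A."""
    t0 = datetime(2022, 6, 1)
    running = [Sample(t0 + timedelta(days=d), 50.0 + 0.1 * d, 19.0, 500_000 + 300 * d)
               for d in range(3)]
    parked = [Sample(t0 + timedelta(days=3 + d), 51.1001, 17.0301, 500_900)
              for d in range(12)]
    return running + parked
```

Calling `audit(constructed_log())` flags the geofence from the first parked day and the inactivity rule once the train has sat for more than 10 days; a real telemetry export would replace `constructed_log()`.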
Newag, Poland’s oldest railway company, denies the accusations and blames SPS for starting a conspiracy theory. The company now demands that the repaired trains be removed from service immediately, claiming they have been “hacked” and might be unsafe.
Newag claims the story is slander from competitors and threatens to sue Dragon Sector. The company believes it to be an attack on independent repair, which has become a controversial issue pitting consumers against companies like Apple, John Deere, and many across the car industry. Right-to-repair is combated through proprietary software and encryption that only the company can read.
Lower Silesian Railways, a rail operator, has been in a dispute with Newag, which produces its Impuls 45WE hybrid multiple units. In June 2022, the railroad experienced multiple no-start failures with these trainsets, resulting in fewer trains running than scheduled and impacting passenger service.
Nevertheless, this should come as no surprise, as companies frequently fail to appreciate the efforts of whitehat hackers who are doing good. Cybersecurity researchers like Rob Dyke and Wesley Wineberg are prime examples of what can happen when companies fail to grasp the importance of responsible disclosure.