It’s a nightmare for any laptop user when the innards go haywire and the device freezes up irreversibly—a disaster called “bricking.”
Now imagine it happening to a 175-ton passenger train.
It began with Dolnośląskie Rail, which functions as a sort of MTA of southwest Poland. Much of its rolling stock had been made by the Polish company Newag.
After ferrying millions of passengers over the years, about a dozen of the railway’s trains needed to be refurbished. Dolnośląskie gave Newag a shot at the job, but also solicited other bids. The railway decided it stood to save at least one million złoty ($255,118) by going with a Newag competitor known as SPS. By April 2022, the run-of-the-mill maintenance was supposed to make the trains good as new.
Or so everyone thought.
Without warning, nearly all of the refurbished trains began “selectively, but permanently” failing, said the railway’s lawyer, Mirosław Eulenfeld. Dolnośląskie worried that the region would be paralyzed if any more trains stalled.
SPS technicians tried tinkering with the trains’ mechanical systems to no avail. It became apparent that the faults stemmed from the main computer, which wouldn’t let the engines start. They were flummoxed.
“None of us could focus,” said Monika Mieczkowska, the daughter of SPS’s owner, as the deadline to deliver the trains loomed. While on a family vacation in Spain, she came up with the idea of googling “Polish hackers.”
She emailed a group that called itself “Dragon Sector,” and soon after, a trio of hackers reported for duty. A collection of coders with normal day jobs who come together in their off hours to defend cyberspace from malicious intrusions, they consider themselves “white-hat” hackers. To the extent that anybody knew about them, it was because Dragon Sector often participates in global “capture the flag” competitions, in which teams solve complicated cybersecurity puzzles.
They weren’t known for their expertise in locomotives.
Still, they threw themselves into the challenge. For several weeks between May and August 2022, Dragon Sector worked across Europe under the rail operator’s tight deadline. In the final week, they pored over code in 24-hour shifts. They coordinated with partners not over Slack, but via the 1990s-era Internet chat system IRC.
“The reality is, we just slept less,” said Jakub Stępniewicz, who goes by the nom de pirate “MrTick” and whose day job helps prevent aircraft collisions in the aviation industry.
The three found that about a dozen of the trains’ computers contained software code that, in certain circumstances, could trigger a shutdown. The code, for instance, could detect when a train had been stopped for a long period—usually a sign that it was in a rail yard for repairs.
After a different broken train was returned from Newag, the group discovered GPS coordinates in it that happened to pinpoint boundaries on a map around Newag’s competitors.
It was an electronic leash that seemed to tether any repair work to the manufacturer. And it was a problem, the hackers say, that extended to other trains across Poland. One train on a different railway even had code that signaled a mechanical breakdown even though the system was working fine.
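To make the described lock condition concrete, here is an added illustrative model. It is not Newag’s code and not Dragon Sector’s tooling; the fence polygon, the ten-day threshold and the GPS samples are all constructed for the demonstration. It combines the two conditions the article describes, a train parked for a long time and a position inside a boundary drawn around a third party, and shows how a trace of telemetry would be evaluated against them.

```python
"""Illustrative model of the "electronic leash" logic described in the article.

Added example: NOT Newag's code and NOT Dragon Sector's tooling. The fence
polygon, idle threshold and GPS samples below are constructed for the
demonstration and are not the real values found in the trains.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Point = Tuple[float, float]  # (latitude, longitude)


def point_in_polygon(p: Point, polygon: List[Point]) -> bool:
    """Ray-casting test: cast a ray eastward from p and count polygon edges
    it crosses; an odd count means p is inside."""
    lat, lon = p
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lat1 > lat) != (lat2 > lat):  # edge straddles the ray's latitude
            # longitude at which this edge crosses the ray's latitude
            crossing = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < crossing:
                inside = not inside
    return inside


@dataclass
class Sample:
    time: datetime
    position: Point
    speed_kmh: float


def idle_duration(trace: List[Sample], stopped_below_kmh: float = 1.0) -> timedelta:
    """Length of the trailing run of samples during which the train never moved."""
    if not trace:
        return timedelta(0)
    end = trace[-1].time
    start = end
    for s in reversed(trace):
        if s.speed_kmh >= stopped_below_kmh:
            break
        start = s.time
    return end - start


def leash_would_trigger(trace: List[Sample], fences: Dict[str, List[Point]],
                        idle_threshold: timedelta) -> Tuple[bool, str]:
    """Model of the described lock condition: parked at least idle_threshold
    AND currently inside one of the fences. Returns (triggered, reason)."""
    if not trace:
        return False, "no data"
    here = trace[-1].position
    idle = idle_duration(trace)
    if idle < idle_threshold:
        return False, f"idle {idle} < threshold {idle_threshold}"
    for name, polygon in fences.items():
        if point_in_polygon(here, polygon):
            return True, f"idle {idle} inside fence '{name}'"
    return False, f"idle {idle} but outside all fences"


# Constructed fence: a rectangle standing in for a competitor's workshop.
FENCES: Dict[str, List[Point]] = {
    "competitor_workshop_A": [(51.000, 17.000), (51.000, 17.020),
                              (51.010, 17.020), (51.010, 17.000)],
}
IDLE_THRESHOLD = timedelta(days=10)  # assumed value for the demonstration

T0 = datetime(2022, 6, 1)


def constructed_trace(parked_at: Point, days_parked: int) -> List[Sample]:
    """Constructed telemetry: one moving sample, then one stopped sample per day."""
    trace = [Sample(T0, (51.05, 17.05), 60.0)]  # still running, outside the fence
    for d in range(days_parked + 1):
        trace.append(Sample(T0 + timedelta(hours=1, days=d), parked_at, 0.0))
    return trace


if __name__ == "__main__":
    inside, outside = (51.005, 17.010), (51.05, 17.05)
    for label, trace in [("12 days inside fence", constructed_trace(inside, 12)),
                         ("3 days inside fence", constructed_trace(inside, 3)),
                         ("12 days outside fence", constructed_trace(outside, 12))]:
        print(label, "->", leash_would_trigger(trace, FENCES, IDLE_THRESHOLD))
```

Only the combination trips the model: a long stop outside the fence is treated as an ordinary layover, and a short stop inside it as a normal visit. That is what makes such logic hard to spot from the symptoms alone, and why the group had to work from the software itself rather than from the trains’ mechanical behaviour.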
“What Newag did,” Eulenfeld said, “was truly gangster-like.”
Newag didn’t respond to inquiries seeking comment. In a previous statement, Newag had denied the software subterfuge, arguing its code was “clean” and that SPS ginned up a “conspiracy theory for the media” to avoid paying contract penalties.
With minutes to spare under the railway’s deadline, the hackers came up with programmatic workarounds that brought the locomotives back to life.
“In a true MacGyver-like fashion, the boys succeeded,” said Mieczkowska, adding that they finished the job with 43 minutes left in the time allotted by SPS’s contract with the railway. “I was crying.”
Dragon Sector presented their findings to fellow hackers earlier this year at the annual Chaos Communication Congress in Germany. Although their presentation was full of technical findings—“We reverse-engineered based on traffic dumps and a Windows DLL”—it drew chuckles from a sympathetic audience who understood it took a group of techies to fix a European railway.
There have also been unspecified threats of legal action by Newag, the hackers said. Experts fear that could raise the stakes for hackers who use their skills to further the public interest.
“There’s a passionate and talented community of security researchers that has long viewed good-faith security research as a means of helping society, and helping to secure these digital systems that we increasingly rely on,” said Harley Geiger, a Washington-based lawyer and founder of the Security Research Legal Defense Fund, whose first grant helped Dragon Sector. “I think that, for many of them, they do it because they view it as the right thing to do.”
Then there was trying to get Polish authorities on board. “They were not techies, but they understood the case. They just did nothing about it. That is what upsets me,” said Michał “Redford” Kowalczyk, one of the hackers, about the group’s meeting with officials from Poland’s Internal Security Agency. “It took them exactly one year to take any action.”
The security agency declined to comment.
Meanwhile, at least, most of the trains in Poland are running again.
“Newag makes good trains. It is not our intention to drive the company into the ground. It is about consequences: identifying those responsible and removing them from the company,” said Sergiusz Bazanski, who goes by “q3k.”
“What they did was brazen,” Kowalczyk added. “We are hoping for new legal regulations so that this never happens again.”