A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors.
Newag, a Polish train maker, emphatically denied that it installed such software in a statement issued Wednesday, attributing any issues to unknown hackers.
The rolling stock and engineering business insists its software is correct and that it did not design the trains' programming logic to fail under specific conditions, as has been claimed.
SPS bid for and won a contract to maintain the trains, beating Newag, according to Polish industry publication Rynek Kolejowy.
SPS then encountered difficulties servicing the rolling stock following a software lockout.
He wrote in a thread on Mastodon that the manufacturer, Newag, argued that these third-party repair shops were deficient and that the manufacturer should be servicing its own trains.
The security researchers reverse-engineered the train's electronics and, in August 2022, found that the train-stopping faults appeared to be not a flaw but a feature.
They also claimed to have found an undocumented key combination in the cabin controls that would unlock the trains.
The unrecorded talk was documented by infosec writer BadCyber, to whose account the hacking trio referred The Register.
They are also preparing a more detailed presentation they intend to deliver at the 37th Chaos Communication Congress in Hamburg, Germany, at the end of the month.
CERT Poland confirmed to The Register that the team had disclosed their findings and that the cyber security agency had alerted relevant authorities.
That was more than a year ago, and The Register understands that the ongoing lack of action is partly what motivated the researchers to go public with their findings.
This Cyber News was published on go.theregister.com. Publication date: Fri, 08 Dec 2023 07:13:11 +0000