They're putting DRM in trains, now: Hired hackers Dragon Sector take to the Chaos Communication Congress stage and explain how they caught a manufacturer red-handed
"It's Newag that should be scared, not us."
You wouldn't download a train—but you might conceivably want to repair one. Those worries have led to a massive controversy in Poland, as train manufacturer Newag has come under fire for likely adding DRM-style protection to stop its vehicles from being repaired at competitor facilities.
As laid out by Notes from Poland, the manufacturer's trains had inexplicably come to "a standstill in several places in Poland". Not only did they stop working after competitors attempted to repair them, one locked itself up on November 21, 2023 for no apparent reason. More on that later.
A company named SPS Mieczkowski received fines from a rail operator when it failed to repair one of Newag's trains. It then decided to make privateers out of pirates, hiring a hacker collective called Dragon Sector. Speaking with Onet, one of those hackers, Michał Kowalczyk, said: "We discovered the manufacturer's interference in the software, which led to forced failures."
Newag has naturally been denying the accusations, though the evidence seems damning. As reported by Gizmodo, three hackers affiliated with Dragon Sector took to the stage of the Chaos Communication Congress (a hacker convention dedicated to discussing cybersecurity, privacy, and the like) to share their findings.
In the talk, titled "Breaking 'DRM' in Polish Trains", the team stated it was "100% sure" it was in the right, and that "it's Newag that should be scared, not us."
"One of the most common in the trains we investigated is what we call 'lack of movement' or 'idle timer'," explains Jakub Stępniewicz, who goes by the alias MrTick. If a train goes more than 10 days without a run of at least three minutes at 60 km/h or above, it locks itself permanently. That condition produced false positives, MrTick says: a train standing still for routine servicing stays below that speed for long enough that "it was enough to trigger the lock."
To 'fix' this, the manufacturer extended the window to 21 days, then added "geofencing" so the train would lock if it stayed at certain locations, which happened to be the workshops of Newag's main competitors. One of those locations was an SPS Mieczkowski workshop—you know, the company that was fined because it couldn't repair a Newag train? Oh no.
As for the mystery lockup on November 21: "We also had a very nice date check in one of the trains … the train was supposed to be serviced on the 21st of November 2021." If you've been following along, you might be wondering: 'hold on, didn't the train break in 2023?' That's because, as the hackers reveal, the lockdown isn't tied to a single year: the code instructs the train to lock down whenever the date falls between November 21-30 or December 21-31.
"This is on one train," says Sergiusz Bazański (alias q3k). "That train is now famous, because it did indeed break on the 21st of December this year. But don't worry, New Years? It'll run just fine."
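To make the three lock triggers described above concrete, here is an added Python model of them as the article and the talk describe them: the idle timer (more than 10 days, later 21, without a three-minute run at 60 km/h or above), the geofence, and the month/day date windows. This is example code written for this page, not Newag's firmware or Dragon Sector's analysis. The speed and day thresholds are the ones quoted above; the zone coordinates, depot position and telemetry are constructed placeholders, not real workshop locations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds quoted in the talk: a run of at least three minutes at or above
# 60 km/h resets the idle timer; exceeding the day limit without one locks.
MOVE_SPEED_KMH = 60.0
MOVE_DURATION = timedelta(minutes=3)

# Hypothetical geofence: (name, lat, lon, radius in degrees). Constructed
# placeholder coordinates, not the location of any real workshop.
FORBIDDEN_ZONES = [("competitor-workshop", 52.0000, 21.0000, 0.005)]

# Date windows as described: (month, day) ranges, the year is never compared.
DATE_WINDOWS = [((11, 21), (11, 30)), ((12, 21), (12, 31))]


@dataclass
class Sample:
    t: datetime
    speed_kmh: float
    lat: float
    lon: float


def in_date_window(t: datetime) -> bool:
    md = (t.month, t.day)
    return any(lo <= md <= hi for lo, hi in DATE_WINDOWS)


def zone_hit(lat: float, lon: float) -> Optional[str]:
    # Crude planar distance in degrees; good enough for a demo.
    for name, zlat, zlon, r in FORBIDDEN_ZONES:
        if (lat - zlat) ** 2 + (lon - zlon) ** 2 <= r * r:
            return name
    return None


def evaluate(samples: List[Sample], idle_limit_days: int = 10,
             geofence: bool = True, date_check: bool = False
             ) -> Optional[Tuple[datetime, str]]:
    """Replay telemetry; return (time, reason) of the first lock, or None."""
    samples = sorted(samples, key=lambda s: s.t)
    last_qualifying_run = samples[0].t   # assume the train was just driven
    run_start: Optional[datetime] = None
    for s in samples:
        if s.speed_kmh >= MOVE_SPEED_KMH:
            run_start = run_start or s.t
            if s.t - run_start >= MOVE_DURATION:
                last_qualifying_run = s.t   # three minutes at speed: reset
        else:
            run_start = None
        if s.t - last_qualifying_run > timedelta(days=idle_limit_days):
            return s.t, "idle timer"
        if geofence and (z := zone_hit(s.lat, s.lon)):
            return s.t, f"geofence:{z}"
        if date_check and in_date_window(s.t):
            return s.t, "date window"
    return None


def parked(start: datetime, days: int, lat: float, lon: float) -> List[Sample]:
    """Constructed telemetry: train standing still, one sample every 6 hours."""
    return [Sample(start + timedelta(hours=6 * i), 0.0, lat, lon)
            for i in range(days * 4 + 1)]


def daily_service(start: datetime, days: int, lat: float, lon: float) -> List[Sample]:
    """Constructed telemetry: a 5-minute run at 80 km/h each day, otherwise parked."""
    out: List[Sample] = []
    for d in range(days):
        day = start + timedelta(days=d)
        out += [Sample(day + timedelta(minutes=m), 80.0, lat, lon) for m in range(6)]
        out.append(Sample(day + timedelta(hours=12), 0.0, lat, lon))
    return out


def describe(result: Optional[Tuple[datetime, str]]) -> Optional[str]:
    return None if result is None else f"{result[0].isoformat()} {result[1]}"


DEPOT = (50.0, 19.0)   # constructed: a depot outside every zone
ZONE = (52.0, 21.0)    # constructed: inside the hypothetical geofence


def scenario_normal() -> Optional[str]:
    return describe(evaluate(daily_service(datetime(2023, 3, 1), 30, *DEPOT)))


def scenario_servicing_stationary(limit_days: int) -> Optional[str]:
    # Two weeks standing in a neutral depot: the false positive MrTick describes.
    return describe(evaluate(parked(datetime(2023, 3, 1), 14, *DEPOT),
                             idle_limit_days=limit_days))


def scenario_competitor() -> Optional[str]:
    return describe(evaluate(parked(datetime(2023, 3, 1), 1, *ZONE)))


def scenario_date() -> Optional[str]:
    # Normal service in November 2023: the 2021 window still fires.
    return describe(evaluate(daily_service(datetime(2023, 11, 19), 5, *DEPOT),
                             date_check=True))


def date_window_years() -> Tuple[bool, ...]:
    return tuple(in_date_window(datetime(y, 11, 21)) for y in (2021, 2022, 2023))


if __name__ == "__main__":
    for name, fn in [("normal", scenario_normal),
                     ("serviced, 10-day limit", lambda: scenario_servicing_stationary(10)),
                     ("serviced, 21-day limit", lambda: scenario_servicing_stationary(21)),
                     ("competitor workshop", scenario_competitor),
                     ("november 2023", scenario_date)]:
        print(f"{name}: {fn()}")
```

The replay shows the practical point: a train that simply sits in a depot for two weeks trips the 10-day idle timer on its own, the 21-day extension only defers that, the geofence fires on the first sample inside the zone, and the date check matches in 2023 just as it would have in 2021 because only the month and day are compared.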
The entire talk is a journey through a comedy of errors—one that's eerily familiar. We've all seen horrific levels of DRM applied to games that hurt performance, tacked on in haphazard ways that harm the player, such as the infamous resource hog Denuvo. The only issue is: these are trains, not video games, and the consequences are a little more severe.
It's also not the first time we've seen this kind of thing happen outside of gaming. In August 2022, a hacker jailbroke a DRM-laden John Deere tractor and ran Doom on it, thwarting the company's remote bricking systems. In July of the same year, BMW also introduced subscription-style microtransactions to its cars. Only $18 a month to heat your seats, what a steal.
Harvey's history with games started when he first begged his parents for a World of Warcraft subscription aged 12, though he's since been cursed with Final Fantasy 14-brain and a huge crush on G'raha Tia. He made his start as a freelancer, writing for websites like Techradar, The Escapist, Dicebreaker, The Gamer, Into the Spine—and of course, PC Gamer. He'll sink his teeth into anything that looks interesting, though he has a soft spot for RPGs, soulslikes, roguelikes, deckbuilders, MMOs, and weird indie titles. He also plays a shelf load of TTRPGs in his offline time. Don't ask him what his favourite system is, he has too many.