They're putting DRM in trains, now: Hired hackers Dragon Sector take to the Chaos Communication Congress stage and explain how they caught a manufacturer red-handed

Three hackers, Redford, q3k, and MrTick, pose for a photo to celebrate their exposing of Polish train manufacturer Newag
(Image credit: The Chaos Computer Club / Dragon Sector)

You wouldn't download a train—but you might conceivably want to repair one. Those worries have led to a massive controversy in Poland, as train manufacturer Newag has come under fire for likely adding DRM-style protection to stop its vehicles from being repaired at competitor facilities.

As laid out by Notes from Poland, the manufacturer's trains had inexplicably come to "a standstill in several places in Poland". Not only did they stop working after competitors attempted to repair them, but one also bricked itself without explanation on November 21, 2023. More on that later.

A company named SPS Mieczkowski received fines from a rail operator when it failed to repair one of Newag's trains. It then decided to make privateers out of pirates, hiring a collective of hackers called Dragon Sector. Speaking with Onet, one of the hackers, Michał Kowalczyk, said: "We discovered the manufacturer’s interference in the software, which led to forced failures."

Newag has naturally been denying the accusations, though the evidence seems damning. As reported by Gizmodo, three hackers affiliated with Dragon Sector took to the stage of the Chaos Communication Congress (a hacker convention dedicated to discussing cybersecurity, privacy, and the like) to share their findings. 

In the talk "Breaking DRM in Polish Trains", the team stated it was "100% sure" it was in the right, and that "it’s Newag that should be scared, not us."

"One of the most common in the trains we investigated is what we call 'lack of movement' or 'idle timer'," explains Jakub Stępniewicz, who goes by the alias MrTick. He explains that if a train doesn't reach at least 60 km/h for at least three minutes over a period of more than 10 days, it'll permanently lock. However, MrTick says there were false positives, and that when the trains were stationary for servicing "it was enough to trigger the lock."

To 'fix' this, the manufacturer extended the time to 21 days, then added "geofencing" to cause the train to lock if it stayed in certain locations, which just so happened to belong to Newag's main competitors. One of the locations was even an SPS Mieczkowski workshop—you know, the company that was fined because it couldn't repair a Newag train? Oh no.


As for the mystery bricks on November 21: "We also had a very nice date check in one of the trains … the train was supposed to be serviced on the 21st of November 2021." If you've been following along, you might be wondering: 'Hold on, didn't the train break in 2023?' That's because (as the hackers reveal) the code actually instructs the train to lock down between November 21-30 and December 21-31.


"This is on one train," says Sergiusz Bazański (alias q3k). "That train is now famous, because it did indeed break on the 21st of December this year. But don't worry, New Years? It'll run just fine."
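
The lock windows described above are what you get when a date is compared one field at a time instead of as a whole. The following is an added example, not code from the talk or from the train's software; the field-by-field form of the check is an assumption, and all function names are hypothetical.

```python
from datetime import date, timedelta

SERVICE_DATE = date(2021, 11, 21)  # service date quoted in the talk


def fieldwise_lock(today: date) -> bool:
    # Assumed form of the flawed check: each field is compared on its own.
    return today.year >= 2021 and today.month >= 11 and today.day >= 21


def intended_lock(today: date) -> bool:
    # What "on or after the service date" means when compared as one value.
    return today >= SERVICE_DATE


def lock_windows(check, start: date, end: date):
    """Return (first_day, last_day) runs in [start, end] where check is true."""
    windows, run_start = [], None
    day = start
    while day <= end:
        locked = check(day)
        if locked and run_start is None:
            run_start = day
        elif not locked and run_start is not None:
            windows.append((run_start, day - timedelta(days=1)))
            run_start = None
        day += timedelta(days=1)
    if run_start is not None:
        windows.append((run_start, end))
    return windows


def disagreements(start: date, end: date):
    """Days on which the two checks differ (differential test against the spec)."""
    span = (end - start).days + 1
    days = (start + timedelta(days=i) for i in range(span))
    return [d for d in days if fieldwise_lock(d) != intended_lock(d)]


if __name__ == "__main__":
    # Sweep 2023 and the following January: two short windows, none at New Year.
    for first, last in lock_windows(fieldwise_lock, date(2023, 1, 1), date(2024, 1, 31)):
        print("locked", first, "to", last)
```

Sweeping a date-dependent branch over a calendar range and diffing it against the stated rule, as `disagreements` does, is a quick way to surface this class of time-triggered logic during firmware review.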

The entire talk is a journey through a comedy of errors—one that's eerily familiar. We've all seen horrific levels of DRM applied to games that impact performance, tacked on in haphazard ways that harm the player such as infamous resource-hog Denuvo. The only issue is: these are trains, not video games, and the consequences are a little more severe.

It's also not the first time we've seen this kind of thing happen outside of gaming. In August of 2022, a hacker jailbroke a DRM-laden tractor and then ran Doom on it—thwarting John Deere's remote bricking systems. In July of the same year, BMW also introduced microtransactions to its cars. Only $18 a month to heat your seats, what a steal.

Harvey Randall
Staff Writer
