Chaos Computer Club supports hackers facing legal battle with railway manufacturer

Three ethical hackers were targeted by Polish railway manufacturer Newag after exposing anti-competitive practices. EDRi member Chaos Computer Club is backing the researchers to ensure they can continue their vital work without fear of legal retaliation.

By Chaos Computer Club (guest author) · February 5, 2025

Hackers exposed anti-competitive practices

EDRi member Chaos Computer Club (CCC) is backing three hackers targeted by Polish railway manufacturer Newag after they exposed anti-competitive practices at the 37th Chaos Communication Congress (37C3). In their 2023 presentation, the hackers revealed how Newag used geofencing and proprietary software to restrict repairs to its own workshops. By leveraging location data, geofencing enforces a virtual perimeter, allowing Newag to control where maintenance can take place and effectively limit independent repair options.

Train sabotage for profit

The Polish train operator Koleje Dolnośląskie had invited tenders for the servicing of its Newag trains. After an independent contractor, rather than Newag itself, took over maintenance, the train operator observed a series of breakdowns of Newag trains. While Newag claimed these breakdowns were due to improper servicing, Koleje Dolnośląskie engaged three ethical hackers. On behalf of the train operator, they uncovered a different cause.

Newag’s trains entered a hibernation mode if parked too long within the geocoordinates of competitors’ or customers’ workshops, or if unregistered repairs were detected. This way, the affected trains were artificially rendered unusable. The only way to “rescue” deactivated trains was to pay ransom by calling in a Newag technician, forcing train operators into exclusive reliance on the manufacturer.

Ethical hackers Redford, q3k and MrTick uncovered this practice by reverse-engineering and debugging Newag’s software. Analyzing the trains’ software to understand its internal workings showed them that it deliberately restricted repairs and maintenance. Their investigation led to a striking discovery: the locked trains could be reactivated by simply pressing an undocumented key combination in the train cabin controls. All of this was uncovered without the potentially illegal replacement of train components, which would require certifications. The IT experts notified relevant authorities and presented their findings at 37C3.

Newag’s reaction was swift and aggressive. The Polish rail vehicle manufacturer initiated multiple lawsuits under both criminal and civil law targeting the hackers’ efforts to reveal the truth. This winter at the 38th Chaos Communication Congress (38C3), they shared their ordeal. CCC believes these legal actions aim to suppress future disclosures of such unethical practices.

Supporting the fight for digital freedom

The CCC raised funds to assist with the hackers’ legal battle. After 38C3, more than 500 individuals contributed a remarkable 31 000 € to help cover legal costs, ensuring these researchers can continue their vital work without fear of retaliation. This demonstrates the power of solidarity in the community of Europe’s largest association of hackers.

This case serves as a reminder of corporate abuses. It highlights the need for stronger legal protections of researchers exposing unethical practices. By supporting these hackers, the CCC and the wider community are taking a stand for transparency, competition, and the right to repair. The following principles would protect innovation, competition, and digital freedom.

  1. Right to repair: End users, customers and independent workshops must have the power to repair their equipment without facing manufacturer-imposed barriers.
  2. Right to hack: The freedom to analyze, modify, and improve systems must be protected to foster innovation and expose vulnerabilities and unethical practices.
  3. Open Source Software: Building critical systems on open platforms prevents vendor lock-in and enhances transparency and accountability.
  4. Whistle-blower Protections: Legal and financial safeguards are crucial to ensure researchers and whistle-blowers can expose wrongdoing without fear of retaliation.

Contribution by: Matthias Marx, EDRi member, Chaos Computer Club (CCC)