Hackers Face Lawsuit After Train Repair

Every week, we get a roundup of recent developments in Right to Repair news, courtesy of Jack Monahan and Paul Roberts from Fight to Repair, a reader-supported publication.

Three Polish hackers achieved success in repairing the malfunctioning software of a train, initially serviced by independent repair shops for a regional rail operator…[then] accusations arose against the manufacturer, Newag, alleging that they remotely rendered inoperable trains serviced by the Polish train repair company, SPS. That’s not all: reportedly, Newag is threatening the hackers with a lawsuit.


That’s the story that has caught the attention of everyone in the world of right to repair. And it turns out that the hackers went to Polish authorities with their findings months before presenting them publicly at a Polish conference, but got little response from the government.

The series of events is fairly simple: A company was caught remotely bricking a multimillion-dollar machine. Then they tried to point the finger at the guys who got the machine working again and (in the process) exposed their anti-competitive behavior. But they’re calling these white hat hackers the “bad guys”?

It’s been 10 years since the internet first rolled its eyes over DRM kitty litter, but things haven’t gotten any better. Image via George Lopez.

DRM: Does it Really Matter?

This remotely bricked train in Poland is a reminder to us why digital rights management (DRM) is the elephant—or maybe the diesel train engine—in the living room for anyone concerned about our fading rights as consumers, property owners, and individuals. Repair monopolies increasingly rely on DRM to keep repair within manufacturers’ own walled gardens.

If you’re a farmer, you may not recognize that it’s DRM that keeps you from being able to replace a broken component on your $500,000 piece of John Deere farm equipment. What you do know is that a John Deere authorized service technician is the only person capable of completing that repair, and that your only option is to wait for them to be ready to take your money in exchange for their very pricey repair services.

If you’re a Tesla owner and want to buy an aftermarket tow hitch for your car? Too bad, because Tesla has programmed its cars to refuse to recognize a non-Tesla brand hitch attached to one of its vehicles. It employs DRM to authenticate the more expensive, less available Tesla brand hitches and programs its vehicles to disable towing safety features when Tesla owners deploy an aftermarket hitch.

DRM’s Dystopian Future

Though the Polish train hacking story puts a new face on DRM, the broader issue is anything but new. It’s just the latest chapter in a decades-long saga in which manufacturers and software publishers increasingly deploy DRM software locks liberally to stop users from doing all manner of things on their machines, from replacing a mobile phone screen to swapping out the water filter on a refrigerator.

To bolster their technological hurdles, companies use the threat of legal action, invoking the anti-piracy law known as the Digital Millennium Copyright Act (DMCA) in the US (and its equivalents in other countries) to threaten offenders with jail time and hundreds of dollars of fines for simply tinkering with their own property or finding workarounds for fixing their things.

When questioned about the fairness or necessity of such draconian controls, companies use the rhetoric of safety or cybersecurity as a pretense for their shady and anti-competitive business practices.

Exempting Commercial & Industrial Equipment from the DMCA

That’s exactly why iFixit and the nonprofit Public Knowledge have jointly filed a petition for commercial & industrial equipment to be exempt under the DMCA. The groups filed the first iteration of the petition back in August—on which occasion iFixit tore down a McDonald’s ice cream machine to help understand the scope of the problem. But now they’ve submitted a longer form petition with a wide range of examples of equipment that has DRM limiting repair, ranging from McDonald’s ice cream machines to Caterpillar earth movers to Polish trains.

If accepted, the petition will enable owners of these devices to troubleshoot and repair their own equipment, even if that means getting around the DRM. Unfortunately, although the success of this petition undoubtedly would allow many commercial equipment users to do repairs they couldn’t before, many others will be out of luck. The US Copyright Office has previously held that its jurisdiction only allows it to exempt individual repair attempts from the DMCA; it says that it cannot permit the development of tools that will enable DRM circumvention.

In the case of the security researchers who discovered the repair blocks in the train software, for instance, a DMCA exemption would allow them to individually get around that block (if they were in the US)—but they couldn’t publish what they found or how they found it. Nobody else could benefit from their discovery. Only a change to federal copyright law could legalize this sort of repair tool. Last congressional session, the Freedom to Repair Act aimed to make these exemptions permanent and legalize trafficking in repair tools, but it didn’t pass and has yet to be reintroduced in this (historically unproductive) session.

What’s going on? Some call it the landlord economy, while others use less savory terminology, but the through line is simply that companies have warmed to the idea that they can get people to pay them for the right to own something, and then pay them again for the right to use what they just bought. But corporations are clearly incentivized to use business practices and threats of legal action to control products in the hunt for profits. And if the train story is any indication, nothing is stopping this disease from spreading far and wide—nothing, that is, except hackers, activists, and advocates for consumer rights issues including right to repair. It’s time to join the fight!

More News

  • Apple expands self-repair program: The expansion to 24 additional EU countries, including the iPhone 15 series and other products, is a move to tighten control over repair and component sales, potentially limiting access to affordable third-party repairs and ensuring revenue for Apple, says verdict.co.uk. The introduction of a new diagnostic tool, Apple Diagnostics for Self Service Repair, has been criticized for lacking clear criteria on users’ expertise, and overall, the expansion is viewed as prioritizing Apple’s bottom line over device sustainability or addressing issues in repairing Apple devices, such as overpriced authorized parts and software locks.
  • Smoking gun email surfaces in McDonald’s McFlurry case: The legal case between the startup Kytch and the soft ice cream machine maker Taylor and their customer McDonald’s has been going for a while. Last week, Wired reported the emergence of a so-called “smoking gun” email in the case, which hinges on a 2020 email McDonald’s sent to restaurant owners warning them against using Kytch’s technology, claiming Kytch posed safety risks, and causing Kytch’s sales to plummet. Kytch now alleges that Taylor, the soft-serve machine maker, colluded with McDonald’s to undermine them as competition, citing uncovered internal emails that suggest Taylor’s involvement in influencing McDonald’s to discourage Kytch’s use. The legal battle is set to go to trial in May, with Kytch alleging a conspiracy at the highest levels of leadership.
  • Data privacy doublespeak from DOT: Members of Congress are criticizing the National Highway Traffic Safety Administration for its double standards on data access. The agency has previously opposed right to repair on the basis that data sharing will compromise security for drivers, yet lawmakers are calling out NHTSA’s proposed solution involving Bluetooth access to vehicle telematics data, suggesting it may entrench manufacturers’ dominance and harm competition, while also raising privacy violation arguments tied to Massachusetts’ Data Access Law.