Depends on the country's laws and the contracts between parties. If the contract does not mandate service by the manufacturer, only suggests it, this sounds illegal. Not because of hacking, but because of not documenting behavior and disturbing a state entity, hence the people.
Oh, yes. I agree that this sounds like actual fraud if it is undocumented. I disagree that disabling the machines would count as "hacking."
I am cynical about the latter because I personally would like this sort of malicious shit to qualify as hacking. I'd also like the telemetry and recording in all modern cars to be considered hacking.
One practical solution is to make certain clauses unenforceable in end user license agreements and all non-negotiated contracts.
For starters, clauses allowing the vendor to upload any user-specific data (anonymized or not) and prohibitions against specific uses of the software would be unenforceable.
The former ensures privacy, and the latter would make the behavior of the train manufacturer illegal (in the US), since it’d fall under the CFAA:
Various contract provisions are illegal in Poland as well; for example, a contract can't prevent you from disassembling and reverse engineering any software or hardware, including building a compatible device, so long as you do not literally copy the results over.
In this case, NEWAG violated the contract, because they did NOT win the bid to do servicing, and didn't write anything down about being the only party able to service the machines.
If the contract mandated it, then the manufacturer could simply have filed a lawsuit. The fact that they didn't and did something in secret instead shows otherwise.