From personal experience it seems relatively common in the embedded-esque software space, although not always quite as sophisticated as seen here.
> Is there some kind of whistleblower law that would allow someone with knowledge to come forward?
Depends on where you live; unfortunately, anywhere with 'strong' IP laws you aren't allowed to patch anything. Usually reverse engineering analysis is still fine, although if there is a contract saying you're not allowed to, you could be screwed anyway.
In the train case the locks were specifically for anti-competitive purposes, and so they can whistle-blow for that; and I think in the general case you can sue for misleading dealings/false advertising/etc but not for anything specific to the software locks/traps.
> unfortunately anywhere with 'strong' IP laws you aren't allowed to patch anything.
I am not aware of any IP laws that prohibit patching, except for circumventing copy protection (DMCA). There are plenty of laws prohibiting distributing patches, but making and using them are not commonly prohibited AFAIK.
You can technically distribute patches. A good example of what is possible is SNES ROM hacks, where only the deltas are distributed and the end user provides their own 'legal' copy; this avoids the issue of redistributing copyrighted content.
However, in the EU you aren't allowed to use information obtained through "decompilation" for the purpose of development/production of a substantially similar program, which means you cannot patch any program (an exception exists for the purpose of interoperability) without risking some legal liability.
What got me was the geofencing for the trains to break down when in competitors' workshops. It was apparently only found in 2 out of 30 trains, but still, there is no plausible deniability here at all.