Security researcher Hugo Landau has discovered an unusual denial of service vulnerability in his local train service: a poorly-designed toilet locking system that can be tricked into a state whereby it locks with nobody inside.
"I hacked a train toilet," Landau writes by way of introduction. "The other day I rode on a Class 800 train in the UK. This is the 'Intercity Express' train designed to replace the venerable HST (Intercity 125 with Mark 3 coaches, a train of which I have many memories and which I will dearly miss)."
Like many trains, the Class 800 includes accessible toilets for passengers. Like, again, many trains, the toilets eschew a simple mechanical door lock in favor of motorized doors controlled by an electronic system — which has the benefit of offering simple push-button opening and closing. When the door is closed, a second button would engage the lock which could then be disengaged by pushing the single door-open button — but led, Landau explains, to confusion.
"Of course, there is a reason for the separation of the closing and locking functions, but not the opening and unlocking functions: it avoids a Denial of Service [DoS] attack where someone can just press 'close' and then jump out before the door closes," Landau explains. "If the interior 'close' button automatically locked the door, this would result in the toilet becoming permanently inaccessible. The problem with this design is that most people don't understand state machines, and this design confused a lot of people who were unable to lock the door correctly, or believed they'd locked the door when they hadn't."
To fix this, newer trains moved from a push-button locking system to a small lever — one which requires little effort to turn, as it doesn't directly engage with the lock at all but instead sends a signal to the microcontroller in charge to trigger the motorized locking system. To solve, again, the problem of being able to lock the door while open, some models of train have a motorized return system which prevents the lever from being used until the door has closed — but not on the Class 800, Landau found.
"A tiny metal pin is projected whenever you should not be able to move the door handle from 'unlocked' to 'locked.' This pin itself locks the lock handle in the unlocked position," Landau says. "The problem with this is that there is some play in the lever around when exactly the microcontroller detects the lever as being in the 'locked' position.
"As such, you can close the door, then hold the lever just beyond the point at which the locking pin could engage with it, but not to the point where it reads as 'locked.' Then you can open the door, but the locking pin projects into thin air; thus the lever is free and can be moved to the locked position. The door close button remains active and you can then close the door. I confirmed that the door will then immediately lock as soon as the door is closed. Since I could do this and then jump out before the door closes, this is effectively a toilet DoS vulnerability on a train."
Landau has tested the apparent vulnerability twice, and both times was able to trick the system into allowing the lock to be operated while the door was open — and once caused the system to crash, entering an automated out-of-order mode. "I only demonstrated this because I could do it without inconveniencing anyone," he notes.
"There was nobody around waiting to use the toilet, and the train had multiple toilets. I didn't anticipate the toilet becoming 'out of order' and am still not entirely sure why this occurred — but in any case the toilet was back in order after it had rebooted a short time later."
Landau's full write-up is available on his website, and the vulnerability demonstrated in the video embedded above.
Main article image courtesy of Robin Drayton, CC-BY-SA 2.0.