From phones to cars and even refrigerators, it seems any device that contains some kind of computer chip is vulnerable to hacking or manipulation.

Now, an expert has added another item to the long list. 

In a new video, software engineer Hugo Landau, based in St Albans, Hertfordshire, easily disrupts the computerised locking system of a train toilet. 

He says the toilet door can be closed and locked when there’s no-one in there – rendering it inaccessible. 

Thankfully, the hack occurs when the assailant is inside the cubicle – so other passengers don’t have to worry about the door opening when they’re inside.  

Train toilets have electronic lock systems on the doors rather than mechanical ones - but these can be manipulated (file photo)

Although he did not specify the journey route, Mr Landau said he was on a British Rail Class 800 train, which is built for Great Western Railway by Japanese firm Hitachi. 

‘I’ve locked an open door,’ Mr Landau can be heard saying in his video uploaded to YouTube.

‘If I was walking out here now, this door would be locked.’

Upon finally exiting the toilet he exclaims: ‘Oh my god! I broke it.’ 

As anyone who has ridden on one will know, modern trains in the UK have large disabled toilets with power-operated doors.

Upon entering the toilet, users need to press the ‘close’ button to shut the sliding door before turning a metal lever right to lock the door.

Only when the lever is turned left to ‘unlock’ can the doors be opened.

Once they’ve finished their business, they need to turn the lever left to the ‘unlock’ position and press the other button to open the door.

Mr Landau was able to disrupt the system because, as he explains in a blog post, it isn’t a ‘real’ lever that’s connected to a traditional locking mechanism. 

Instead, a microcontroller – a small computer on a single integrated circuit – detects whether the lever is in the ‘lock’ or ‘unlock’ position. 

Usually, when the lever is left, the door is unlocked and can open. But when the lever is right, the door is locked and cannot be opened

After manipulation: Note the small metal pin on the left above the green 'unlock' light. This pin is meant to stop the lever being turned to 'lock' when the door is open

Usually, a small metal pin on the left side prevents the lever from being turned right to ‘lock’ whenever the toilet door is open. 

However, as Mr Landau demonstrates, users can move the lever so that the locking pin can’t engage with it, but not so far right that the lever gets set to ‘lock’.

As a result, the door can be set to lock even when it’s open.

As Mr Landau also shows, users can press the button to close the door and quickly jump out – leaving the toilet locked and inaccessible from the outside.   
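
The weakness described above is a controller that trusts a mechanical pin to guarantee ‘lock’ is never selected while the door is open. The Python model below is an added illustration, not code from Mr Landau or the train’s manufacturer; the class, the `hardened` flag and the state names are assumptions, used to contrast a controller that relies on the pin alone with one that also checks the door state in software.

```python
from dataclasses import dataclass
from enum import Enum


class Lever(Enum):
    UNLOCK = "unlock"
    LOCK = "lock"


@dataclass
class DoorController:
    """Hypothetical model of the toilet door logic; not the train's firmware."""
    hardened: bool
    door_closed: bool = False
    locked: bool = False
    lever: Lever = Lever.UNLOCK
    lock_armed: bool = False  # hardened only: LOCK was selected after the door shut

    def set_lever(self, position: Lever) -> None:
        # The metal pin is mechanical, so the controller only sees the lever reading.
        self.lever = position
        self.lock_armed = position is Lever.LOCK and self.door_closed
        self._update()

    def press_close(self) -> None:
        self.door_closed = True
        self._update()

    def _update(self) -> None:
        wants_lock = self.lever is Lever.LOCK and self.door_closed
        if self.hardened:
            # Honour LOCK only if the lever got there while the door was closed.
            wants_lock = wants_lock and self.lock_armed
        self.locked = wants_lock


def replay(hardened: bool, lever_first: bool) -> bool:
    """lever_first=True is the article's sequence; False is normal use."""
    c = DoorController(hardened=hardened)
    if lever_first:
        c.set_lever(Lever.LOCK)   # pin bypassed, door still open
        c.press_close()           # person steps out as the door slides shut
    else:
        c.press_close()
        c.set_lever(Lever.LOCK)
    return c.locked
```

In the hardened variant, a lever already at ‘lock’ when the door closes is ignored until it is returned to ‘unlock’ and turned again, so normal use still locks while the empty cubicle does not.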

Mr Landau called this a ‘denial-of-service’ (DoS) attack – defined as a malicious attempt to overwhelm an online service and render it unusable. 

‘Since I could do this and then jump out before the door closes, this is effectively a toilet DoS vulnerability on a train,’ he said. 

He tested the vulnerability several times, but on the final attempt (shown in his video) he confused the toilet door enough ‘that it decided “screw this” and went into out-of-order mode’, he said.

In a YouTube video, the software engineer can be heard saying, 'Oh my god! I broke it' after exiting the toilet

Mr Landau – who works for the OpenSSL software library – describes himself as a ‘hacker and reverse engineer’.

‘I believe that computers should be under the control of their owners and nobody else – in a world which seems to be headed in the opposite direction,’ he says. 

‘The idea of hardware the individual user can trust to be on their side has never been more important, or more in danger. 

‘Amusingly this is not the first DoS vulnerability I’ve found on a train – but that will have to wait for another article.’ 

MailOnline has contacted Great Western Railway for comment. 

I’m a cybersecurity expert – here’s how much damage a hacker could do if they got hold of just ONE of your passwords 

A hacker learning just one of your passwords can be enough to cause huge damage – especially if it’s your email password, an expert has warned. 

Jake Moore, security specialist at ESET, says it’s ‘very easy’ for cyber criminals to get hold of a password, and that they’re ‘regularly’ compromised in data breaches.

Cyber criminals make a living by hacking into a big company database that has passwords stored, or benefitting from an internal security cock-up among staff. 

Another method of taking passwords is phishing emails, which contain links that lead to fake websites designed to trick you into entering your password. 

But in many instances, a password can be easily guessed because it’s made up of common words or phrases, with ‘qwerty’ and ‘123456’ being classic examples. 
