From phones to cars and even refrigerators, it seems that any device that contains any type of computer chip is vulnerable to hacking or tampering.
Now, an expert has added another item to the long list.
In a new video, software engineer Hugo Landau, based in St Albans, Hertfordshire, easily alters the computerized locking system of a train toilet.
He says the bathroom door can be closed and locked when no one is there, making it inaccessible.
Fortunately, the attack occurs when the attacker is inside the cubicle, so other passengers do not have to worry about the door opening when they are inside.
Train toilets have electronic door locking systems rather than mechanical systems, but they can be tampered with (file photo)
Although he did not specify the route of the trip, Landau said he was on a British Rail Class 800 train, built for Great Western Railway by the Japanese company Hitachi.
“I have closed an open door,” Mr. Landau is heard saying in his video uploaded to YouTube.
“If I were walking here right now, this door would be locked.”
Finally leaving the bathroom he exclaims: ‘My God! I broke it.’
As anyone who has traveled on one will know, modern UK trains have large disabled toilets with electric doors.
Upon entering the bathroom, users must press the “close” button to close the sliding door before turning a metal lever clockwise to lock the door.
Only when the lever is turned to the right to “unlock” can the doors be opened.
Once they are finished, they must turn the lever counterclockwise to the “unlock” position and press the other button to open the door.
Mr. Landau was able to alter the system because, as he explains in a blog post, it is not a “real” lever connected to a traditional locking mechanism.
Instead, a microcontroller (a small computer on a single integrated circuit) detects whether the lever is in the “lock” or “unlock” position.
Normally, when the lever is released, the door unlocks and can be opened. But when the lever is in the correct position, the door locks and cannot be opened.
After handling: Note the small metal pin on the left, above the green “unlock” light. This pin is intended to prevent the lever from being turned to “lock” when the door is open.
Typically, a small metal pin on the left side prevents the lever from turning clockwise to “lock” each time the bathroom door is open.
However, as Mr. Landau demonstrates, users can move the lever far enough that the locking pin cannot engage with it, but not so far to the right that the lever “locks.”
As a result, the door can be set to lock even when open.
As Landau also shows, users can press the button to close the door and quickly jump out, leaving the bathroom closed and inaccessible from the outside.
Landau called this a “denial of service” (DoS) attack, defined as a malicious attempt to overwhelm an online service and render it unusable.
“Since I can do this and then jump before the door closes, this is effectively a DoS vulnerability in a train bathroom,” he said.
He tested the vulnerability several times, but the last time (shown in his video) he confused the bathroom door enough “that it decided ‘to hell with this’ and went into off-duty mode,” he said.
In the YouTube video, the software engineer can be heard saying ‘Oh my God! I broke it’ after leaving the bathroom.
He told MailOnline: “Some people have misinterpreted the video and think I was actually trying to make the toilet inaccessible, rather than simply showing that it could be done – that’s not the case at all.”
‘Besides, I only showed it because I could do it without bothering anyone; the train was silent, there was no one around and there were several toilets anyway.’
Landau, who works for software library OpenSSL, describes himself as a “hacker and reverse engineer.”
“I think computers should be under the control of their owners and no one else, in a world that seems to be going in the opposite direction,” he says.
‘The idea of hardware that the individual user can trust to be on their side has never been more important or more in danger.
“Interestingly, this is not the first DoS vulnerability I have found on a train, but I will have to wait for another article.”
MailOnline has contacted Great Western Railway for comment.