I hacked a train toilet

2024-01-28 03:10:56

The other day I rode on a Class 800 train in the UK. This is the “Intercity
Express” train designed to replace the venerable HST (Intercity 125 with Mark 3
coaches, a train of which I have many memories and which I will dearly miss).

Modern trains in the UK have disabled toilets with power-operated doors. The
older models of these toilets had “open”, “close” and “lock” buttons on the
inside, where you had to press “close”, wait for the door to close, and then
press “lock”. There is no separate “unlock” button; pressing the “open” button
on the inside automatically unlocks and opens the door.

Of course, there is a reason for the separation of the closing and locking
functions, but not the opening and unlocking functions: it avoids a Denial of
Service attack where someone can simply press “close” and then jump out before
the door closes. If the inside “close” button automatically locked the door,
this would result in the toilet becoming permanently inaccessible.

The problem with this design is that most people don't understand state
machines, and this design confused a lot of people who were unable to lock the
door correctly, or believed they had locked the door when they hadn't.

The toilet door controls state machine (on older trains)

As a result, the newer disabled toilets on trains tend to have a lever you have
to move to lock the door:

Train disabled toilet interior controls (Class 800)

This design is an improvement since it is more intuitively understandable to
most people. Except of course, this lever is not a “real” lever directly
connected to a locking mechanism but just an input to a microcontroller. This
raises the question of what happens when the state of the lever doesn't match
up with the state of the door and how the microcontroller deals with that.

Some models of train in the UK solve this robustly by having the lever spring
back to the “unlocked” position if you try to move it to the “locked” position
when the door is open. Presumably this lever-return mechanism is
electromagnetically activated whenever the door is in the wrong state for the
lever to be active.

Hitachi, however, have chosen a different strategy: a tiny metal pin is
projected whenever you shouldn't be able to move the door handle from
“unlocked” to “locked”. This pin itself locks the lock handle in the unlocked
position.

The problem with this is that there is some play in the lever around when
exactly the microcontroller detects the lever as being in the “locked”
position. As such, you can close the door, then hold the lever just past the
point at which the locking pin could engage with it, but not to the point where
it reads as “locked”. Then you can open the door, but the locking pin projects
into thin air; thus the lever is free and can be moved to the locked position.
The door close button remains active and you can then close the door. I
confirmed that the door will then immediately lock as soon as the door is
closed. Since I could do this and then jump out before the door closes, this is
effectively a toilet DoS vulnerability on a train.
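To make the interlock gap concrete, here is a small simulation added to this page; it is not code from the post, from Hitachi, or from any train's firmware, and every name, angle and threshold in it is invented. It models the lever design described above: a pin that can only block the lever while it sits near the “unlocked” end, and a controller that reads the lever as “locked” only past a later threshold, leaving the play the post describes. The naive controller locks the moment the door closes with the lever reading “locked”; the edge-triggered variant only honours a lever transition it observes while the door is already closed, so a reading inherited from before the door closed is discarded and the lever has to be cycled again.

```python
"""Toy model of a lever-locked train toilet door (added illustration, not the
post's or any manufacturer's code). All geometry and names are invented."""
from dataclasses import dataclass, field

# Invented lever geometry, in degrees (0 = fully unlocked, 30 = fully locked).
PIN_ENGAGE_MAX = 10.0   # the pin can only block the lever while it is at or below this
LOCK_READ_MIN = 20.0    # the controller reads the lever as "locked" from here on
# Angles between the two are the "play": past the pin, but not yet read as locked.


@dataclass
class Door:
    closed: bool = False
    locked: bool = False
    lever_angle: float = 0.0
    pin_out: bool = False
    log: list = field(default_factory=list)


def lever_reads_locked(d: Door) -> bool:
    return d.lever_angle >= LOCK_READ_MIN


def move_lever(d: Door, target: float) -> bool:
    """Mechanics of the lever: the pin blocks it only if it is projected and the
    lever has not already passed the point where the pin can engage."""
    if d.pin_out and d.lever_angle <= PIN_ENGAGE_MAX < target:
        d.log.append(f"lever blocked by pin at {d.lever_angle}")
        return False
    d.lever_angle = target
    d.log.append(f"lever -> {target}")
    return True


class NaiveController:
    """Locks whenever the door is closed and the lever reads 'locked'. It trusts
    the pin to have stopped the lever from being moved while the door was open."""
    def update(self, d: Door) -> None:
        d.pin_out = not d.closed          # pin is projected whenever the door is open
        d.locked = d.closed and lever_reads_locked(d)


class EdgeController:
    """Locks only on an unlocked->locked lever transition observed while the
    door is already closed. A 'locked' reading inherited from before the door
    closed is ignored, so the lever has to be cycled before the door will lock."""
    def __init__(self) -> None:
        self._prev = False

    def update(self, d: Door) -> None:
        d.pin_out = not d.closed
        reads = lever_reads_locked(d)
        if not d.closed:
            d.locked = False
        elif reads and not self._prev:
            d.locked = True
        elif not reads:
            d.locked = False
        self._prev = reads


def set_lever(d: Door, ctl, angle: float) -> bool:
    moved = move_lever(d, angle)
    ctl.update(d)
    return moved


def press_close(d: Door, ctl) -> None:
    d.closed = True
    d.log.append("door closed")
    ctl.update(d)


def press_open(d: Door, ctl) -> None:
    """Inside 'open' button: unlocks and opens in one action, as on the real trains."""
    d.locked = False
    d.closed = False
    d.log.append("door opened")
    ctl.update(d)


def honest_use(ctl) -> Door:
    """Close the door, then move the lever fully: both controllers lock."""
    d = Door()
    ctl.update(d)
    press_close(d, ctl)
    set_lever(d, ctl, 30.0)
    return d


def pin_blocks(ctl) -> tuple:
    """Door open, lever at rest: the pin stops the lever, nothing locks."""
    d = Door()
    ctl.update(d)
    moved = set_lever(d, ctl, 30.0)
    return moved, d


def play_gap_sequence(ctl) -> Door:
    """The sequence from the post: close, park the lever in the play gap, open
    (pin projects into air), move the lever to 'locked', close again."""
    d = Door()
    ctl.update(d)
    press_close(d, ctl)
    set_lever(d, ctl, 15.0)   # past the pin, not yet read as locked
    press_open(d, ctl)        # pin comes out but cannot reach the lever
    set_lever(d, ctl, 30.0)   # now reads as locked with the door open
    press_close(d, ctl)       # close button is still active
    return d
```

Run `play_gap_sequence(NaiveController())` and the returned door is closed and locked with nobody inside; the same sequence against `EdgeController()` ends closed but unlocked, and `honest_use` locks under both, so the fix costs an ordinary user nothing. The general point is the one the post makes about state machines: a controller that acts on a sensor's current reading, rather than on the transition it was designed around, inherits whatever state the mechanical interlock failed to prevent.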

I’ve posted a video here where I demonstrate this issue.


You can also see the locking pin in the picture above. Ordinarily, it should not
be seen projected, but because I have the handle at the precise point where
the logic thinks it is in the unlocked position but far enough away from it that
the locking pin can't make contact, the locking pin has projected into air.

This is the second opportunity I've had to test this issue on the Class 800. On
this particular occasion when I was testing this vulnerability, I seem to have
actually confused the toilet door controller enough that it decided “screw
this” and went into out-of-order mode, which didn't happen the first and
earlier time. The toilet was working again when I alighted from the train; I
don't know if it reset automatically after some interval or if someone on the
train reset it.

Amusingly this isn't the first DoS vulnerability I've found on a train — but
that will have to wait for another article.


For people who missed it, a recording of my 37C3 talk “Adventures in Reverse Engineering Broadcom NIC Firmware” can be found here.
