Smart car wash systems can be hacked and hurt people

Two years after American security researchers Billi Rios and Terry McCorkle first flagged serious vulnerabilities in automatic, ‘smart’ car wash systems sold by a US-based vendor of internet-connected car wash equipment and software, PDQ, the company is finally acknowledging the danger.
According to the research team, the hackers can attack a system which would allow them to take over a smart car wash – then remote-control it to crush the cars inside. Security flaws could be exploited to cause damage to cars or more importantly, injury or loss of life of customers or car wash employees.
Rios, founder of security shop Whitescope, and researcher Jonathan Butts, founder of QED Secure Solutions, have finally managed to prove that the vulnerabilities can be exploited in a live setting. Speaking at the Black Hat Hacker conference in Las Vegas, Rios said, ‘We think this is the first exploit that causes a connected device to attack someone.
‘We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. Car washes are really just industrial control systems.’
The flaws affect PDQ’s LaserWash, LaserJet, and ProTouch car wash rigs, which are sold and installed at car washes across the globe, not just in the US.
The unearthed vulnerabilities could allow attackers to access the system’s built-in web server either through the use of a rarely changed and easily guessable password, by sniffing login information as it is transmitted in unencrypted form, or by simply using an authentication bypass exploit.
The researchers showed off that Laserwash car installations were vulnerable to an attack via the internet – because the machines can be connected so owners can keep an eye on them.
The vulnerabilities were discovered back in January 2015, but PDQ ignored the research team for almost two years, even after the researchers published some of their findings two years ago. Also, their talk about the issues was accepted to Black Hat USA 2017, and the company obviously realized it could not afford to ignore them any longer.

Leave a Reply

Your email address will not be published.