Automated car washes can be hacked remotely and programmed to “attack” people and damage cars, researchers have said.
The internet-connected control interface used by a range of car washes made by PDQ, a Wisconsin-based manufacturer, contains security vulnerabilities that make it easy for hackers to access, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions said in a presentation at the Black Hat USA security conference in Las Vegas.
What’s more, the car washes are left vulnerable by the same lax security practices that more broadly affect the “Internet of Things”, they said.
For instance, they revealed they had hacked into a real PDQ car wash by using the default administration password, “12345”.
“We’ve written an exploit that can cause a car wash system to physically attack an occupant,” Rios and Butts said in their presentation. “Currently there is no patch for the vulnerability.”
They demonstrated how the machine could be made to unexpectedly close car doors or lower the roller arms to crush the roof of a car.
Aside from the use of default credentials, Rios and Butts found that the machines’ Windows-based web server has two vulnerabilities, including a bug could allow someone to bypass authentication.
The machines, which include LaserWash and ProTouch brands, also transmit usernames and passwords insecurely, allowing them to be stolen.
The Shodan search engine currently lists 150 vulnerable PDQ car washes, the researchers said, and while Rios and Butts investigated PDQ systems they said such problems are likely to be found in other machines as well.
Rios initially found the security flaws in 2015 and at the time he told the Kaspersky Security Analyst Summit in Cancun, Mexico that he had found about one thousand car washes connected to the Internet, in the US and elsewhere.
He notified PDQ at the time but didn’t receive a response until just before Black Hat.
PDQ also advised users to change the default passwords of the car wash and the network router, according to an advisory from ICS-CERT.
In an email sent to The Register PDQ said it was “diligently working on investigating and remediating” the vulnerabilities.
Rios said he initially investigated car washes after a friend who owned a chain of gas stations that included them told him about an incident in which an engineer remotely misconfigured one of the machines.
As a result a rotary arm smashed into a minivan in the middle of a wash and sprayed the interior with water. Both the vehicle and the eqiupment were badly damaged.
“These machines are very dangerous,” he said at the Kaspersky conference. “Turning on and off the lights is cool, but if you create something that causes something to move, you can’t allow them [the manufacturers] to voluntarily opt into” security.
How well do you know the cloud? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…