Automated car washes can be hacked remotely and programmed to “attack” people and damage cars, researchers have said.
The internet-connected control interface used by a range of car washes made by PDQ, a Wisconsin-based manufacturer, contains security vulnerabilities that make it easy for hackers to access, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions said in a presentation at the Black Hat USA security conference in Las Vegas.
What’s more, the car washes are left vulnerable by the same lax security practices that more broadly affect the “Internet of Things”, they said.
For instance, they revealed they had hacked into a real PDQ car wash by using the default administration password, “12345”.
“We’ve written an exploit that can cause a car wash system to physically attack an occupant,” Rios and Butts said in their presentation. “Currently there is no patch for the vulnerability.”
They demonstrated how the machine could be made to unexpectedly close car doors or lower the roller arms to crush the roof of a car.
Aside from the use of default credentials, Rios and Butts found that the machines’ Windows-based web server has two vulnerabilities, including a bug that could allow someone to bypass authentication.
The machines, which include LaserWash and ProTouch brands, also transmit usernames and passwords insecurely, allowing them to be stolen.
The Shodan search engine currently lists 150 vulnerable PDQ car washes, the researchers said. Although Rios and Butts investigated only PDQ systems, they said such problems are likely to be found in other manufacturers’ machines as well.
Rios initially found the security flaws in 2015 and at the time he told the Kaspersky Security Analyst Summit in Cancun, Mexico that he had found about one thousand car washes connected to the Internet, in the US and elsewhere.
He notified PDQ at the time but didn’t receive a response until just before Black Hat.
PDQ also advised users to change the default passwords of the car wash and the network router, according to an advisory from ICS-CERT.
In an email sent to The Register, PDQ said it was “diligently working on investigating and remediating” the vulnerabilities.
Rios said he initially investigated car washes after a friend who owned a chain of gas stations that included them told him about an incident in which an engineer remotely misconfigured one of the machines.
As a result, a rotary arm smashed into a minivan in the middle of a wash and sprayed the interior with water. Both the vehicle and the equipment were badly damaged.
“These machines are very dangerous,” he said at the Kaspersky conference. “Turning on and off the lights is cool, but if you create something that causes something to move, you can’t allow them [the manufacturers] to voluntarily opt into” security.