Automated car washes can be hacked remotely and programmed to “attack” people and damage cars, researchers have said.
The internet-connected control interface used by a range of car washes made by PDQ, a Wisconsin-based manufacturer, contains security vulnerabilities that make it easy for hackers to access, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions said in a presentation at the Black Hat USA security conference in Las Vegas.
What’s more, the car washes are left vulnerable by the same lax security practices that more broadly affect the “Internet of Things”, they said.
For instance, they revealed they had hacked into a real PDQ car wash by using the default administration password, “12345”.
“We’ve written an exploit that can cause a car wash system to physically attack an occupant,” Rios and Butts said in their presentation. “Currently there is no patch for the vulnerability.”
They demonstrated how the machine could be made to unexpectedly close car doors or lower the roller arms to crush the roof of a car.
Aside from the use of default credentials, Rios and Butts found that the machines’ Windows-based web server has two vulnerabilities, including a bug that could allow someone to bypass authentication.
The machines, which include LaserWash and ProTouch brands, also transmit usernames and passwords insecurely, allowing them to be stolen.
The Shodan search engine currently lists 150 vulnerable PDQ car washes, the researchers said, and while Rios and Butts investigated PDQ systems they said such problems are likely to be found in other machines as well.
Rios initially found the security flaws in 2015 and at the time he told the Kaspersky Security Analyst Summit in Cancun, Mexico that he had found about one thousand car washes connected to the Internet, in the US and elsewhere.
He notified PDQ at the time but didn’t receive a response until just before Black Hat.
PDQ also advised users to change the default passwords of the car wash and the network router, according to an advisory from ICS-CERT.
In an email sent to The Register PDQ said it was “diligently working on investigating and remediating” the vulnerabilities.
Rios said he initially investigated car washes after a friend who owned a chain of gas stations that included them told him about an incident in which an engineer remotely misconfigured one of the machines.
As a result a rotary arm smashed into a minivan in the middle of a wash and sprayed the interior with water. Both the vehicle and the equipment were badly damaged.
“These machines are very dangerous,” he said at the Kaspersky conference. “Turning on and off the lights is cool, but if you create something that causes something to move, you can’t allow them [the manufacturers] to voluntarily opt into” security.