It is understandable to receive Internet of Things (IoT) related warnings about vulnerable public WiFi or charging spots that can be hacked, but a drive-through car wash? Well, it turns out Internet-connected car washes, or smart car washes, can be hacked to trap a customer inside with their vehicle or even smash the vehicle while they are in it.
IT security researchers Billy Rios and Jonathan Butts of WhiteScope have discovered a critical security flaw in the design of the software that runs a huge number of Internet-connected car washes in the United States. The flaw can allow an attacker to gain remote access to the equipment and take control of the doors, including locking them, and cause whatever damage the equipment is capable of.
Rios originally noted the flaws back in 2015, and since then his mission has been to find as many devices as possible and analyze what they expose to the public web. This time, to take his findings to a new level, both researchers developed an exploit for the flaw and, with the permission of a car wash owner, successfully targeted the system.
The problem exists in PDQ Vehicle Wash Systems, a brushless automated car wash that is operated through software running on Windows CE (Compact Edition) and uses a mechanical arm to spray around the vehicle. It must be noted that Windows CE was initially released in 1996, making it a 20-year-old operating system that Microsoft no longer supports.
The system is protected with login credentials (a username and a password) which are easy to guess, especially if the user has not changed them since the system was installed; in simple words, the researchers say the default credentials are easy to guess.
Once they knew the login details, the researchers exploited the vulnerability and sent remote commands to the car wash system directing it to close the bay doors, trap the vehicle inside, spray as much water and soap as they wanted, and even smash the vehicle around, which can be life-threatening for customers trapped inside.
In a conversation with MotherBoard, researchers explained that “We believe this to be the first exploit of a connected device that causes the device to physically attack someone.”
Both researchers demonstrated their findings at the Black Hat security conference in Las Vegas.
This is not the first time Billy Rios and Jonathan Butts have identified critical vulnerabilities in an IoT system. Previously, both researchers identified life-threatening vulnerabilities in hospital drug pumps which could be exploited to remotely administer a fatal dose of medication to a patient.
A couple of months ago, the researchers also exposed another life-threatening vulnerability in pacemakers which could be exploited to conduct potential ransomware attacks on a targeted device.
In this era of technology, almost everyone owns an IoT device. While there is a lot that can be done to secure smart devices, users must at least change the default credentials of their IoT devices and use a strong password instead. Furthermore, keep your operating system updated and use protection against cyber attacks. Stay safe online.
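As an added defender-side example (not from the article, the researchers or PDQ), here is a small Python audit that applies the points above to a fleet inventory: it flags equipment still using vendor default credentials, weak management passwords, a management interface reachable from the Internet, and an end-of-life operating system such as Windows CE, then tallies the findings by severity for triage. The inventory entries, the default-credential list and the `Device`, `audit` and `summarize` names are all constructed for this example.

```python
"""Constructed example: audit an inventory of connected equipment for the
weaknesses described in the car wash findings (default or weak credentials,
Internet-exposed management interface, unsupported OS). The device records
and the default-credential list below are made up for this example."""
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

# Constructed sample of vendor default (username, password) pairs. In a real
# audit this comes from your own asset records of what each vendor ships.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("operator", "1234"),
    ("admin", ""),
}

# OS name prefixes (lower-case) that the audit treats as end of life.
END_OF_LIFE_OS_PREFIXES = ("windows ce",)


@dataclass
class Device:
    name: str
    os: str
    mgmt_ip: str              # address the management interface listens on
    username: str
    password: str
    internet_reachable: bool  # result of a firewall/NAT review of the mgmt port


@dataclass
class Finding:
    device: str
    issue: str
    severity: str  # critical / high / medium


def password_is_weak(password: str) -> bool:
    """Short passwords, or ones drawn from fewer than three character
    classes, are treated as guessable."""
    if len(password) < 12:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


def is_exposed(device: Device) -> bool:
    """Exposed if the firewall review says so, or if the management address
    itself is a globally routable one."""
    addr = ipaddress.ip_address(device.mgmt_ip)
    return device.internet_reachable or addr.is_global


def audit(devices: List[Device]) -> List[Finding]:
    findings: List[Finding] = []
    for d in devices:
        exposed = is_exposed(d)
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            # Default credentials on a reachable interface is the article's scenario.
            findings.append(Finding(d.name, "vendor default credentials in use",
                                    "critical" if exposed else "high"))
        elif password_is_weak(d.password):
            findings.append(Finding(d.name, "weak management password",
                                    "high" if exposed else "medium"))
        if exposed:
            findings.append(Finding(d.name, "management interface reachable from the Internet", "high"))
        if d.os.lower().startswith(END_OF_LIFE_OS_PREFIXES):
            findings.append(Finding(d.name, f"unsupported operating system ({d.os})", "medium"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a fleet can be triaged at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory: three bays, none of them real sites.
SAMPLE_INVENTORY = [
    Device("bay-1", "Windows CE 6.0", "203.0.113.10", "admin", "admin", True),
    Device("bay-2", "Windows CE 6.0", "10.0.5.20", "operator", "Winter2024", False),
    Device("bay-3", "Linux 5.10", "10.0.5.21", "svc-wash", "k9!Qm7#vR2pLx4", False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.device}: {f.issue}")
    print(summarize(audit(SAMPLE_INVENTORY)))
```

Run as a script it lists one critical finding for the bay that combines default credentials with an Internet-reachable interface, which is exactly the combination the researchers relied on; the bay with a private-only interface and a weak but non-default password is rated lower, and the patched Linux bay produces nothing. The severity ladder is a design choice: exposure multiplies the impact of a credential weakness, so the same finding is rated higher when the interface is reachable from outside.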