Car Wash Hacking: Researchers Hijack System To Attack Vehicles, Employees

Security researchers discovered a number of vulnerabilities in an internet-connected car wash system that could put drivers, their vehicles and car wash employees in harm’s way.

Billy Rios and Jonathan Butts, the United States-based researchers who discovered the vulnerabilities, found flaws in the LaserWash, LaserJet and ProTouch car washing systems offered by American car wash equipment venter PDQ.

Read: IoT Security: Nearly Half Of Businesses Experience Breaches Because Of Internet Of Things

The car wash systems sold by PDQ—which are used in the U.S. and around the world—have a built-in web server that allows the car wash employees to communicate with and manage the machine remotely.

The researchers discovered a way to bypass the web server’s login procedures and gain unauthorized access to the machine’s control panel. In most cases though, the researchers found they didn’t even need to bypass the authentication system; most businesses didn’t bother to change the default admin password of “12345” and could easily gain access by simply entering the default credentials.

Once logged into the server remotely, the researchers found they could make a number of changes to the operation of the car wash.

They could disable security sensors or change door sensors that keep the car wash door from closing before a car has completely entered through the frame, allowing the door to hit the roofs of cars as they drive in or coming down on people standing near the door.

Read: Are Smart Home Devices Safe? Indoor Mapping Data Collection Poses Privacy Risk

The researchers also managed to change how the washing arm moved. They were able to hit a car with the arm or even use the arm to effectively trap a person inside their car by blocking the doors of the vehicle with the metal bar and streams of water.

The attacks don’t require manual control from a hacker, either. A malicious actor could write an automated script that could carry out all of the commands, upload it to the car wash’s web server and have it run every time a car enters the wash.

While the vulnerabilities are worrying enough on their own, even more troubling is the fact the researchers reported the security vulnerabilities to PDQ in January 2015. The company took no action to fix the problem for nearly two years.

It took a nationwide warning issued to car wash owners by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a government organization that helps companies identify and fix security vulnerabilities, for PDQ to finally act.

Once ICS-CERT became involved, the company helped operators of its equipment secure the machines by changing the default password and creating a firewall to protect the web server from unauthorized access. PDQ also promised to patch the authentication bypass that allowed the researchers to access the server.

The car wash flaws are just the latest example of the lax security that often plague internet-connected devices. Internet of Things devices sold to consumers often suffer from the same default password flaw that allows anyone to easily gain access to the device.

Meanwhile, a recent report found nearly half of all companies in the United States that use an Internet of Things (IoT) network have been affected by a security breach that has hurt annual revenue.