Two US security researchers have found vulnerabilities in smart car wash solutions sold by PDQ, a US-based vendor of Internet-connected car wash equipment and software.
According to the research team, the security flaws could be exploited to cause damage to cars or physical harm to passengers or car wash employees.
The vulnerabilities were discovered back in January 2015, but PDQ ignored the research team for almost two years, even after the researchers published some of their findings two years ago.
The flaws affect PDQ’s LaserWash, LaserJet, and ProTouch car wash rigs, which are sold and installed at car washes across the globe, not just in the US.
Car wash rigs come with a (vulnerable) built-in web server
These complex multi-component devices come with a built-in web server that allows car wash owners and employees to manage the rig from a remote location.
In a presentation at this year’s Black Hat USA 2015 security conference, the research team said they discovered an authentication bypass in this server’s login procedures that allowed them to access the rig’s control panel.
Nevertheless, even if they wouldn’t have discovered the authentication bypass, the research team said that most owners didn’t bother changing the default admin password — 12345 — which granted attackers access to the rig’s full system.
Researchers get creative and develop more dangerous exploits
Researchers reported this bug to PDQ in 2015, but the company failed to patch it. During all this time, while waiting for the company to patch the bug, researchers kept experimenting with the car wash rig.
The research team says they developed new exploits in the past two years that take advantage of the authentication bypass or the default password to connect to a PDQ car-washing rig, disable security sensors, and alter default behavior.
These modifications to default behavior include alterations to door sensors to make the car wash’s doors close when a car or person passes through the frame, damaging cars or hitting people.
In addition, the research team also said they could modify the movement of the washing arm to hit cars, or move the arm close to the car and spew water so people would be trapped in their cars. Similarly, the car wash’s doors could also be modified to trap people inside.
All of these operations could be automated with a script, so an attacker can scan the Internet for exposed servers, upload his script, and watch mayhem take place across the globe.
Vendor promises to fix bug
Because PDQ had failed to patch the initially reported bug and because the research team found ways to truly weaponize their exploits in a novel way, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stepped in and issued a nationwide alert regarding the vendor’s insecure equipment.
It was only after CERT’s involvement that the vendor became responsive and helped issue recommendations for rig owners, such as changing the default password or placing their equipment behind a firewall. The company also promised a patch to fix the authentication bypass.
The team behind this research is comprised of Billy Rios and Jonathan Butts. Rios has a long history of hacking IoT devices. In the last few years, Rios has reported bugs in medical care systems, X-ray scanners, and other industrial equipment. Rios and Butts’ presentation and researcher paper are available online.