Hackers can hijack car washes, remotely trap and ‘physically attack’ people

Vulnerabilities in Internet-connected car washes could be exploited to trap or damage vehicles, as well as 'physically attack' people.

Imagine pulling your dirty vehicle into an automated car wash, but the bay doors slam shut once you’re inside. The foamy soap coats your car, but when the roller arms descend, instead of brushing away the sudsy dirt they come down hard and start crushing your car. It’s likely you would be trapped inside your vehicle, but if you decide to bail from this car-wash-seems-haunted scenario and manage to open the door and jump out…whacka! That’s when you get smacked by a mechanical arm.

It may sound like a scene from a science fiction horror flick, but security researchers Jonathan Butts, founder of QED, and Billy Rios, CEO of Whitescope, said at Black Hat that vulnerabilities in “smart,” internet-connected car wash systems could be exploited to make the car wash attack users.

“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Rios told Motherboard.

Your mind might automatically jump to “hacked” if you experienced such a nightmare scenario, but would your mom’s or grandma’s? Hopefully they will never find out, but criminals or pranksters could remotely exploit the systems.

The security problem starts with the car wash being connected to the internet, even if the web-based user interface gives an owner a way to remotely manage their business. The control system uses an embedded Windows CE computer; WinCE is no longer supported by Microsoft. But it’s not like an attacker needs to find and exploit a hole in the unsupported operating system.

The researchers discovered an authentication bypass in the built-in web server that allowed them to access the control panel. But hey, it’s not like a would-be hacker would need to find a bypass, since most owners can’t be bothered to change the default admin password of 12345.

Car wash flaw discovered in 2015

The vendor knows about the security issues, as the researchers claimed PDQ Manufacturing ignored their warnings for the past two years. They presented their initial findings in 2015 after reporting the bug to the vendor. Yet that didn’t spur a fix.

If it had, then the researchers wouldn’t have kept going, discovering that after connecting to the car wash, they could disable safety mechanisms. The bay doors at the car wash can be made to slam down on the vehicle as it pulls in or close to trap victims inside. The water can be made to spew without ceasing and the mechanical arms can be made to bash vehicles or people who get out of the car during the chaos.

All of this can be automated with a script that attackers could use after scanning the internet to locate the vulnerable car washes. Using the Shodan search engine, the researchers found over 150 online that are just waiting for an attacker to hijack.

Rios pointed out, “Car washes are really just industrial control systems. The attitudes of ICS are still in there. We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. We think this is the first exploit that causes a connected device to attack someone.”

“We controlled all the machinery inside the car wash and could shut down the safety systems,” Butts told The Register. “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.”

ICS-CERT issues an advisory about car wash systems

If the researchers’ 2017 Black Hat presentation, paper (pdf) and slides (pdf) weren’t enough to motivate the vendor to issue fixes, then the advisory issued by ICS-CERT was.

ICS-CERT warned that automatic car wash systems LaserWash, Laser Jet and ProTouch from PDQ Manufacturing were remotely exploitable and that it required a “low skill level to exploit.”

Not that you necessarily know if an in-bay car wash system is connected to the internet, but affected products include LaserWash G5 and G5 S Series all versions, all versions of LaserWash M5, all versions of LaserWash 360 and 360 Plus, all versions of LaserWash AutoXpress and AutoExpress Plus, all versions of LaserJet, as well as all versions of ProTouch Tandem, ProTouch ICON, and ProTouch AutoGloss. They have been installed around the world.

Surprise! PDQ Manufacturing now claims, “We are aware of the presentation at Black Hat USA 2017, and are diligently working on investigating and remediating these issues.” Riiiight. Two years later, they are suddenly concerned and “diligently” working on a patch.

Until the long-awaited fix is developed, ICS-CERT has a list of PDQ’s recommendations for car wash owners “to limit the exploitability of the affected systems.”


Copyright © 2017 IDG Communications, Inc.
