From Information Week magazine:
Hackin' At The Car Wash, Yeah
Turns out those drive-through car washes have public Web interfaces that easily can be accessed online, and used to cause physical damage, manipulate or sabotage mechanical operations, or just score a free wash for your vehicle.
Renowned security researcher Billy Rios -- who has exposed security flaws in medical systems used with X-ray machines and carry-on baggage screening machines at TSA checkpoints, among other critical systems -- detailed here this week how something as mundane as an automatic car wash is also hackable from afar. The Web interface in one popular car wash brand's remote access system he studied contains weak and easily guessed default passwords, as well as other features that could allow an attacker to hijack the functions of a car wash.
Rios decided to explore just how exposed car washes were after a friend, who's an executive for a gas station chain that includes car washes, told him a story about how technicians had misconfigured one car wash location remotely. The mistake caused the rotary arm in the car wash to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside. The minivan driver quickly accelerated out of the car wash, badly damaging the equipment, as well as the vehicle.
The story resonated for Rios, who has been studying public safety ramifications of industrial and other critical systems accessible via the Net. "If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly. "I think there should be some distinction between those types of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you can't allow them [the manufacturers] to voluntarily opt into" security, he says.
Rios went to work looking for exposed automatic car washes online, and found them. "I looked for car washes on the Net, there are a couple of hundred" for PDQ LaserWash, the brand he researched, Rios says. PDQ LaserWash runs an HTTP Web server interface for remote administration and control, and the car wash equipment runs on Windows CE with an ARM processor.
"You can log into it and shell into it … it's just an HTTP post request," Rios says of the car wash systems. He says the problem likely isn't isolated to this particular car wash brand he investigated, either. Rios estimates that there are a thousand or others online.
Yeah - these systems are designed with no clue about security. The manufacturer is hardware oriented and probably contracted out the programming to the cheapest bidder.
