Security researchers have discovered that internet-connected car washes can be hacked to attack vehicles and passengers.
These software vulnerabilities would allow a hacker to open and close the outside doors of a car wash to trap vehicles inside, hit the car with the doors and even strike the car and spray passengers with the system's mechanical washing arm.
The discovery has prompted the researchers to inform the Department of Homeland security of their findings.
According to a report by Vice Motherboard, Billy Rios, the founder of Whitescope security, along with Jonathan Butts of QED solutions, conducted the car wash software research and presented their findings this week at the Black Hat security conference in Las Vegas this week.
'We believe this to be the first exploit of a connected device that causes the device to physically attack someone,' Rios told Vice Motherboard.
Prior to this, Rios has discovered security problems in other systems such as drug pumps for hospital patients, x-rays machines in airports, and buildings that control electric door locks, camera surveillance, lights and elevators.
For this case, Rios and Butts focused on PDQ LaserWash, an automated car wash company that sprays water and wax via a brushless arm.
They're popular in the US because they don't require people to operate them, and its bays have entry and exit doors that are programmed to open and close automatically.
A touch screen menu allows users to select their cleaning option, and commence their car wash.
The system runs on Windows CE software, and because it has a built-in web server to allow technicians to monitor them over the internet, they are vulnerable to hacks.
Rios first became interested in car wash hacks after he heard about a case when technicians misconfigured one in such a way that the mechanical arm struck a van and sprayed the family inside with water, and the driver damaged the van and the car wash as he accelerated quickly to escape.
This year, PDQ allowed the researchers to test the vulnerabilities of the system at a car wash in Washington state.
The PDQ system require a username and password to access, but according to the researchers, the default password can easily be guessed.
While not all the PDQ systems are online, the researchers found over 150 that were using Shodan search engine, which searches for connected devices such as webcams.
The researchers wrote an attack program that bypasses the online authenticating process, monitors when a vehicle is ready to leave the car wash, and causes the exit door to hit the vehicle.
The hacker simply chooses an IP address of a specific car wash, and launch the attack script.
The car wash software tracks where a car is in the wash cycle, making it easy to know when the wash is about exit, and hackers can send a command to close one or both of the doors to trap the car or close the doors on the car to hit it.
The researchers were also able to manipulate the mechanical arm to hit the car or spew water, making it hard for a passenger to escape.
While the car wash's software has systems in place to sense where the car is and prevent such things from happening, the attack script was able to disable these.
The researchers filmed these tests, but the car wash company won't allow them to publish the video.
The researchers informed the Department of Homeland Security and the vendor about their findings and are set to present them in a report at the Black Hat talk in Las Vegas this week.
A spokesperson for PDQ told Vice Motherboard that the company is aware of the Black Hat talk and is working on investigating and fixing the security issues with the system.
- Daily Mail