When a car wash gets hacked, it’s time to start securing IoT
In 2015, security researchers Charlie Miller and Chris Valasek made waves about securing IoT at the Black Hat security conference when they demonstrated how they hacked a Jeep Cherokee, taking control of the radio, GPS, engine, steering wheel and even brakes — albeit only at speeds of 5 mph or less. The duo was back last year, showcasing how they could control the engine and brakes at faster speeds.
At last week’s Black Hat 2017, one of the most newsworthy exploits was not a hack of a car, but a car wash. Researchers Billy Rios, the founder of WhiteScope, and Jonathan Butts, Ph.D., founder of QED Secure Solutions, discovered that a car wash can be breached, and with possibly life-threatening consequences for passengers. “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash,” Rios told The Register. “We think this is the first exploit that causes a connected device to attack someone.”
In their presentation, the researchers demonstrated how a LaserWash car wash system from the manufacturer PDQ could be breached. An attacker could close one or both doors, trapping passengers inside. To keep passengers in the vehicle, a hacker could command the car wash to blast water constantly at the vehicle, making it a challenge to open its doors. If a driver attempts to escape the hacked device while the car wash’s door is open, the hacker could command a door to open and close repeatedly to strike when passengers exit the vehicle. Or the attacker could hit the car or passengers with a mechanical arm within the car wash.
Rios and Butts were able to hack the system by bypassing the authentication mechanism without even using default passwords, enabling them to manipulate a variety of functions.
The researchers pointed out that the entire platform for the washing machine operates Windows CE, which Microsoft killed off in 2013. Sadly, manufacturers are still building futuristic devices like an Internet-connected car washing machine on an end-of-life platform.
[IoT Security Summit, co-located with Blockchain360 and Cloud Security Summit, explores how industry-wide security, privacy and trust can be established to unlock the full potential of IoT. Get your ticket now.]
While not all of the car wash models are connected to the Internet, at least 150 are, according to the Shodan search engine, which catalogs IoT devices connected to the public-facing Internet. Who would have thought five years ago that car washes could be Internet connected or that the simple act of going to a car wash could possibly be a life-threatening activity?
While the presentation should serve as yet another wakeup call about the problems inherent in securing IoT, I wasn’t sure of what to make of the researchers’ claim that they reached out to the manufacturer to report the breach in 2015 and were completely ignored until their talk on the subject was accepted at Black Hat. (PDQ wrote in a note to Vice that it is now working to address the security problem.) Why would someone create a product, put it out on the market and feel comfortable when they hear that their device is potentially putting lives at risk?
These and more questions baffle me, but one thing is imminently clear from this research on securing IoT: It has never been more important to achieve full visibility, control and awareness of IoT devices. Furthermore, analyzing their operating systems and the areas of the network they access have never been more important. Of course, I have a self-serving opinion on the matter, but when lives are put at risk from IoT devices, there is no time to sit around and wait to see what happens.