BLACK HAT USA – Hackers turn car washing machines in a mortal trap

BLACK HAT USA – Experts show how hackers can cause physical damage to vehicles and injure drivers by remotely hacking a connected car washing machines.

What about hacking into Internet-connected car wash machines?

It is a scarring scenario, hackers from anywhere in the world could transform car washing machines into death traps.

In a talk at the Black Hat 2017 conference in Las Vegas, the popular hacker Billy Rios, founder of security shop Whitescope, and Jonathan Butts, committee chair for the IFIP Working Group on Critical Infrastructure Protection, demonstrated how to compromise widely used control systems for car washing machines. The experts hacked: the Laserwash series manufactured by PDQ.

The Laserwash systems can be remotely controlled via a web-based user interface:

The control system is an embedded WindowsCE computer powered by an ARM-compatible processor.

As you know, Microsoft no longer provides security updates for this specific OS, this means that hackers can exploit known vulnerabilities to remotely execute code on the system and fully compromise it.

Another possibility for attackers consists in the exploitation of the lack of secure installs, for example, the security duo had found a suitable car wash exposed online with the default password 12345. Once logged in from their browser, they were given full control of the system with serious consequences.

“Car washes are really just industrial control systems. The attitudes of ICS are still in there,” Rios said. “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. We think this is the first exploit that causes a connected device to attack someone.”

The duo presented to the audience how they managed to bypass the safety sensors on the car wash doors to close them on a car entering the washer. Of course, the hackers can conduct more destructive attacks controlling the entire car washing machine, the can control the bay doors and use them to either lock the vehicle in or strike it and its occupants. Hackers can also take control of the robotic washing arm and hit the vehicle and its occupants.

“We controlled all the machinery inside the car wash and could shut down the safety systems,” he said. “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.”

The experts reported their findings to PDQ in February 2015, but they received a reply from the company only when their talk was accepted for Black Hat, then the manufacturer turned out that it wasn’t possible to patch against such kind of attacks.

PDQ alerted its customers and urged them to change their default password or protect the car washing machines with network appliances that will filter incoming traffic.

The ICS-CERT issued a security advisory on Thursday, warning of the presence of the vulnerabilities in several models of PDQ’s LaserWash, Laser Jet and ProTouch automatic car wash systems.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access to the affected system and to issue unexpected commands to impact the intended operation of the system.” states the CERT.

Below the list of recommendations for the users:

PDQ recommends that users apply the following controls:

Always make sure any PDQ equipment is not accessible from the Internet; it should be behind a secure firewall.
Whenever a machine or router is received and installed, always change the default password from the factory settings to a new password unique to the machine. If an existing site is still using the factory default passwords on a machine or router, immediately change the default password to a new, unique, strong password.
Always set up the system network (router or Wi-Fi) with its security features enabled such that they require a username and password to be able to access the machine network.
Do not set up the site router with “port forwarding” enabled. This can effectively expose the system to the Internet and may permit an unauthorized person to reach the machine login screen.
Do not share passwords or write them down in an accessible place where unauthorized users may find them.

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – (car washing machines, hacking)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.