Hackin At The Car Wash, Yeah

  /     /     /  
Publicated : 22/11/2024   Category : security


Hackin At The Car Wash, Yeah


Drive-through car washes can be hacked via the Internet, to wreak physical damage or to get a free wash for your ride.



KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Turns out those drive-through car washes have public Web interfaces that easily can be accessed online, and used to cause physical damage, manipulate or sabotage mechanical operations, or just score a free wash for your vehicle.
Renowned security researcher Billy Rios -- who has exposed security flaws in medical systems used with X-ray machines and
carry-on baggage screening machines at TSA checkpoints
, among other critical systems -- detailed, here this week, how something as mundane as an automatic car wash is also hackable from afar. The Web interface in one popular car wash brands remote access system he studied contains weak and easily guessed default passwords, as well as other features that could allow an attacker to hijack the functions of a car wash. 
Rios decided to explore just how exposed car washes were after a friend whos an executive for a gas station chain that includes car washes, told him a story about how technicians had misconfigured one car wash location remotely. The mistake caused the rotary arm in the car wash to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside. The minivan driver quickly accelerated out of the car wash, badly damaging the equipment, as well as the vehicle.
The story resonated for Rios, who has been studying public safety ramifications of industrial and other critical systems accessible via the Net. If [a hacker] shuts off a heater, its not so bad. But if there are moving parts, theyre totally going to hurt [someone] and do damage, says Rios, founder of Laconicly. I think there should be some distinction between those types of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you cant allow them [the manufacturers] to voluntarily opt into security, he says.
Rios went to work looking for exposed automatic car washes online, and found them. I looked for car washes on the Net, there are a couple of hundred for PDQ LaserWash, the brand he researched, Rios says. PDQ LaserWash runs an HTTP Web server interface for remote administration and control, and the car wash equipment runs on Windows CE with an ARM processor.
You can log into it and shell into it … its just an HTTP post request, Rios says of the car wash systems. He says the problem likely isnt isolated to this particular car wash brand he investigated, either. Rios estimates that that there are a thousand or others online.
The Web interface provides the car wash owners access to the business side of the operation, and technicians the ability to adjust the mechanical parts. That interface sits on top of an ICS [industrial control system], like the stuff at a power plant. At the end of the day, it really is an ICS, he says of the engineering Web interface.
All of the calls to the web server go to DLLs, he says. If an attacker were to obtain the default password for the owner or technician and telnet in, he could ultimately wrest control of some of the car wash operations remotely, or manipulate the sales side.
You can log into it and get a shell and get a free car wash with an HTTP GET request, he says. The request is sent to the DLL, which starts the specific type of wash, whether its the premium or quick cycle, for instance. This isnt actually an exploit, its by-design functionality thats built into the device. You just have to get access to the Web interface.
An attacker could also disable the car washs sensors, or open and close the bay doors, as well as the bridge and trolley parts. There are a lot of things you can modify remotely, Rios said in his presentation here.
These machines are very dangerous, and typically, when you have these machines installed someplace, they are only able to be operated by qualified technicians. They could hurt someone. So when you start putting these things online, it changes the threat model dramatically, Rios said. The devices are physically connected together at the car wash via Modbus, a popular industrial network protocol.
The Web interface basically translates the web requests into Modbus, which operates the physical car wash equipment, he says.
Rios says securing the remote access of moving parts in machines requires locking down the software for easily exploitable flaws like SQL injection, buffer overflows, and command injection--and of course using strong authentication rather than default or hardcoded passwords.
Trey Ford, global security strategist with Rapid7, says car washes are just one example of all types of machines and systems sitting vulnerable on the Net. [Rioss] talk was not just about browsing the Internet and firing requests through the browser interface. Theres Modbus: when you start sending machine-level commands giving devices … directions, such as swing the arm out, you can fire those commands.
Its just a matter of adding a string to get a free car wash, or to close the bay doors, Ford says.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Hackin At The Car Wash, Yeah