NEW YORK — According to www.motherboard.vice.com, a group of security researchers found that internet-connected drive-through carwashes are vulnerable to remote hacking that would allow a hacker to control the systems and physically attack vehicles and their occupants.
One major action that hackers could take would be to close bay doors to trap vehicles inside or strike the cars as they pass underneath, the article continued.
“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Billy Rios, the founder of Whitescope security, said.
Rios conducted the research with Jonathan Butts of QED Secure Solutions; the two are speaking about their findings at the Black Hat security conference in Las Vegas, Nevada.
Rios claims that he became interested in studying carwashes after he heard about an incident a few years ago in which technicians misconfigured an automatic wash, resulting in the mechanical arm striking a minivan and spraying the family inside with water, the article noted; the driver damaged both the vehicle and the carwash when he accelerated to escape it.
Rios and an additional researcher examined the software for a specific set of in-bay wash equipment two years ago and presented the results of the research into the system’s vulnerabilities at Kaspersky Security Summit in Mexico in 2015, the article added.
At the time, the article continued, they believed the vulnerabilities would allow them to hijack a carwash, but they were not able to test the hypothesis until this year, when a touchless carwash in Washington agreed to let them use the facility for a test, with the researchers’ own pickup truck as the victim.
Although the carwash system did require a username and password to access and operate, the researchers claimed that these were easy to guess, and they also found a vulnerability in the authentication process that would allow them to bypass it, the article stated.
Using only the IP address for the carwash, they wrote a fully automated attack script that allowed them to bypass authentication, monitor when a vehicle was preparing to exit the wash and cause the exit door to strike the vehicle at the right time, the article noted; they were also able to cause the door sensors to ignore the fact that a car was underneath the door.
Furthermore, the article continued, they said they could also manipulate the mechanical arm(s) of the wash to hit the vehicle or constantly spray water, despite the software-based safety mechanism that normally prevents arms from hitting cars, which would make it difficult for the vehicle occupants to escape; however, they did not attempt this during their live tests to avoid damaging the carwash arm.
“If you’re relying purely on software safety, it’s not going to work if there’s an exploit in play,” Rios said. “The only thing that’s going to work [in this scenario] is hardware safety mechanisms.”
Although the researchers filmed the tests, the carwash owner would not let them publish the video, the article added.
A spokesperson for the carwash equipment manufacturer said that the company is aware of the test and presentation Rios will deliver and is working on investigating and fixing these security concerns in the system, the article concluded.