Test shows carwashes can be hacked, become weapons - Professional Carwashing & Detailing

NEW YORK — A researcher tested his theory that online carwashes could attack vehicles.

NEW YORK — According to www.motherboard.vice.com, a group of security researchers found that internet-connected drive-through carwashes are vulnerable to remote hacking that would allow a hacker to control the systems and physically attack vehicles and their occupants.

One major action that hackers could take would be to close bay doors to trap vehicles inside or strike the cars as they pass underneath, the article continued.

“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Billy Rios, the founder of Whitescope security, said.

Rios conducted the research with Jonathan Butts of QED Secure Solutions; both are speaking about their findings at the Black Hat security conference in Las Vegas, Nevada.

Rios claims that he became interested in studying carwashes after he heard about an incident a few years ago where technicians misconfigured an automatic wash, resulting in the mechanical arm striking a minivan and spraying the family inside with water, the article noted; the driver damaged both the vehicle and carwash when he accelerated to escape it.

Rios and an additional researcher examined the software for a specific set of in-bay wash equipment two years ago and presented the results of the research into the system’s vulnerabilities at Kaspersky Security Summit in Mexico in 2015, the article added.

At the time, the article continued, while they believed the vulnerabilities would allow them to hijack a carwash, they were not able to test the hypothesis until this year, when a touchless carwash in Washington agreed to let them use the facility for a test, with the researchers’ own pickup truck as the victim.

Although the carwash system did require a username and password to access and operate, the researchers claimed that the credentials were easy to guess, and they also found a vulnerability in the authentication process that would allow them to bypass it, the article stated.

They wrote a fully automated attack script that allowed them to bypass authentication, monitor when a vehicle was preparing to exit the wash and cause the exit door to strike the vehicle at the right time using only the IP address for the carwash, the article noted; they were also able to cause the door sensors to ignore the fact that a car was underneath the door.

Furthermore, the article continued, they said they could also manipulate the mechanical arm(s) of the wash to hit the vehicle or constantly spray water — despite the software-based safety mechanism that normally prevents arms from hitting cars — which would make it difficult for the vehicle occupants to escape; however, they did not attempt this during their live tests to avoid damaging the carwash arm.

“If you’re relying purely on software safety, it’s not going to work if there’s an exploit in play,” Rios said. “The only thing that’s going to work [in this scenario] is hardware safety mechanisms.”

Although the researchers filmed the tests, the carwash owner would not let them publish the video, the article added.

A spokesperson for the carwash equipment manufacturer said that the company is aware of the test and presentation Rios will deliver and is working on investigating and fixing these security concerns in the system, the article concluded.
