‘Yes, Your Car Wash Is On Facebook’

Looking in one of the more obscure corners of the web, Billy Rios discovered how to hack automated car wash equipment.

CANCUN–When (or if) people think about the security of the devices they interact with and use on a daily basis, the machines that run their local car wash probably aren’t high up on that list. But, like everything else with a computer for a brain these days, those machines are connected to the Internet. And Billy Rios can hack them.

Rios has spent years pulling apart the innards of all kinds of automation equipment, mostly in the ICS and SCADA realms. But now that TVs, parking meters, dishwashers and everything else under the sun comes with an embedded Web server and other potential targets, he has begun having a look at what surprises those devices hold, as well. Looking in one of the more obscure corners of the web, he discovered automated car wash equipment online.

The device he researched has a considerable attack surface. The device was running a version of Windows CE on an ARM processor and after a bit of poking around, Rios found that it also had Telnet enabled and a default five-character password and default username.

“If you know that default username and default password you can do a lot of interesting things,” Rios said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday. “You car wash can send you emails and yes, your car wash is on Facebook, too.”

The car wash device controls the mechanisms that wash the top and bottom of a car and by sending special POST requests to the device, an attacker could cause some mischief, such as changing the kind of wash a car is getting. But more seriously, if an attacker was able to access the device, he also could disable the safety sensors on the back and front doors of the wash bay, which prevent them from coming down on a person or vehicle.

The problem isn’t limited to one manufacturer or one industry or one kind of device. Lack of security in Internet-enabled devices is spread across the board.

“Remote access changes your threat model. But to be honest, I don’t think we can trust the makers,” Rios said, referring to manufacturers of all sorts of gear with embedded computers and remote access capabilities. “The people who made that car wash won’t understand any of things we just talked about, like SQL injection or buffer overflows. We’re going to see this in other IoT places as well.”

Security researchers have been turning their attention to the growing crop of non-PC devices that contain computers, WiFi, Bluetooth and other capabilities, and what they’re finding in terms of security controls is typically pretty bad. Many of companies rushing to Internet-enable everything they make aren’t spending a lot of time thinking about the security implications of what they’re doing, but the attackers are.

“It’s asymmetric. The knowledge in attacking these things is very high and it’s very low in defending,” Rios said.

Suggested articles