Posted on July 28, 2017 at 12:44 PM
In recent years, due to security problems found in Internet-enabled medical equipment and cars, the awareness of the safety risks of connected devices has been raised. Unfortunately, the potential harm isn’t found in these fields only.
A group of security researchers discovered vulnerabilities in internet-connected car washes that let hackers remotely hijack the systems and physically attack vehicles and people inside them. These vulnerabilities allow the hackers to open and close the door of the car wash in question and trap vehicles inside or strike them with doors, damaging the vehicles and possibly injuring people.
Billy Rios believes that this is the first situation where a connected device allows a device to physically attack and injure someone. The founder of Whitescope security conducted the research alongside Johnatan Butts of QED Secure Solutions. Their plan is to discuss their findings at the Black Hat security conference in Las Vegas this week.
Rios was behind the exposing of many security problems over the years, including the drug infusion pumps that deliver medicine to hospital patients, airport x-ray machines supposed to detect weapons and building systems that have control of electronic door lock and alarm systems.
Rios focused on the PDQ LaserWash this time, which is a fully-automated car wash system that operates through a mechanical arm. These type of car washes are popular in the US since they don’t require attendants to operate. In most of the facilities, doors are programmed to open and close and there is a touchscreen menu which lets drivers choose how they want their car to be cleaned without any workers involved.
The systems run on Windows CE and have a built-in web server that lets technicians configure and monitor them over the internet. And that’s where the problem is.
Rios and McCorkle studied the PDQ software two years ago and delivered their findings of vulnerabilities at the Kaspersky Security Summit in Mexico in 2015. They believed that these vulnerabilities would let them hijack a car wash system, but weren’t able to test their theory until this year. A facility in Washington state agreed to cooperate, and the researchers’ own pickup truck was used as the victim.
Even though PDQ system requires a username and password in order to access them online, the default password can be easily guessed, the researchers say.
They wrote a completely automated attack script that skirts authentication, monitors when a vehicle is getting ready to exit the wash chamber and make the exit door to hit the vehicle at the relevant time.
Although infrared sensors detected something was in a door’s path to prevent this from happening, the researchers managed to cause the system to disregard the sensors. They could also manipulate the mechanical arm to hit the vehicle or blow water continuously, making it difficult for a trapped occupant to exit the car.
A spokesperson for PDQ stated in an email that it is working on investigating and fixing the security issues with the system.