back to article Hackers can turn web-connected car washes into horrible death traps

Forget hijacking smart light bulbs. Researchers claim they can hack into internet-connected car wash machines from the other side of the world and potentially turn them into death traps. In a presentation at the Black Hat conference in Las Vegas on Wednesday, Billy Rios, founder of security shop Whitescope, and Jonathan Butts …

  1. Captain Badmouth

    I just wait for it to rain, me.

    1. adnim Silver badge

      Meh

      I just buy a new car for cash when the old one gets dirty ;-)

      BTW.. hackers can bend anything web connected to their whim, if they are smarter than those that chose the OS, and set up the web interface.

      Q: WinCE? Isn't there a more secure OS out there that is OSS?

      A: Maybe... it depends how it is configured.

      1. Anonymous Coward
        Anonymous Coward

        Re: Meh

        Q: WinCE? Isn't there a more secure OS out there that is OSS?

        Possibly, but not even hackers will be immune to the depression and despair that sets in every time one tries to get something done with WinCE. Not so much security through obscurity, more security through induced suicide...

    2. TRT Silver badge

      Automated car wash?

      I always go for the hand job.

      1. Teiwaz Silver badge

        Re: Automated car wash?

        "I always go for the hand job."

        I know there are bikini car washing services (allegedly, as not anywhere near where I've ever lived) - but how would that work?

        Does someone get in the car with you?

        Or is it some sort of pneumatic arm that gets fitted to the door like drive-in restaurant trays (a-la Flintstones).

    3. Anonymous Coward
      Anonymous Coward

      "I just wait for it to rain, me."

      I just have the car coated with that silicate protective stuff and then explain to anyone who looks like they deserve being bored silly that the car must not be cleaned too much to prevent it being washed away.

      That's my excuse anyway.

      But, you know, hackers are one thing but the people who use powerwashes on their cars don't seem to worry about the consequences of forcing water at pressure into bearings and under rubber boots, or washing off gritty particles at such pressure that they then score the paint. It seems people are quite capable of doing damage themselves.

      1. Captain Badmouth
        Happy

        Re: "I just wait for it to rain, me."

        Over enthusiastic owners of power washers have been known to take off a respray job, too.

    4. breakfast
      Trollface

      Just invite Fran Healy over.

    5. whbjr
      Devil

      Re: "I just wait for it to rain, me."

      Clearly, you don't live in Texas - that's a long wait, here. :-) There are plenty of Laserwash locations in this area - I'm thinking of giving them a try! (With a friend's car, that is, while observing from a safe distance.)

  2. b0llchit
    Thumb Up

    Practical application

    I'm sure the BOFH was already aware of this feature and sent many tech-pushers on their merry cleansed demise.

    1. Anonymous Coward
      Anonymous Coward

      Re: Practical application

      It's a Government mandated backdoor to allow the elimination of their opposition.

      1. Anonymous Coward
        Anonymous Coward

        Re: Practical application

        Backdoors are good for elimination...

  3. Anonymous Coward
    Anonymous Coward

    Automated death traps

    R2! shut down all the car washes on the detention level!

    1. Anonymous Coward
      Anonymous Coward

      Re: Automated death traps

      Seeing how Darth likes to see his helmet washed & waxed every 6 hours, this would have BIG implications.

      1. Tom Paine Silver badge

        Re: Automated death traps

        And who wouldn't?

  4. Another User

    Spaceballs quote

    1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

    1. President Skroob

      Re: Spaceballs quote

      That's amazing. I've got the same combination on my luggage.

      1. hplasm Silver badge
        Happy

        Re: Spaceballs quote

        Oh dear! Now my senses are working overtime...

  5. Spotswood

    Add firewall. Whitelist owner IP address(es), or better, only allow connections secured by a VPN. Problem solved.

    Having an unpatched web server accepting traffic from everywhere is bad karma, regardless of the underlying OS. I mean, a web server that's a control system that really only exists so a small subset of people can access it, really doesn't need to be open to the whole world. That's just lazy and asking for trouble.

    1. Mark 85 Silver badge

      I'd lay odds that the people who own or run automatic car washes don't have a clue about tech and security. Their equipment would have been set up by a contractor or sub-contractor who probably told them to change the password but then the owner or operator promptly forgot.

      1. a_yank_lurker Silver badge

        @Mark 85 - You are assuming the contractor has a clue about security. If the manufacturers do not why would the installing contractor have a clue?

  6. Anonymous Coward
    Anonymous Coward

    You might not ever get rich.

    But let me tell you it's better than digging a ditch.

    Is it really Rose Royce? The internet has now changed that.

    What's next heating systems and a disco inferno?

    Ring my bell when people stop connecting stuff to the internet that doesn't need to be as I'd rather be stayin' alive.

    Must go, I have the 70's on the other line.

  7. Jonski
    Facepalm

    Instructions unclear

    Added firewall, spray from carwash immediately put it out

  8. Swiss Anton

    El Reg goes global

    I heard Iain Thomson, a reporter on the register.co.uk, on the BBC world service earlier today (8:30 BST), re a story about meeellliiiioooons of hackers in Vegas.

  9. TRT Silver badge

    Very useful...

    as a front to launder money from selling crystal meth.

  10. tfewster Silver badge
    Terminator

    ROTM

    FOIP (Fist Over IP) becoming a deadly reality - Now you can hit someone over the internet by controlling a device that moves. Earlier examples, like opening your victims CD tray to push their coffee into their lap, or opening a POS terminal cash drawer to punch them in the gut should have been a warning...

    1. My Alter Ego

      Re: ROTM

      Is there an RFC for FOIP? I want to make sure I implement it properly...

  11. ammabamma
    Paris Hilton

    What is this? I don't even...

    Somebody mind telling me why an industrial control system needs a built-in FaceBook, Youtube, and LinkedIn app?

    1. Phil O'Sophical Silver badge
      Coat

      Re: What is this? I don't even...

      Presumably so it can share selfies of the amaaazing Ferrari it just washed with it's lesser Fiesta-washing brethren?

    2. Anonymous Coward
      Anonymous Coward

      Re: What is this? I don't even...

      built-in FaceBook, Youtube, and LinkedIn app

      You can never be too social.

      Be glad that it doesn't Tweet or (other weird verbs) too.

  12. Anonymous Coward
    Stop

    "We are going to DIE!"

    > “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.”

    That does sound a lot scarier than having the washer doors scratch up your paint job. I'm not buying it tho. A top roller would be mostly counter-balanced so that a small lifting motor could do the job. The remaining weight would be sufficient to keep it pressed to the top of the car, but would not be enough to "crush" the top.

    Alternatively it could be over-balanced so that the motor has to drive the roller down, but that too would be a fairly weak motor.

    Over-designing the system with crushing capability would be pretty daft, and more expensive too, for no possible reason other than to crush tops.

    1. Anonymous Coward Silver badge
      Mushroom

      Re: "We are going to DIE!"

      "provided there was not mechanical barriers in place"

      mechanical barriers... like a car, perhaps?

    2. herman Silver badge

      Re: "We are going to DIE!"

      Yeah, well, don't take a ragtop through a roller wash.

  13. Anonymous Coward
    Anonymous Coward

    Wait, where is the usual ....

    "PDQ takes security of their customers very seriously. As a consequence ..."

    Those morons are really lacking, in the PR department ...

  14. Anonymous Coward
    Anonymous Coward

    reminds me of when ...

    in the days before self-serve petrol pumps, I worked at a garage in a university town to help pay for my tuition and an exotic motorcycle ... one day the professor of the psychology department, (who had just declined my entry to the honours course), came to wash his classic auto :) he stopped just beyond arm's reach to the coin slot ... had to get out to put the coins in ... got smartly back in and broke the window winding handle :) ...

  15. TheElder

    Re Stupid Password

    "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life!

    Many years ago I was employed by a multinational corp. I was in an office with a bunch of text only terminals connected to a very early nationwide network. I was waiting for somebody to give me my new 4 digit employee number. While waiting I decided to see if I could do a little hacking. I sat at one of the terminals and typed 9999. Full admin privileges!

    1. Anonymous Coward
      Anonymous Coward

      Re: Re Stupid Password

      This was Seegson Corporation HQ, right?

      1. TheElder

        Re: Re Stupid Password

        Nope. It was Xerox. I worked on the computer side of things back when Jobs was stealing all he could from PARC. I was even offered a west coast management position but I don't like managing. I now do brain mapping. Turned out to be a good decision.

  16. John Smith 19 Gold badge
    FAIL

    "We controlled all..machinery inside the car wash and could shut down the safety systems,”"

    It's that last part that makes this an epic fail.

    I can (sort of) see a "test" mode where safety cutout switches are disengaged, like for an industrial dryer so it can be watched spinning while the door is open. AFAIK this needs the service engineer to be physically present and to physically do something to make it happen.

    But allowing that to be engaged remotely? Are you f**king kidding me?

    Monitor status of safety systems, yes. Change them remotely, no.

    At heart we have a lot of mfg with the attitude "Security is not important. No one cares about our stuff enough to hack it. There's no money inside it"

    They really don't get that if there's a server on the internet someone somewhere will want to know what it does and they will file that information for mischief or money.

    BTW In a spirit of fairness other no longer supported insecure embedded OSes do exist.

    1. Doctor Syntax Silver badge

      Re: "We controlled all..machinery inside the car wash and could shut down the safety systems,”"

      "Monitor status of safety systems, yes. Change them remotely, no."

      Basic rule: just because you can do something doesn't mean it's a good idea. And the converse also applies: just because it's not a good idea it doesn't mean you can't do it.

      1. John Smith 19 Gold badge
        Unhappy

        Basic rule: just because you can do something doesn't mean it's a good idea.

        "And the converse also applies: just because it's not a good idea it doesn't mean you can't do it."

        Both equally sad.

        And both equally true.

  17. Dave K Silver badge
    WTF?

    Pathetic!

    "The duo said they shared their findings with PDQ in February 2015, and kept trying to warn the biz for two years. It was only when their talk was accepted for Black Hat this year that the manufacturer replied to their emails"

    Attitudes like this absolutely stink. The company has been aware of this flaw for over 2 years and never bothered to respond, never bothered to take it seriously, or contact customers to advise them on remediation etc.

    I honestly feel that companies that treat disclosures like this in such a cavalier and dismissive matter deserve to be sued into oblivion - should anyone exploit the flaw that they've been fully aware of and have done nothing to guard against. Maybe even some legislation to make it clearly a criminal matter to ignore disclosures of security flaws would be a good idea.

  18. Neal McQ

    "PDQ spokesman Todd Klitzke said the car wash maker alerted its customers yesterday, coinciding with the conference presentation"

    This is a key failure: the manufacturer being told in 2015 and waiting until the day before the conference to notify customers.......

  19. Andy Non
    Coat

    As featured on Futurama, just rename them

    "suicide booths".

  20. Anonymous Coward
    Anonymous Coward

    Grace Jones in View to a Kill anyone?

    <EOM>

    1. Anonymous Coward
      Anonymous Coward

      Re: Grace Jones in View to a Kill anyone?

      I didn't know Grace Jones had an IoT interface....

  21. Spacedman
    FAIL

    More things to play with.

    I thought it was going to be an open VNC system. Oh the hours of fun browsing these:

    https://worldofvnc.net/browse.php?id=2774

    Not sure how many are read-only screen mirrors though. I did see one that looked like a nuclear power station...

  22. ForthIsNotDead

    If you're using WinCE to control a freaking CONTROL SYSTEM...

    ...then you really do deserve everything you get.

    These systems should be controlled by robust PLCs. Not fragile PCs. That's not to say PLCs are perfect. We know that security is an issue with a lot of PLC manufacturers, but you can mitigate that with firewalls and VPNs, but they are thousands of times more reliable in terms of just keeping running than a leaky Windows operating system.

    Add to the fact that the vendor was informed TWO YEARS ago by the black-hatters (sounds like a very white-hatty thing to do, IMO) and they clearly don't give a rats ass.

    Then they have the balls to issue a statement saying that all washer systems should be firewalled! If I had one of those systems on my forecourt, my response would be "So when are YOU coming by to put a firewall in, then? Until then, the system is switched off at the main breaker, since world + dog will now be searching the internet for your fucking web-based carwash user interface."

    You really can't make this shit up, can you?

  23. VinceH Silver badge
    Facepalm

    Optional

    Reading this article, thinking back to the various issues with cars that can be hacked, along with many other things - and the growing obsession to connect anything and everything to the internet - I'm thinking that while Stephen King got the cause wrong, he managed to predict what the future could have in store for us in Maximum Overdrive.

  24. Andy The Hat Silver badge

    Film, Book, Play?

    Does this seem like something from a Stephen King novel? "Christine - This time the car gets it." Or "Saw 173 - All Washed Up"

    Be great for getting rid of those "dirty scumbags" from the other gang with little or no evidence (if you use an anonymising system). Little bit of enticement, "Getta your big pappa's car washed here." then crush them, give them the brush off, blow them away, hang them out to dry and polish them off ...

  25. John Smith 19 Gold badge
    Unhappy

    They gave the mfg 2 years to do something about this and the mfg did FA

    Until they finally looked like they were facing public exposure to people who could use the information.

    No Mr Mfg, you didn't think this is your problem, but it became your problem the moment you decided to let your machine be connectable to the internet.

    Personally I don't want them to go out of business, but I suspect they sub-contracted this to someone else, leaving them to do the clanky, electromechanical bits (which can still be a PITA to get right).

    If I'm right they have no one in house who understood what a s**tstorm this could cause.

    But now they are about to find out.

  26. Sam Therapy
    Alert

    True story...

    Going through a car wash a few weeks ago, I said to Mrs Therapy, "I bet some genius decides to connect these things to the net and does shag all about security".

    We made it through in one piece, though. Probably give 'em a wide berth from now on.

    1. John Smith 19 Gold badge
      Unhappy

      "Probably give 'em a wide berth from now on."

      Well that's the thing.

      99% of the time going through a car wash will result in the outside of your car being cleaned and nothing else.

      Unfortunately there is no sign on them that lights up saying "Now under remote control of homicidal nutjob, get out" for the other 1%.

      Making the whole process a lot more "interesting" than most people would want it to be.

      Depending on how widely this is reported in MSM this could do a lot of damage to the mfg reputation.

      Which, given they had this information for 2 years, would be well deserved.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019