Vulnerabilities in Car Washes

Articles about serious vulnerabilities in IoT devices and embedded systems are now dime-a-dozen. This one concerns Internet-connected car washes:

A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the systems to physically attack vehicles and their occupants. The vulnerabilities would let an attacker open and close the bay doors on a car wash to trap vehicles inside the chamber, or strike them with the doors, damaging them and possibly injuring occupants.

Posted on August 1, 2017 at 5:47 AM • 7 Comments

Comments

albert • August 1, 2017 4:36 PM

Yeah, it's funny...until someone gets hurt, or worse.

Can someone out there tell me why in the hell automated systems allow remote -operation-?

Perhaps this explains it:

"...Gerald Hanrahan of PDQ wrote. "This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed. Our technical support team is standing ready to discuss these issues with any of our customers."..."

What a load of bull. Network firewalls and different passwords? Gimme a break.

What they need is a system designer who knows how to specify automatic control systems. Software-based safety systems are -not- safe, and they're certainly not fail-safe.

. .. . .. --- ....

Petro • August 4, 2017 10:50 AM

Local gas stations went from a serial-controlled, out-of-band carwash to a networked system that sits on the store network. Suddenly the Windows 7 tablet in the store would let attendants do everything from nightly shutdown mode, to open the doors and curtains, run test washes, and even dispense extra rollers to grab car tires on the feed belt. I imagine, given the fact that remote support was able to do the same, these carwashes would be no problem to exploit.

albert • August 4, 2017 11:47 AM

@Petro,

What could possibly go wrong?

Even without exploitation...

. .. . .. --- ....


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.