Hacking a car wash?

News Special Projects

Just when you think you’ve heard it all when it comes to connected devices being hacked, Black Hat rolls around and makes you reconsider what you thought were the most bizarre things ever hacked.

Thoughts may immediately jump to the latest and greatest connected IoT wearable or something odd like Google Glass — both good guesses — but they’d be wrong. Chances are you would never guess, but we’ll wait while you glance up again at the title of this post.

You see, researchers Billy Rios and Jonathan Butts discovered that car washes could be hacked. OK — I know it does not sound all that exciting, but the researchers also noted that they had possibly discovered the first exploit that could cause physical harm to a person. [Ed. note: The Jeep hackers might beg to differ.]

The veteran researchers looked into the PDQ LaserWash after hearing about how a misconfigured machine hit a car with a mechanical arm and doused the occupants with water.

Like many IoT devices and machines, car washes can be filed under “Things you would never have thought needed to be online.” And like many devices, the LaserWash had default passwords that the researchers said were easy to guess.

Once inside the system, the researchers were able to find areas of manipulation including opening and closing bay doors, spraying water, and disabling the infrared sensors. Those may seem harmless, but the researchers also showed a video where they made the bay door crash on a car, which could do some serious damage to a vehicle or the people inside. If the hackers were feeling extra sassy, they could send an e-mail detailing the accident or posting it straight to Facebook.

The e-mail function could be useful for the business owners and technicians for tracking issues and usage of the car wash; I still can’t figure out why a car wash would need the ability to post to Facebook.

The researchers also noted that although they disclosed the vulnerability to the manufacturer, there is no patch as of Black Hat 2017.

The work done by Rios and Butts further highlights the need for everyone to change default passwords and think twice before connecting a device to the Internet. Although this was a test on a seemingly benign system, a car wash is a mini industrial control system that if used inappropriately could inflict some pain and suffering to innocent people.

Hacking electricity, water, and food

I hope this winds up being the weirdest thing we see hacked this week. But as they say, What happens in Vegas… actually, forget that — we’ll tell you about it on Kaspersky Daily and share it with you on Facebook.