Two University of California, Santa Cruz students uncovered a significant security vulnerability in internet-connected washing machines, potentially allowing millions of users to do laundry for free.
Unveiling a Security Flaw in Laundry Machines
Alexander Sherbrooke and Iakov Taranenko discovered the flaw in machines owned by CSC ServiceWorks. By exploiting the API of the machines' app, TechCrunch reported that the students were able to remotely start the machines without payment and manipulate laundry account balances to display millions of dollars.
Operating over a million laundry and vending machines across colleges, multi-housing communities, laundromats, and more in the US, Canada, and Europe, CSC ServiceWorks acknowledged the issue and is working to address the security lapse. The discovery highlights the growing concerns around the security of internet-connected appliances and the potential risks they pose.
CSC ServiceWorks did not respond when Sherbrooke and Taranenko reported the security vulnerability through emails and a phone call in January.
However, the students noted that despite the lack of communication, the company quietly corrected the issue by erasing the false millions in their accounts after being notified.
The students' frustration with CSC ServiceWorks' lack of response led them to share their discoveries publicly. They revealed that the company has a published list of commands that allows connection to CSC's internet-connected laundry machines.
CSC's security flaw is a stark reminder that the security of internet-connected devices, or the Internet of Things (IoT), remains unresolved.
While CSC may bear the risk for this specific vulnerability, similar lax cybersecurity practices in other instances have allowed hackers or company contractors to access strangers' security camera footage or gain control of smart plugs.
This ongoing issue highlights the need for robust security measures in the rapidly expanding IoT landscape. Security researchers frequently discover and report these vulnerabilities before they can be exploited. However, this proactive approach is ineffective if the responsible company fails to respond.
The students shared their findings with the CERT Coordination Center at Carnegie Mellon University, which assists security researchers in disclosing vulnerabilities to vendors and offering solutions to the public.
After waiting beyond the standard three months typically given to vendors to address flaws, the students now provide more details about their discovery. They presented their research at their university's cybersecurity club earlier in May.
Unanswered Concerns
Taranenko was disappointed by CSC's lack of response to their vulnerability discovery, questioning how such errors could occur in a company of its magnitude without any avenue for communication.
He highlighted the potential consequences, suggesting that individuals could exploit the flaw to add funds to their accounts, leading to significant financial losses for CSC. Taranenko proposed a simple solution: maintaining a single monitored security email inbox could mitigate such risks.
Nevertheless, the researchers maintain their determination despite CSC's silence. Taranenko expressed willingness to invest time in contacting their help desk, believing it could assist the company in resolving its security concerns.
He highlighted the satisfaction derived from conducting real-world security research, contrasting it with the simulated competitions typically encountered.
Related Article : DDoS Assault Paralyzes Cambridge, Other UK Universities' Janet Network, Causing Widespread Disruption