PDQ LaserWash automatic car wash
As the internet of things truly begins to come online, many researchers have taken on the responsibility of finding exploitable flaws before they can be used to harm others. This time, the target is something as seemingly harmless as an automatic car wash.
However, with the right hacking skills, it turns out an automatic car wash can be pretty harmful. Vice reports a group of security researchers has identified multiple vulnerabilities in automatic car wash systems, specifically in PDQ LaserWash units. "We believe this to be the first exploit of a connected device that causes the device to physically attack someone," Billy Rios, founder of Whitescope security and one of the researchers on the project, said.
The laser wash units are popular because they don't require an attendant on site. Instead, the entire operation is run by software, and a built-in web server allows technicians to configure and monitor the units over the internet. Rios exposed the vulnerabilities two years ago, but recently a facility in Washington state agreed to participate and see if the threats were real. Long story short: they are very real.
The researchers were easily able to bypass passwords and find a vulnerability in the authentication process. From there, they wrote a fully automated attack script that monitors when the vehicle is preparing to exit the wash bay and then strikes the car with the exit door. Further, a hacker can send commands to close both doors to the wash bay at once and trap the vehicle and occupants inside, or an attacker could even send commands to open and close the doors on a vehicle countless times.
It gets worse: an attacker could also gain control of the mechanical arm that sprays wash chemicals and water on the vehicle. For example, researchers said an attacker could spew water continuously at the car to make it nearly impossible for someone to flee from the wash bay. Although the systems have safety guards against much of this, such as infrared sensors to avoid striking objects, the new code easily bypassed all of it.
To be clear, this hasn't actually happened to an innocent car wash customer, but Rios and other researchers plan to submit their findings to the U.S. Department of Homeland Security and will follow with their own report.
Following the successful hack by the researchers, PDQ says it's working to beef up its security and fix issues within its system.