Also Hackable: Drive-Through Car Washes

PLAR writes It turns out LaserWash automatic car washes can be easily hacked via the Internet to get a free wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords which, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. Rios adds that this probably isn't the only car wash brand that's vulnerable.

Embedded systems devs

Embedded system developers suck at all things internet, especially security.

Re:Embedded systems devs

[pete6677]

They haven't yet gotten used to a world where security by obscurity just doesn't work anymore.

Re:Embedded systems devs

[kwbauer]

Oh yes, the old "you failed because you didn't account for your product to be used in ways it was never intended to be used" reasoning. Many a good company has been bankrupted because juries have been convinced that your statement is actually logical.

Re:Embedded systems devs

[Zero__Kelvin]

Do the world a favour and stay out of the Computer Security Business. 80% of CompSec is anticipating how people might use things in ways they were never intended to be used.

Re:Embedded systems devs

[Zero__Kelvin]

.... and Anonymous Cowards are idiots who believe absurd generalizations. I've got news for you. The entire software developing world is made up mostly of people who don't understand security and such at all things internet. There are Embedded Systems Developers that know about, understand, and care about security and there are many more others who don't. Now, substitute any field with the exception of software security and its vein, and the statement still holds true.

Re:Embedded systems devs

[wolrahnaes]

This is an approach to security that I forget the specific name I've seen it referred to with but basically it's analogized to certain tasty snacks. Hard candy shell, soft creamy filling.

If someone penetrates the defenses, if someone inadvertently or intentionally opens it up wider than originally intended, or if the attacker is an insider you're hosed.

If it can be connected to a network, you can almost guarantee that at some point someone is going to try to connect it to the internet somehow, and at that point any assumptions you've made about external or inherent physical defenses can go right out the window.

Re:Embedded systems devs

[BronsCon]

80% of CompSec is anticipating how people might use things in ways they were never intended to be used.

People, in that context, means "attackers". That does not mean that tie is spent figuring out what unintended uses end users might come up with. Use as prescribed; if inflammation persists, contact your physician.

Re: Embedded systems devs

[BronsCon]

Says the AC contributing nothing to the conversation but personal insults. Bravo.

Re:Embedded systems devs

[Jack+Griffin]

I know security types like to trot out the old security through obscurity line all the time, but the simple fact is that most of the time obscurity is good enough.

Re:Embedded systems devs

[pete6677]

It's good enough, until someone discovers the obscurity and then its not so obscure anymore (or secure).

Re: Embedded systems devs

[BronsCon]

I'm not sure your credentials qualify you to make internet diagnoses of fictional diseases. I do enjoy a good troll, though, so keep at it; if it bothered me, I wouldn't reply. ;)

Or just damage cars

Seems like causing damage to cars or injuring people would be a bigger concern than free car washes. It is a room full of large automated machines after all.

Re: Or just damage cars

[jd2112]

Yes but free car washes could motivate the owners to change the damn default passwords! Not like something trivial like stealing the credit card numbers of everyone who gets a car wash.

What's a car wash?

[mspohr]

Car?
Wash?

Re:What's a car wash?

[iggymanz]

Cars and washing are nothing a slashdot neckbeard living in mom's basement need worry about

Re:What's a car wash?

[mspohr]

Thanks... I was worried that there was something that I was missing.

Some things do not belong on the Internet

[davidwr]

Some things just should never be put "on the Internet."

If you must have remote access, either use a dedicated physical connection (with appropriate anti-tampering/tamper-mitigation measures of course) or tunnel them through a rock-solid VPN, but for goodness sake don't put them "on the Internet."

Yes, companies that run industrial equipment, traffic lights, etc., I'm looking at you too.

Re:Some things do not belong on the Internet

[nitehawk214]

So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

Think about it. Devices need to be connected. Security isn't hard, companies need to start giving a shit about it.

Re:Some things do not belong on the Internet

[msauve]

In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

Re:Some things do not belong on the Internet

[thegarbz]

In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

Processing overhead, installation overhead, and maintenance overhead.

Look at the summary. In most cases people couldn't be bothered setting a password, what makes you think they would setup a VPN given the option? Quite often the interfaces to these devices and some shitty tiny little 8-bit micro bolted onto the back of some ethernet or cellular chip. Coding a VPN is a bit more difficult than spitting single unencrypted numbers to a pre-programmed IP address.

And how much money is preventing someone from getting a free car wash worth?

It's just like that article the other day saying the level indication in petrol stations can be manipulated. Who cares, and how much is the fix worth compared to the cost of just looking to see if the measurement is accurate.

Re:Some things do not belong on the Internet

[msauve]

That's a lengthy strawman argument. But you still fail, the cost of a router which can do an IPSec VPN is under $40.

Re:Some things do not belong on the Internet

[thegarbz]

Are you suggesting that the vendor will double the amount of capital investment in their electronics, implement a 3rd party system for which they have little control, and retrain all their techs to setup VPNs (I work with techs for equipment like this, they are basically out of their depth if they aren't given a PC with IP address set to the correct subnet)?

Or maybe they want to maintain control, guarantee hardware support and a stable system on which to network their platform in which case you can multiply that cost by an order of about 300 per unit. No I'm not kidding. I've been between a battle of the VPN equipment before between a radio system vendor and an oil company. One specified Juniper gear due to their security requirements, the other specified Netgear due to their corporate agreements. After 9 months the decision was made to simply drop a zero on the back of the support agreement and have techs come out every 2 weeks to do things on site because agreeing on a VPN system was too hard.

I don't think most companies could buy a lightbulb for $40 let alone integrate a piece of network security infrastructure into their products for that price.

Re:Some things do not belong on the Internet

[turp182]

A security camera (powered with DVR but not web connected of course) at the entry is all that is needed.

The car wash logs should expose when it was tampered with and who via license plates (excepting a deep break that can override/clear logs, a lot of work for a car wash...).

I think the police would enjoy tracking down people hacking car washes, it would give them positive/fun visibility (local news would eat this up) and probably involve felony level charges for hacking (rather than just stealing a $10 car wash).

In the end it is risk vs. reward for someone considering this, and the risk (felony hacking for a $10 car wash) is just a non-death Darwin award in my opinion.

Of course there is just messing with the car wash without actually using it. I could see someone setting the washes to extra long and then going and paying for one... I'm not worried about safety as the machines can't move beyond certain tolerances, and driving out, even through a door, is not difficult.

Re:Some things do not belong on the Internet

[Zero__Kelvin]

Perhaps you are aware that there are banks on the internet? Every time some system that was never designed to be secure in the first place gets cracked someone always pipes up with this absurd claim, that the problem is that they connected it to the internet in the first place. That isn't the problem, and characterizing that way is absurd. They could have opted to do as you say, and that is certainly a very valid approach. It is, however, not - as you suggest - the only/right choice. They could have opted for option B and secured it, which any relatively competent software developer with an eye toward security could do quite easily by, for example, disabling password based login and only allowing certificate based authentication. It would have been easy to secure this system, and claiming that it was automatically in significant danger of being cracked simply because they put it on the internet is a cop out, and is frankly quite absurd in 2015.

The Internet of Things is coming, so we need people who understand security, and people who think that you can only achieve reasonable security by not implemeting it at all and then not connecting to anything are going to find themselves way out in the cold.

Re:Some things do not belong on the Internet

[Zero__Kelvin]

The GP doesn't get that you use a VPN by, wait for it ... being on the internet!. His solution to not having it on the internet is literally don't connect it to the Internet! That's stupid. You can use a VPN! I must have missed the detail, but how are the VPN packets going to reach the system? Oh, right. Because it's connected to the internet! That's what I'll do. I won't connect to the internet, but I'll use a VPN that uses the .. oh shit.

Re:Some things do not belong on the Internet

[nitehawk214]

That is probably the most reasonable explanation. None of the hardware was upgraded since the 90s when a weak-ass password and no way to perform updates was enough to keep people out.

Re:Some things do not belong on the Internet

[BronsCon]

You don't connect the system to the internet, you connect it to a LAN, with one of the clients on that LAN being a VPN endpoint with its own (not via the LAN) internet connection. Nothing on that LAN is on the internet, nothing on the LAN can call out to the internet, and nothing on the LAN can be accessed via the internet, save for the VPN box, which will have a much, much smaller attack surface than . And none of those devices are on the internet; the VPN simply gives you an entrypoint into the LAN via the internet. The implications are subtle, so it's understandable that you would miss them; especially in your haste to rant on teh interbewbz.

Re:Some things do not belong on the Internet

[Zero__Kelvin]

Holy shit. .... you are an idiot.

Re:Some things do not belong on the Internet

[Zero__Kelvin]

I don't think anyone is arguing that the best approach is to first set it up like an idiot and then turn around and do it the right way. This is a discussion about what the right way to do it is, not what turkey's who did it wrong should do now that security has flown the coop so to speak. In truth though, from reading the article all I see is - if an attacker had a password or could somehow get access to the web interface. That isn't much different than claiming banks are insecure because if someone got into my account they could steal my money!.

Re:Some things do not belong on the Internet

[msauve]

"Are you suggesting that the vendor will double the amount of capital investment in their electronics..."

No, I wouldn't think of blaming the vendor, when the issue is obviously that you have neither the knowledge nor skillset needed to understand how to do VPN deployments.

Re:Some things do not belong on the Internet

[BronsCon]

Why not point out how I'm wrong, then? You know, be constructive?

Wait, no, what I actually meant to post was

and you're an asshole.

Re:Some things do not belong on the Internet

[mjwx]

So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

Erm, you call the number on the machine or go talk to the petrol station attendant. Or you could just use cash like normal people.

Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

Traffic management systems are very different. These are very complex systems monitored by professionals and attended to 24/7. What the GP is saying is you dont need to connect every bloody toaster and waffle iron to the internets. One of the big reasons is they'll never be properly secured from attack.

Re:Some things do not belong on the Internet

[davidwr]

Security isn't hard

LOOOOOOOOOOOOOOOOOOOOL

When Nighthawk214 wrote that security wasn't hard, he wasn't wrong, but he was incomplete.

Security by itself isn't necessarily hard. If I want to secure data that I won't need to use without 1 business day's notice, I can just take two disks, each with a copy of the data, to my bank and put it in the safe-deposit box. Not hard at all. With a little extra effort I can encrypt each with a one-time pad and put the 4 disks in different banks.

Security with online or near-online usability requirements by a large number of people is harder/more expensive, and the more usability you want (just a few key employees at one physical location? all employees worldwide? customers too?), the harder/more expensive it can get for a given amount of security.

Yes, for some applications the level of security you need and the level of usability you need do make it a hard/expensive problem for that use case. But if you are at that point, you've probably determined that lack of security and/or lack of usability is more expensive or you wouldn't be going down this path.

The big problem I see in industry is people incorrectly assuming that it's cheaper to skimp on security than to pay for it up-front. A smaller problem is people over-doing it on security, spending $BIGBUCKS to prevent and mitigate a disaster when the actual cost of a compromise multiplied by the risk of that compromise is known to be well below $BIGBUCKS - or it would be well known if they bothered to spend a little time analyzing their particular risk environment.

Breaking Bad car wash

[MillionthMonkey]

What a pity this wasn't discovered sooner... Skyler White could have asked Saul Goodman to hire his Eastern European hacker again to launder Walt's meth money through that car wash using HTTP GET requests.

Online Manual

[chill]

A quick Google search for "laswerwash ip address" and the very first link is a PDF of the LaserWash Owner/Operator manual with LOTS of useful information.

Things like default IP address, default port, default passwords, command sequences, etc.

Re:Online Manual

[CronoCloud]

12345? That's a combination a stupid person would have on their luggage.

Hey...that's MY password.

Re:Online Manual

[140Mandak262Jamuna]

That is the password for Earth.

Re:Online Manual

[140Mandak262Jamuna]

Brain, is that you? Long time no see, Amigo. --- Pinky.

Re:Online Manual

Is there a setting for "boil"?
How about for "fricasee"?

What's the point in washing with lasers, if you can't overdo it?

Re:Online Manual

[NoKaOi]

Only thing what would make it illegal is that they have *some* security in place, it doesn't even matter how dysfunctional it is. Otherwise it would be just public service (at least by the rulebook over the other side of globe).

Why do you think that? I'm pretty sure it's still computer intrusion even if they don't know how to do anything security related. Here's a brick and mortar analogy: If somebody's front door doesn't have a lock, it's still illegal to walk in. And anyway, even if you're right, then having a password, even if it's a default password that hasn't been changed, is *some* security. Intent matters. A lot. Are you accessing their system because you're trying to do something nefarious, or because you accidentally thought it was the free WiFi from the coffee shop next door and you're just trying to check your email?

Re:What? BMW through the brush wash?

[JaredOfEuropa]

[anyoldlameexcuse] will void the warranty if they can get away with it.

I hope whoever did this

comes out clean.

Sudo wax off

Sudo wax on

At this timr of year?

[rossdee]

Who washes their car in the winter? By the time you've driven it home its dirty again.

Re:At this timr of year?

[swb]

It's no different than brushing your teeth or cleaning the dishes. They all get dirty again.

The point isn't to keep it clean, but to at least wash off some of the corrosive salt spray and grime so you don't strip the clearcoat and then the paint off.

My wife never washes her car (or not enough) and it looks like shit, with finish is dull and maybe even faded a little. I wash mine 2-3 times per week, usually before I come home and its maybe half a mile home. In all but the wettest, sloppy weather it makes it into the garage (and thus overnight) clean and not being exposed to corrosive, abrasive gunk. My car still holds a great shine, especially when its waxed.

You don't have to look very hard for a place that does all you can eat car washes and 3 times per week gets my cost down to less than $3 per wash, hand dried. And waxing your car is dead easy with spray wax. I'd guess carnuba might be slightly better, but it's a shit ton of work and spray wax seems to get you most of the way there.

Re:At this timr of year?

[Nethemas+the+Great]

Most people making slightly below the median income level or more and whom reside in the upper mid-west. Ice melt chemicals aren't the kindest thing to a car. Unlimited wash packages exist for a reason. Now it seems they just got a bit less expensive.

Re:At this timr of year?

[ArchieBunker]

The sun shines for maybe an hour and idiots are lined up at the car wash. It's gonna snow the next day anyhow so why bother?

Re:At this timr of year?

[swb]

No, fuck you.

I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

I figure the best and most ecological way to do this is to make the car I have last, and one of the way to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the finish, it's corrosive to the undercarriage and mechanical systems, too.

But I suppose you think it's more ecological to just make more cars.

Re:At this timr of year?

[BronsCon]

Well, of course! They can't see the amount of water and chemicals used in that process, so it must be zero!

Re:At this timr of year?

[sexconker]

No, fuck you.

I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

I figure the best and most ecological way to do this is to make the car I have last, and one of the way to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the finish, it's corrosive to the undercarriage and mechanical systems, too.

But I suppose you think it's more ecological to just make more cars.

Fuck off, shitwick.
You don't need to wash your fucking car 3 fucking times a week to prevent it from rusting out unless you live in a fucking salt mine. You're one of those aging failures who see their cars as a replacement for their underused, undersized penises.

Why on earth is it a GET request?

[Sowelu]

If you're controlling something, it should at least be a POST.

Re:Why on earth is it a GET request?

[SeaFox]

How else would you GET a free car wash?

Re:What? BMW through the brush wash?

[pete6677]

I wouldn't be surprised if you aren't joking :) BMW has their own brand of expensive washer fluid, for God's sake.

Re:At this time of year?

[ImprovOmega]

Where you live maybe. Here we had a high of 84 and a low of 51.

Re:Marketing dream chasers

[nitehawk214]

The thing needs to connect to payment services, report usage statistics, request consumables, report self-test results...

But feel free to rage against "the cloud", while it continues to be that thing that lets devices talk to other devices to get work done.

Re:What? BMW through the brush wash?

[mpoulton]

http://en.wikipedia.org/wiki/M... Yes, IIAL (but not your lawyer), and no, going to the wrong car wash doesn't void your warranty. That's silly.

It's that creepy chem teacher who owns it

[Applehu+Akbar]

He hacked the machinery to make it look as though the car wash was handling ten times the number of customers that it actually was. It even printed out fake activity reports for the IRS.

Re:It's that creepy chem teacher who owns it

[neminem]

Nitpick: by the time he owned a car wash, he wasn't actually teaching chemistry anymore (too busy at his new job. (Of owning a carwash. Totally that and nothing else.))

It is pretty funny how I think of that show every time I visit a carwash or a fried chicken joint now.

Re:It's that creepy chem teacher who owns it

[Applehu+Akbar]

The IRS has to watch for two opposing kinds of fraud. It's one thing to conceal income from a business, like those legendary mobster restaurants that keep two sets of books, with the taxman only seeing the money-losing one. IOt's quite another to make a failing business look artificially profitable, using it to 'surface' cash from some shady activity. Paying tax on the fake income is a small price to pay for being able to openly get rich off a legal-looking business, rather than (as in this example) having to bury excess cash out in the desert and having it be hijacked by Nazis.

Re:What? BMW through the brush wash?

[wiredlogic]

I would venture that the OP is regurgitating some dealer scare story from the days when BMW made cars with telescoping antennas that would get ripped off by the automated washers.

Re:What? BMW through the brush wash?

[drinkypoo]

The article has a picture of a BMW going through a brush wash. It would void the warranty. BMW says only BMW certified brushless car washes are compatible. Using unauthorized car washes will void the warranty.

Who told you that?

I think you miss my point

[davidwr]

Connectivity != Internet.

Take traffic lights for example:

Long before the Internet was more than just a government/university/defense-contractor environment, traffic lights had 2-way communication.

Were they hackable? Yes, to someone with physical access to the communications wires and by the 70s or 80s, maybe to someone who had access to the telephone-company infrastructure. That meant someone in the same metro area as the traffic lights themselves. But they probably were not hackable by someone sitting in his mother's basement or in a terrorist's cave in East Elbonistan.

That's just one example.

My personal pet peeve is companies that allow more than "harmless" remote control of their HVAC over either the Internet or telephone without routing all remote access through a very secure gateway/vpn/whatever. It's not so bad if they allow people to remotely turn on the lights or change the HVAC from "night/energy-saving" mode to "day/occupied" mode, as that just wastes money. But if I can remotely change the temperature to 40F or 100F or remotely shut down the HVAC completely, or remotely turn OFF the lights, that's a bad idea unless strong security is in place. Over the Internet, strong security typically means a VPN or other extremely-hard-to-hack pathway in.

Re:I think you miss my point

[ls671]

I didn't know caves had basements, I am still trying to imagine it.

Re:Marketing dream chasers

[sjames]

We have had functional automated car washes much longer than we have had "the cloud". It is apparently possible.

My guess was that the devs were informed that the existing product WOULD be in the cloud by next week OR ELSE, no doubt because a suit somewhere read an article. And so it is.

Re:What? BMW through the brush wash?

[140Mandak262Jamuna]

You don't know BMW. It would void a warranty if you keep their car in an unapproved or incompatible garage. Only BMW approved soda compatible soda cans are permitted in the drink holders. I would not be surprised if it has a list of approved shoes that are compatible with the damned accelerator pedals.

Cameras

[penguinoid]

Are the cameras (to prove that the damage to the car was there before the wash) also hackable?

Re:What? BMW through the brush wash?

[sexconker]

If your dealer is that big of a douchbag

It's a car dealer. Douchebag is redundant.
It's a BMW dealer. Big douchebag is an understatement.

Re:Marketing dream chasers

[Applehu+Akbar]

My very first car wash was cloud-based. Sometimes I miscalculated and it got snowed on instead.

Control Systems Security: #1 Truth

[Shoten]

Billy Rios sums things up interestingly with this sentence:

"If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly.

The trick with control systems...which is what the computers controlling this car wash are...is that logical actions result in kinetic effects. And you can't reboot physics, or restore solid objects from backup.

Re:What? BMW through the brush wash?

[wolrahnaes]

Multiple BMW owner here, what the fuck are you smoking?

The limited edition "frozen" paints offered on a few M cars in recent years have very specific care instructions, but that's the nature of the beast with a true matte paint finish on a car. They don't have the protection a nice thick layer of clearcoat offers cars with normal modern paint.

Beyond those however they're just a well done normal automotive paint job. My beater 3 series is 13 years old and rarely gets washed, but when a friend got bored and washed/waxed the thing it looked like the paint was in better condition than my two year old Kia.

Nothing else on the car would really care what kind of wash you're doing other than the paint and wheels, so barring a dirty brushed wash scratching the hell out of things what possible way could you even imagine a car wash being able to void a warranty?