Slashdot Mirror


Also Hackable: Drive-Through Car Washes

PLAR writes: It turns out LaserWash automatic car washes can be easily hacked via the Internet to get a free wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords which, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. Rios adds that this probably isn't the only car wash brand that's vulnerable.

20 of 103 comments

  1. Embedded systems devs by Anonymous Coward · · Score: 2, Insightful

    Embedded system developers suck at all things internet, especially security.

    1. Re:Embedded systems devs by pete6677 · · Score: 2

      They haven't yet gotten used to a world where security by obscurity just doesn't work anymore.

    2. Re:Embedded systems devs by Zero__Kelvin · · Score: 3, Informative

      Do the world a favour and stay out of the Computer Security Business. 80% of CompSec is anticipating how people might use things in ways they were never intended to be used.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. What's a car wash? by mspohr · · Score: 4, Funny

    Car?
    Wash?

    --
    I don't read your sig. Why are you reading mine?
  3. Some things do not belong on the Internet by davidwr · · Score: 4, Insightful

    Some things just should never be put "on the Internet."

    If you must have remote access, either use a dedicated physical connection (with appropriate anti-tampering/tamper-mitigation measures of course) or tunnel them through a rock-solid VPN, but for goodness sake don't put them "on the Internet."

    Yes, companies that run industrial equipment, traffic lights, etc., I'm looking at you too.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Some things do not belong on the Internet by nitehawk214 · · Score: 4, Insightful

      So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

      Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

      Think about it. Devices need to be connected. Security isn't hard, companies need to start giving a shit about it.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    2. Re:Some things do not belong on the Internet by msauve · · Score: 2

      In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Breaking Bad car wash by MillionthMonkey · · Score: 4, Funny

    What a pity this wasn't discovered sooner... Skyler White could have asked Saul Goodman to hire his Eastern European hacker again to launder Walt's meth money through that car wash using HTTP GET requests.

  5. Online Manual by chill · · Score: 4, Informative

    A quick Google search for "laswerwash ip address" and the very first link is a PDF of the LaserWash Owner/Operator manual with LOTS of useful information.

    Things like default IP address, default port, default passwords, command sequences, etc.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Online Manual by CronoCloud · · Score: 2

      12345? That's a combination a stupid person would have on their luggage.

      Hey...that's MY password.

  6. Re:What? BMW through the brush wash? by JaredOfEuropa · · Score: 2, Insightful

    [anyoldlameexcuse] will void the warranty if they can get away with it.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. I hope whoever did this by Anonymous Coward · · Score: 4, Funny

    comes out clean.

  8. Sudo wax off by Anonymous Coward · · Score: 5, Funny

    Sudo wax on

  9. Re:Marketing dream chasers by nitehawk214 · · Score: 2

    The thing needs to connect to payment services, report usage statistics, request consumables, report self-test results...

    But feel free to rage against "the cloud", while it continues to be that thing that lets devices talk to other devices to get work done.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  10. Re:What? BMW through the brush wash? by wiredlogic · · Score: 2

    I would venture that the OP is regurgitating some dealer scare story from the days when BMW made cars with telescoping antennas that would get ripped off by the automated washers.

    --
    I am becoming gerund, destroyer of verbs.
  11. I think you miss my point by davidwr · · Score: 2

    Connectivity != Internet.

    Take traffic lights for example:

    Long before the Internet was more than just a government/university/defense-contractor environment, traffic lights had 2-way communication.

    Were they hackable? Yes, to someone with physical access to the communications wires and by the 70s or 80s, maybe to someone who had access to the telephone-company infrastructure. That meant someone in the same metro area as the traffic lights themselves. But they probably were not hackable by someone sitting in his mother's basement or in a terrorist's cave in East Elbonistan.

    That's just one example.

    My personal pet peeve is companies that allow more than "harmless" remote control of their HVAC over either the Internet or telephone without routing all remote access through a very secure gateway/vpn/whatever. It's not so bad if they allow people to remotely turn on the lights or change the HVAC from "night/energy-saving" mode to "day/occupied" mode, as that just wastes money. But if I can remotely change the temperature to 40F or 100F or remotely shut down the HVAC completely, or remotely turn OFF the lights, that's a bad idea unless strong security is in place. Over the Internet, strong security typically means a VPN or other extremely-hard-to-hack pathway in.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Re:Marketing dream chasers by sjames · · Score: 2

    We have had functional automated car washes much longer than we have had "the cloud". It is apparently possible.

    My guess was that the devs were informed that the existing product WOULD be in the cloud by next week OR ELSE, no doubt because a suit somewhere read an article. And so it is.

  13. Cameras by penguinoid · · Score: 2

    Are the cameras (to prove that the damage to the car was there before the wash) also hackable?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  14. Re:It's that creepy chem teacher who owns it by Applehu Akbar · · Score: 2

    The IRS has to watch for two opposing kinds of fraud. It's one thing to conceal income from a business, like those legendary mobster restaurants that keep two sets of books, with the taxman only seeing the money-losing one. It's quite another to make a failing business look artificially profitable, using it to 'surface' cash from some shady activity. Paying tax on the fake income is a small price to pay for being able to openly get rich off a legal-looking business, rather than (as in this example) having to bury excess cash out in the desert and having it be hijacked by Nazis.

  15. Re:Marketing dream chasers by Applehu Akbar · · Score: 3, Funny

    My very first car wash was cloud-based. Sometimes I miscalculated and it got snowed on instead.