Security vulnerability in washing machines: free washing in laundromats possible

Students found a vulnerability in a mobile app of a US laundry chain, which enables free washing. The company is not interested.

A smartphone held in one hand, with green data streams in the foreground.

(Image: Tero Vesalainen / Shutterstock.com)

This article was originally published in German and has been automatically translated.

Two students at the University of California Santa Cruz (UC Santa Cruz) discovered a security vulnerability in washing machines operated by the major US laundry operator CSC ServiceWorks in early 2024. This was reported by the US technology magazine TechCrunch on Friday. Exploiting the vulnerability is said to make it possible to use over one million internet-connected washing machines in public laundry rooms in halls of residence and on university campuses free of charge.

The two students exploited a vulnerability that allows commands to be sent remotely to washing machines connected to the internet, for example a command to start a wash cycle, they explain. One of the two students became aware of the loophole by chance while sitting in a laundry room with his laptop. He managed to run a script that caused a washing machine to start a wash cycle without there being any credit on the laundry account.

The vulnerability is said to be in an API used by the CSC Go mobile app to manage accounts and pay for washing. The students discovered that CSC's servers could be tricked into accepting commands that, for example, change the account balance: the security checks were performed exclusively by the app on the user's own device, and the servers did not repeat them. They found this out by analyzing the network traffic between the CSC Go app and CSC's servers.

The two students then pushed this to the extreme: they reportedly credited several million dollars to a laundry account.

However, reporting the vulnerability to CSC ServiceWorks turned out to be more difficult than expected. The two students sent the company several emails in January via its own contact form, but these went unanswered. The laundry company has no dedicated page for reporting security problems. A telephone call to the company was also unsuccessful, TechCrunch reports.

The students therefore sent their findings to the CERT Coordination Center, which is based at Carnegie Mellon University (CMU). It is a clearing house for vulnerability reports, which it forwards to the manufacturers concerned. It also analyzes the reported security problems and, where necessary, provides fixes and guidance on resolving them.

After the waiting period of more than three months that is customary before security vulnerabilities are published, the findings were first presented in May at a talk by the UC Santa Cruz Cybersecurity Club. By then CSC had still not responded, but it had zeroed out the students' accounts without any notification. The laundry company did nothing further. It is still possible to top up an account and remotely unlock a CSC washing machine by exploiting the vulnerability; all that remains necessary is to physically press the start button on the washing machine in question.

(olb)