LAS VEGAS–Researchers are continuing to find new and interesting ways to demonstrate the fragility and poor security of IoT devices, and the latest test bed is your local car wash. A weakness in the design of the software that runs a large number of automated car washes in the U.S. can allow a remote attacker to take over the machinery and cause damage to a vehicle in the bay, open and close the doors, and take just about any other action they choose.
The vulnerability was discovered by researchers Billy Rios and Jonathan Butts and the pair developed an exploit for it as well. They found the issue and tested it on a car wash system in the real world with the permission of the system’s owner. Initially, Rios had begun looking at problems with Internet-connected car washes two years ago and quickly discovered that many of them had crucial functionality exposed to the public web. His research back then was mainly focused on finding the devices and seeing what they had exposed, but this time around he and Butts went looking for vulnerabilities, and they were not disappointed.
The issue they found is in a system made by PDQ Vehicle Wash Systems, which manufactures brushless automated car wash systems. The car wash is controlled by a software package that runs on Windows CE, an ancient OS that is no longer supported by Microsoft. It’s protected by a password that the researchers were able to guess quickly, and eventually Rios and Butts were able to identify a vulnerability and then write a script to exploit it. The exploit allowed them to send commands remotely to a target car wash system and force the system to open or close the bay doors, turn on the water jets, or even make one of the system’s components hit the car.
“We believe this is the first exploit of a connected system that can cause the device to physically harm a human,” Rios said during a talk on the research at the Black Hat conference here Tuesday. “Make no mistake, this is an ICS system.”
Rios has a long history of finding weaknesses in ICS, SCADA, and other connected devices. He was one of the first researchers to raise the alarm about medical device security issues, and has also done a lot of work on industrial control systems. With all of the work and testing he’s done on these systems, one of the main problems he’s run into is that there’s no good way for researchers to test most ICS or IoT devices because many of them are very expensive or inaccessible, which contributes to the lack of security in the connected device world.
“There’s no mechanism for researchers to safely test these systems,” Rios said.