Researchers Demo Physical Attack via Car Wash Hack

LAS VEGAS – BLACK HAT USA – Researchers have created proof-of-concept (PoC) exploits to demonstrate how hackers can cause physical damage to vehicles and injure their occupants by remotely hijacking a connected car wash.

The attack was detailed in a presentation at the Black Hat security conference this week by WhiteScope founder Billy Rios, a researcher best known for finding vulnerabilities in medical devices and industrial control systems (ICS), and Dr. Jonathan Butts, founder of QED Secure Solutions and committee chair for the IFIP Working Group on Critical Infrastructure Protection.

The experts pointed out that automated car wash systems are essentially ICS and, just like industrial systems, they can be hacked and manipulated.

Their research has focused on LaserWash, an automated car wash which, according to its creator, PDQ Manufacturing, can “think for itself.”

Rios and Butts found that the product’s web-based administration panel, which in many cases is reachable directly from the Internet, offers a wide range of features, including email alerting and a social media widget.

The more serious problem, however, is that both the owner and engineer accounts for the web interface are protected only by weak default passwords. The researchers also found that the interface’s authentication mechanism can be bypassed altogether.

Once they gain access to the web interface, a hacker can take control of the car wash system. The PoCs developed by the researchers show how an attacker can disable safety signals and take control of the bay doors, which can be used to either lock the vehicle in or unexpectedly strike it and its occupants. Hackers can also take control of the robotic washing arm and continuously discharge water or hit the vehicle and its occupants, the researchers said.

Rios first informed PDQ of the LaserWash vulnerabilities back in February 2015, just before disclosing his findings at Kaspersky’s Security Analyst Summit. However, the vendor ignored Rios for more than a year.

Now that Rios and Butts have developed PoC exploits demonstrating the risks in a real-world scenario, PDQ has confirmed the existence of the flaws and says it is working on fixes.

According to an advisory published by ICS-CERT on Thursday, the vulnerabilities affect several models of PDQ’s LaserWash, Laser Jet and ProTouch automatic car wash systems.

ICS-CERT warned that the flaws can be exploited remotely even by an attacker with a low skill level, and provided a series of measures recommended by the manufacturer for mitigating the threat. The steps include changing the default password and ensuring that the equipment is behind a firewall.

Related: Segway miniPRO Flaws Put Riders at Risk of Injury

Related: Industrial Robots Vulnerable to Remote Hacker Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.