Cyberattacks on Car Washes

The height of the information security summer convention season is coming to a close. The big buzz in the media was the voting machine hacking at DEFCON. I also wrote about Broadpwn here on Cylance’s blog, which was presented at Black Hat USA 2017. Here’s an interesting exploit that you may have missed if you didn’t read July 28th’s This Week in Security blog: car washes can be cyberattacked!

When I was a toddler, my parents told me a story: They took me through a car wash and I was absolutely terrified. The massive flaps that surrounded the windshield made it look as if the car we were in was being attacked by octopuses worthy of an old Japanese horror flick.

But that was in 1986, and very few people outside of academia or the military had Internet access. There certainly was no way for someone to acquire control of the car wash without physically being there. I really had nothing to worry about.

Turns Out, Car Washes Are Scary in 2017

We’re now well into the 21st century. Not only can cars be cyberattacked, but so can the machines that clean them. Billy Rios of Whitescope and Jonathan Butts of the IFIP Working Group on Critical Infrastructure Protection found an easy exploit in PDQ LaserWash® systems. The LaserWash systems they researched have default passwords and run an ARM-based Windows CE implementation that Microsoft stopped supporting in 2013.

So what’s the worst that can happen, you might ask? Might a car get lots of warm water but no soap? Alas, what Rios and Butts found was much worse. They found they could open and close the car wash bay doors on command, which could significantly damage not only a vehicle but also the people inside it.

“We’ve written an

This is a Security Bloggers Network syndicated blog post authored by Kim Crawley. Read the original post at: Cylance Blog