2/19/2015
04:15 PM

Hackin' At The Car Wash, Yeah

Drive-through car washes can be hacked via the Internet, to wreak physical damage or to get a free wash for your ride.

KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Turns out those drive-through car washes have public Web interfaces that easily can be accessed online, and used to cause physical damage, manipulate or sabotage mechanical operations, or just score a free wash for your vehicle.

Renowned security researcher Billy Rios -- who has exposed security flaws in medical systems used with X-ray machines and carry-on baggage screening machines at TSA checkpoints, among other critical systems -- detailed, here this week, how something as mundane as an automatic car wash is also hackable from afar. The Web interface in one popular car wash brand's remote access system he studied contains weak and easily guessed default passwords, as well as other features that could allow an attacker to hijack the functions of a car wash.

Rios decided to explore just how exposed car washes were after a friend who's an executive for a gas station chain that includes car washes, told him a story about how technicians had misconfigured one car wash location remotely. The mistake caused the rotary arm in the car wash to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside. The minivan driver quickly accelerated out of the car wash, badly damaging the equipment, as well as the vehicle.

The story resonated for Rios, who has been studying public safety ramifications of industrial and other critical systems accessible via the Net. "If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly. "I think there should be some distinction between those types of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you can't allow them [the manufacturers] to voluntarily opt into" security, he says.

Rios went to work looking for exposed automatic car washes online, and found them. "I looked for car washes on the Net, there are a couple of hundred" for PDQ LaserWash, the brand he researched, Rios says. PDQ LaserWash runs an HTTP Web server interface for remote administration and control, and the car wash equipment runs on Windows CE with an ARM processor.

"You can log into it and shell into it … it's just an HTTP post request," Rios says of the car wash systems. He says the problem likely isn't isolated to the particular car wash brand he investigated, either. Rios estimates that there are a thousand or so others online.

Source: Billy Rios, Laconicly

The Web interface provides the car wash owners access to the business side of the operation, and technicians the ability to adjust the mechanical parts. "That interface sits on top of an ICS [industrial control system], like the stuff at a power plant. At the end of the day, it really is" an ICS, he says of the engineering Web interface.

All of the "calls" to the web server go to DLLs, he says. If an attacker were to obtain the default password for the owner or technician and telnet in, he could ultimately wrest control of some of the car wash operations remotely, or manipulate the sales side.

"You can log into it and get a shell and get a free car wash" with an HTTP GET request, he says. The request is sent to the DLL, which starts the specific type of wash, whether it's the premium or quick cycle, for instance. "This isn't actually an exploit, it's by-design functionality that's built into the device. You just have to get access to the Web interface."

An attacker could also disable the car wash's sensors, or open and close the bay doors, as well as the bridge and trolley parts. "There are a lot of things you can modify" remotely, Rios said in his presentation here.

"These machines are very dangerous, and typically, when you have these machines installed someplace, they are only able to be operated by qualified technicians. They could hurt someone. So when you start putting these things online, it changes the threat model dramatically," Rios said. The devices are physically connected together at the car wash via Modbus, a popular industrial network protocol.

The Web interface basically translates the web requests into Modbus, which operates the physical car wash equipment, he says.
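The monitoring angle that follows from this, as an added defender-side example (not code from the article, PDQ or Laconicly): a decoder for Modbus/TCP request frames that flags write function codes (the ones that move equipment) coming from any host other than the site's own controller or HMI. The frames, addresses and the allowed-host list are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change physical state (coils drive outputs,
# registers hold setpoints); reads (1-4) are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    address: int

def parse_modbus_tcp(src: str, payload: bytes) -> ModbusFrame:
    """Decode the MBAP header and the start of the PDU of one Modbus/TCP request.
    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1);
    PDU: function code (1), then a 16-bit starting address for the common codes."""
    if len(payload) < 10:
        raise ValueError("frame too short for MBAP header + function + address")
    tid, proto, length, unit, func, addr = struct.unpack(">HHHBBH", payload[:10])
    if proto != 0:
        raise ValueError(f"not Modbus: protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(src, tid, unit, func, addr)

def flag_unexpected_writes(frames, allowed_writers):
    """Return one alert string per write request from a host not allowed to command equipment."""
    alerts = []
    for f in frames:
        if f.function in WRITE_FUNCTIONS and f.src not in allowed_writers:
            alerts.append(f"{f.src}: {WRITE_FUNCTIONS[f.function]} addr={f.address} unit={f.unit_id}")
    return alerts

# Constructed sample traffic (hypothetical hosts, not a capture from any real site):
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("000100000006010100000008")),     # read coils from the on-site HMI
    ("10.0.0.5", bytes.fromhex("00020000000601050010FF00")),     # write single coil from the HMI (allowed)
    ("203.0.113.9", bytes.fromhex("00030000000601050010FF00")),  # write single coil from an outside host
    ("203.0.113.9", bytes.fromhex("000400000006010300000002")),  # read holding registers (no alert)
]

if __name__ == "__main__":
    frames = [parse_modbus_tcp(src, raw) for src, raw in SAMPLE]
    for alert in flag_unexpected_writes(frames, allowed_writers={"10.0.0.5"}):
        print("ALERT", alert)
```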

Rios says securing the remote access of moving parts in machines requires locking down the software for easily exploitable flaws like SQL injection, buffer overflows, and command injection--and of course using strong authentication rather than default or hardcoded passwords.

Trey Ford, global security strategist with Rapid7, says car washes are just one example of all types of machines and systems sitting vulnerable on the Net. "[Rios's] talk was not just about browsing the Internet and firing requests through the browser interface. There's Modbus: when you start sending machine-level commands giving devices … directions, such as 'swing the arm out,' you can fire those commands."

It's just a matter of adding a string to get a free car wash, or to close the bay doors, Ford says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
ODA155,
User Rank: Ninja
2/27/2015 | 9:30:05 AM
Re: Perspectives from the CW industry
Brian Krebs did a piece on this back in June 2014, "Card Wash: Card Breaches at Car Washes," and the very first thing I think these companies should do is hire someone who actually understands the technology, how it is configured and how it works. Second, they should change the default passwords to the pcAnywhere and LogMeIn software built into those systems and insist those passwords are changed regularly and not hard-coded. Third, keep the OS and applications updated and patched, because when you put all of that together and just let it hang out on the Internet, you're begging for trouble.
anon7758935109,
User Rank: Apprentice
2/23/2015 | 7:13:05 PM
Perspectives from the CW industry
I'm in the CW business as a tech for a manufacturer (not PDQ). Some things to keep in mind here.

1. The CW industry is very fragmented and proprietary. A lot of the hardware and software is very proprietary to the manufacturer, and very often site specific. So any hacker gaining access to one system is going to have to spend some time learning what does what in terms of actually controlling the hardware. For some manufacturers, this will be easier; for others, a hacker is more likely to do damage by accident than on purpose.

2. Automatic car washes with web interfaces are still not the majority of that type of equipment in the US. Most washes are run for 10, 15 years or more and there are a lot of washes still in existence from the late 90s and early 2000s.

3. One thing I've learned is that many car wash owners don't want to pay for or deal with security. A lot of these are businesses owned by people who think they will build the site, then go down and pick up their quarters once a week, maybe order soap once in a while and that's it. It is, quite literally, for a good chunk of the car wash sites, a side business for people who have full time jobs elsewhere. For some of these guys, it doesn't matter what security the manufacturers build into the systems; owners will do things like not change passwords from default (even when told to) or will change them to be simple stuff. So any security regulation aimed solely at the manufacturers will fail if it doesn't take owners into account.

4. A lot of the current network security flaws at car washes are a direct result of car wash owners refusing to use higher end equipment and hire competent people to install and manage their networks. They're using consumer level routers and modems with default passwords. It makes my job easier when they do use default passwords, but it's a glaring security flaw that many refuse or are too lazy to fix, despite being told to (and it being a Payment Card Industry requirement on sites that take credit cards).

I honestly think that the biggest threat of malicious hacking of a car wash to cause damage is not going to come from outside the industry, but is inside the industry, from things like competitors and disgruntled employees. 
GonzSTL,
User Rank: Ninja
2/23/2015 | 11:26:16 AM
Re: Hackin' At The Car Wash, Yeah
Or slapped around by those brushes! But think of the upside - if you drive through the car wash in a convertible with the top down, as a friend of mine did many years ago, you can get a free bath and blow dry afterwards.
theb0x,
User Rank: Ninja
2/21/2015 | 10:37:22 AM
Re: Hackin' At The Car Wash, Yeah
Someone could get soaped to death.
freespiritny25,
User Rank: Apprentice
2/20/2015 | 5:33:11 PM
Re: Hackin' At The Car Wash, Yeah
Pretty scary. Who would ever want to hurt someone at a car wash? There are some pretty insane people out there!
1eustace,
User Rank: Strategist
2/20/2015 | 3:22:37 PM
Re: Car wireless
Dr. T., here is a real doozy; forget distracted drivers. Cars are becoming more autonomous and relying less on humans for decisions - think of features like collision detection with automatic braking. Hackers have already proven they can access and control the instrument panel wirelessly through built-in wireless adapters. With this level of intrusion, rogue modification of features, e.g. from auto-braking to auto-accelerate, no longer seems far-fetched. Yes, there is a lot more on the horizon...
1eustace,
User Rank: Strategist
2/20/2015 | 3:07:24 PM
Re: Connectivity spells vulnerability, software lockdown is only a start
I agree and would take it a step further. There is a role for regulation for every product that has a 'brain' (some processor running firmware), including all consumer devices. I say so because such products are potential agents of evil. For example, it is not difficult to imagine a safe sonic-emitting toy like the Furby in the wrong hands 'tuned' to negatively impact an implantable medical device like pacemakers or cardioverter-defibrillators, long feared to be susceptible to sonic emissions.

I think Billy Rios is approaching this from the angle of product manufacturers having to anticipate the criminal psyche and defending against it. That would be a tall order, if at all possible. However, it is reasonable to expect manufacturers to ensure every product they put out to the public operates as originally intended or fails predictably. To achieve this, all manufacturers need to do is assure only certified firmware runs in the product, and secure chips are available to provide just such assurance. Regulation can bring this to reality if manufacturers are held accountable when products become direct or contributing agents to human safety or public hazards.
1eustace,
User Rank: Strategist
2/20/2015 | 2:25:36 PM
Re: Have anyone of the reader here deployed any changes into production?
Changes are deployed into production systems all the time. You don't hear of airports shutting down because they need to update firmware in air traffic control or baggage systems, you don't hear of city blackouts because the smart grid systems need updates and/or repair, United and Continental airlines merged a few years back without taking (much of) a break from flights or bookings, etc., etc. I think a better question is whether the systems were designed to accommodate changes, e.g. for the car wash, was it designed to accommodate secure local and remote interaction in operation and maintenance?

Forethought in security has historically been associated only with large and/or critical systems or products, and everything else receives security treatment, if any, as an afterthought. This model worked in the past because systems and products lived on their own islands. With the ever growing connectedness in the new world, there is no choice but to make security part of the design and development process of every system or product.
theb0x,
User Rank: Ninja
2/20/2015 | 12:23:26 PM
5 Digit PIN
Most car wash systems accept a 5 digit pin for prepaid service. The first digit is usually 0.

A lot of the time punching in the ZIP code works because it is preprogrammed by the owner for use by law enforcement officials.


Brute forcing the 5 digit pin is also quite easy using a certain method I can not disclose.
Dr.T,
User Rank: Ninja
2/20/2015 | 11:42:18 AM
Re: Such a low-tech thing and yet so vulnerable..
True. The world has changed, you do not know in what direction you would get hit. 