Students Spot Washing Machine App Flaw That Gives Out Free Cycles

Two students from the University of California at Santa Cruz (UCSC) discovered a security flaw within CSC ServiceWorks washing machines that allows for unlimited free laundry cycles.

The students, Alexander Sherbrooke and Iakov Taranenko, explained to TechCrunch that the bug allows for someone to send remote commands to the laundry machines. The vulnerability is in the API used by CSC Go, the CSC mobile app, which can be deceived into accepting commands because "security checks are done by the app on the user's device and are automatically trusted by CSC's servers."

The flaw was discovered when Sherbrooke was able to run a script of code with instructions for the machine to run a cycle even though there was $0 in his account. Much to his surprise, the laundry machine lit up, prompting the customer in question to push the start button for the cycle to begin.

But the students didn't stop there. Next, they added a hefty balance to their laundry accounts amounting to some several million dollars, which the CSC Go mobile app allowed.

Sherbrooke and Taranenko contacted CSC ServiceWorks — which doesn't have a page devoted to security and reporting bugs — through its online contact form in January of this year but never received a response. Calling the company led to the same brick wall.

Now, months later, having waited longer than the three months that researchers usually grant vendors to fix their vulnerabilities before telling the world, the pair is going into more detail about their findings. 

Dark Reading reached out to CSC ServiceWorks for comment but has not yet received a response.

On May 20, Sherbrooke and Taranenko submitted a blog post to Slug Security in what is described as a "more technical continuation" of the interview they did with TechCrunch. 

The students said they waited so long to report the bug because they wanted to make sure they were going about the process correctly.

"We don't want a multi-million dollar company throwing a lawsuit at us because we didn’t report it," they said. The UCSC students even received the help of Carnegie Mellon University's CERT Coordination Center to contact the vendor but the vendor "didn't even visit CERT's portal to view the message."

After the students reported their findings, CSC wiped their multimillion-dollar account balance, but the vulnerabilities still remain unfixed.

"Worst-case scenario, people can easily load up their wallets and the company loses a ton of money," Taranenko said. "Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?"