Hackin' At The Car Wash, Yeah
Kelly Jackson Higgins
User Rank: Strategist
9/28/2016 | 10:12:16 AM
Re: Online security while travelling
VPNs are a must-have in public WiFi, for sure. 
User Rank: Ninja
9/28/2016 | 10:04:37 AM
Online security while travelling
Yeah, so good on me that I always use a VPN server while I travel. And that does not only include overseas travel; I deploy PureVPN, my VPN server, no matter if I am going to a restaurant or a train station drive-thru. The reason being these are the hotspot places which have a pretty high data hacking ratio, since hackers are always on the lookout for places like these.
User Rank: Ninja
2/27/2015 | 9:30:05 AM
Re: Perspectives from the CW industry
Brian Krebs did a piece on this back in June 2014, "Card Wash: Card Breaches at Car Washes", and the very first thing I think these companies should do is hire someone who actually understands the technology, how it is configured and how it works. Second, they should change the default passwords to the pcAnywhere and LogMeIn software built into those systems and insist those passwords are changed regularly and not hard-coded. Third, keep the OS and applications updated and patched, because when you put all of that together and just let it hang out on the Internet, you're begging for trouble.
User Rank: Apprentice
2/23/2015 | 7:13:05 PM
Perspectives from the CW industry
I'm in the CW business as a tech for a manufacturer (not PDQ). Some things to keep in mind here.

1. The CW industry is very fragmented and proprietary. A lot of the hardware and software is very proprietary to the manufacturer, and very often site specific. So any hacker gaining access to one system is going to have to spend some time learning what does what in terms of actually controlling the hardware. For some manufacturers this will be easier; for others, a hacker is more likely to do damage by accident than on purpose.

2. Automatic car washes with web interfaces are still not the majority of that type of equipment in the US. Most washes are run for 10, 15 years or more, and there are a lot of washes still in existence from the late 90s and early 2000s.

3. One thing I've learned is that many car wash owners don't want to pay for or deal with security. A lot of these are businesses owned by people who think they will build the site, then go down and pick up their quarters once a week, maybe order soap once in a while, and that's it. It is, quite literally, for a good chunk of the car wash sites, a side business for people who have full-time jobs elsewhere. For some of these guys, it doesn't matter what security the manufacturers build into the systems; owners will do things like not change passwords from default (even when told to) or will change them to simple stuff. So any security regulation aimed solely at the manufacturers will fail if it doesn't take owners into account.

4. A lot of the current network security flaws at car washes are a direct result of car wash owners refusing to use higher-end equipment and hire competent people to install and manage their networks. They're using consumer-level routers and modems with default passwords. It makes my job easier when they do use default passwords, but it's a glaring security flaw that many refuse or are too lazy to fix, despite being told to (and it being a Payment Card Industry requirement on sites that take credit cards).


I honestly think that the biggest threat of malicious hacking of a car wash to cause damage is not going to come from outside the industry, but is inside the industry, from things like competitors and disgruntled employees. 
User Rank: Ninja
2/23/2015 | 11:26:16 AM
Re: Hackin' At The Car Wash, Yeah
Or slapped around by those brushes! But think of the upside - if you drive through the car wash in a convertible with the top down, as a friend of mine did many years ago, you can get a free bath and blow dry afterwards.
User Rank: Ninja
2/21/2015 | 10:37:22 AM
Re: Hackin' At The Car Wash, Yeah
Someone could get soaped to death.
User Rank: Apprentice
2/20/2015 | 5:33:11 PM
Re: Hackin' At The Car Wash, Yeah
Pretty scary. Who would ever want to hurt someone at a car wash? There are some pretty insane people out there!
User Rank: Strategist
2/20/2015 | 3:22:37 PM
Re: Car wireless
Dr. T., here is a real doozy; forget distracted drivers. Cars are becoming more autonomous and relying less on humans for decisions; think of features like collision detection with automatic braking. Hackers have already proven they can access and control the instrument panel wirelessly through built-in wireless adapters. With this level of intrusion, rogue modification of features, e.g. from auto-brake to auto-accelerate, no longer seems far-fetched. Yes, there is a lot more on the horizon...
User Rank: Strategist
2/20/2015 | 3:07:24 PM
Re: Connectivity spells vulnerability, software lockdown is only a start
I agree and would take it a step further. There is a role for regulation of every product that has a 'brain' (some processor running firmware), including all consumer devices. I say so because such products are potential agents of evil. For example, it is not difficult to imagine a safe sonic-emitting toy like the Furby in the wrong hands 'tuned' to negatively impact implantable medical devices like pacemakers or cardioverter-defibrillators, long feared to be susceptible to sonic emissions.

I think Billy Rios is approaching this from the angle of product manufacturers having to anticipate the criminal psyche and defend against it. That would be a tall order, if at all possible. However, it is reasonable to expect manufacturers to ensure every product they put out to the public operates as originally intended or fails predictably. To achieve this, all manufacturers need to do is assure only certified firmware runs in the product, and secure chips are available to provide just such assurance. Regulation can bring this to reality if manufacturers are held accountable when products become direct or contributing agents to human safety or public hazards.


User Rank: Strategist
2/20/2015 | 2:25:36 PM
Re: Have anyone of the reader here deployed any changes into production?
Changes are deployed into production systems all the time. You don't hear of airports shutting down because they need to update firmware in air traffic control or baggage systems, you don't hear of city blackouts because the smart grid systems need updates and/or repair, United and Continental airlines merged a few years back without taking (much of) a break from flights or bookings, etc., etc. I think a better question is whether the systems were designed to accommodate changes, e.g. for the car wash, was it designed to accommodate secure local and remote interaction in operation and maintenance?

Forethought in security has historically been associated only with large and/or critical systems or products, and everything else receives security treatment, if any, as an afterthought. This model worked in the past because systems and products lived on their own islands. With the ever-growing connectedness in the new world, there is no choice but to make security part of the design and development process of every system or product.