Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Hackin' At The Car Wash, Yeah
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
9/28/2016 | 10:12:16 AM
Re: Online security while travelling
VPNs are a must-have in public WiFi, for sure. 
User Rank: Ninja
9/28/2016 | 10:04:37 AM
Online security while travelling
Yeah so good on me that I always use vpn server while I travel. And that does not only include overseas travel, I deploy purevpn, my vpn server, no matter if I am going to a restaurant or trainstation drive thru. The reason being these are the hotspot places which have pretty high data hacking ratio since hackers are always on the look outs for places like these. 
User Rank: Ninja
2/27/2015 | 9:30:05 AM
Re: Perspectives from the CW industry
Brian Krebs did a peice on this back in June 2014 "Card Wash: Card Breaches at Car Washes" and the very first thing I think these companies should do is hire someone who actually understands the technology and how it is configured and how it works. Second, they should change the default passwords to the PCANywhere and LogMeIn software built into those systems and insist those passwords are changed regularly and not hard-coded. Third, keep the OS and applications updated and patched, because when you put all of that together and just let hang out on the Internet you're begging for trouble.
User Rank: Apprentice
2/23/2015 | 7:13:05 PM
Perspectives from the CW industry
I'm in the CW business as a tech for a manufacturer (not PDQ). Some things to keep in mind here.

1. The CW industry is very fragmented and proprietary.  A lot of the hardware and software is very proprietary to manufacturer, and very often site specific.  So any hacker gaining access to one system is going to have to spend some time learning what does what in terms of actually controlling the hardware.  For some manufacturers, this will be easier, for others, a hacker is more likely to do damage by accident, than on purpose. 

2. Automatic car washes with web interfaces are still not the majority of that type of equipment in the US.  Most washes are run for 10, 15 years or more and there are a lot of washes still in existance from the late 90s and early 2000s. 

3. One thing I've learned is that many car wash owners don't want to pay for or deal with security.  A lot of these are businesses owned by people who think they will build the site, then go down and pick up their quarters once a week, maybe order soap once in awhile and that's it. It is, quite literally, for a good chunk of the car wash sites, a side business for people who have full time jobs elsewhere.  For some of these guys, it doesn't matter what security the manufacturers build in to the systems, owners will do things like not change passwords from default (even when told to) or will change them to be simple stuff.  So any security regulation aimed solely at the manufacturers will fail if it doesn't take owners into account. 

4. A lot of the current network security flaws at car washes are a direct result of car wash owners refusing to use higher end equipment and hire competent people to install and manage their networks. They're using consumer level routers and modems with default passwords. It makes my job easier when they do use default passwords, but it's a glaring security flaw that many refuse or are too lazy to fix, despite being told to (and being a Payment Card Industry requirement on sites that take credit card). 


I honestly think that the biggest threat of malicious hacking of a car wash to cause damage is not going to come from outside the industry, but is inside the industry, from things like competitors and disgruntled employees. 
User Rank: Ninja
2/23/2015 | 11:26:16 AM
Re: Hackin' At The Car Wash, Yeah
Or slapped around by those brushes! But think of the upside - if you drive through the car wash in a convertible with the top down, as a friend of mine did many years ago, you can get a free bath and blow dry afterwards.
User Rank: Ninja
2/21/2015 | 10:37:22 AM
Re: Hackin' At The Car Wash, Yeah
Someone could get soaped to death.
User Rank: Apprentice
2/20/2015 | 5:33:11 PM
Re: Hackin' At The Car Wash, Yeah
Pretty scary. Who would ever want to hurt someone at a car wash? There are some pretty insane people out there!
User Rank: Strategist
2/20/2015 | 3:22:37 PM
Re: Car wireless
Dr. T., here is a real doozy, forget distracted drivers.   Cars are becoming more autonomous and relying less on humans for decisions - think of features like collision detection with automatic braking.  Hackers have already proven they can access and control the instrument panel wirelessly through built-in wireless adapters.  With this level of intrusion, rogue modification of features e.g. from auto-braking  to auto-accelerate no longer seems far fetched.  Yes, there is a lot more in the horizon...  
User Rank: Strategist
2/20/2015 | 3:07:24 PM
Re: Connectivity spells vulnerability, software lockdown is only a start
I agree and would take it a step further.  There is a role for regulation to every product that has a 'brain' (some processor running firmware), including all consumer devices.  I say so because such products are potential agents of evil.  For example, it is not difficult to imagine a safe sonic emitting toy like the furby in the wrong hands 'tuned' to negatively impact an implantable medical device like pacemakers or cardioverter-defibrillators long feared to be susceptible to sonic emissions.

 I think Billy Rios is approaching this from the angle of product manufacturers having to anticipate the criminal psyche  and defending against it.  That would be a tall order if at all possible.  However, it is reasonable to expect manufacturers to ensure every product they put out to the public operate as originally intended or fail predictably.  To achieve this all manufacturers need to do is assure only certified firmware run in the product and secure chips are available to provide just such assurance.  Regulation can bring this to reality if manufacturers are held accountable when products become direct or contributing agents to human safety or public harzards.


User Rank: Strategist
2/20/2015 | 2:25:36 PM
Re: Have anyone of the reader here deployed any changes into production?
Changes are deployed into production system all the times.  You don't hear of airport shutting down because they need to update firmware in air traffic control or baggage systems, you don't hear of city blackouts because the smart grid systems need updates and/or repair, United and Continental airlines merged a few years back without taking (much) break from flights or bookings, etc., etc.  I think a better questions is were the systems designed to accommodate changes e.g. for the car wash, was it designed to accommodate secure local and remote interraction in operation and maintenance?  

Forethought in security has historically been associated only with large and/or critical systems or products and everything else receives security treatment, if any, as an afterthought.  This model worked in the past because systems and products lived in their own islands.  With the ever growing connectedness in the new world, there is no choice but to make security part of the design and development process of every system or products.
Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-07-06
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. This vulnerability is due to insufficient pro...
PUBLISHED: 2022-07-06
A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability is due to the storage of certain unencrypted credentials....
PUBLISHED: 2022-07-06
A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an auth...
PUBLISHED: 2022-07-06
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity ...
PUBLISHED: 2022-07-06
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to incorrect handling of multiple simultaneous device registrations on Cisco SSM On-Prem. ...