KASPERSKY SECURITY ANALYST SUMMIT -- Cancun, Mexico -- Turns out those drive-through car washes have public Web interfaces that can easily be accessed online and used to cause physical damage, manipulate or sabotage mechanical operations, or just score a free wash for your vehicle.
Renowned security researcher Billy Rios -- who has exposed security flaws in medical systems used with X-ray machines and carry-on baggage screening machines at TSA checkpoints, among other critical systems -- detailed here this week how something as mundane as an automatic car wash is also hackable from afar. The Web interface in one popular car wash brand's remote access system he studied contains weak and easily guessed default passwords, as well as other features that could allow an attacker to hijack the functions of a car wash.
Rios decided to explore just how exposed car washes were after a friend who is an executive at a gas station chain that includes car washes told him a story about how technicians had misconfigured one car wash location remotely. The mistake caused the rotary arm in the car wash to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside. The minivan driver quickly accelerated out of the car wash, badly damaging the equipment as well as the vehicle.
The story resonated for Rios, who has been studying public safety ramifications of industrial and other critical systems accessible via the Net. "If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly. "I think there should be some distinction between those types of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you can't allow them [the manufacturers] to voluntarily opt into" security, he says.
Rios went to work looking for exposed automatic car washes online, and found them. "I looked for car washes on the Net, there are a couple of hundred" for PDQ LaserWash, the brand he researched, Rios says. PDQ LaserWash runs an HTTP Web server interface for remote administration and control, and the car wash equipment runs on Windows CE with an ARM processor.
"You can log into it and shell into it … it's just an HTTP post request," Rios says of the car wash systems. He says the problem likely isn't isolated to the particular car wash brand he investigated, either. Rios estimates that there are a thousand or so others online.
The Web interface provides the car wash owners access to the business side of the operation, and technicians the ability to adjust the mechanical parts. "That interface sits on top of an ICS [industrial control system], like the stuff at a power plant. At the end of the day, it really is" an ICS, he says of the engineering Web interface.
All of the "calls" to the Web server go to DLLs, he says. If an attacker were to obtain the default password for the owner or technician account and telnet in, he could ultimately wrest control of some of the car wash operations remotely, or manipulate the sales side.
"You can log into it and get a shell and get a free car wash" with an HTTP GET request, he says. The request is sent to the DLL, which starts the specific type of wash, whether it's the premium or quick cycle, for instance. "This isn't actually an exploit, it's by-design functionality that's built into the device. You just have to get access to the Web interface."
An attacker could also disable the car wash's sensors, or open and close the bay doors, as well as the bridge and trolley parts. "There are a lot of things you can modify" remotely, Rios said in his presentation here.
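The attack surface Rios describes is visible in the controller's own Web-server logs: control requests that were served without any credentials, requests made under a vendor-default account name, and requests arriving from outside the operator's management network. The following is an added example, not code from the talk or from the vendor, of a detector that flags those conditions. The log format, the endpoint names, the management subnet and the default account names are constructed assumptions; only the three risk conditions come from the article.

```python
"""Flag risky control requests in a Web-to-Modbus car-wash controller's access log.

Added illustration, not code from the talk or from the equipment vendor.
The log format, endpoint paths, management subnet and default account names
are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: Common-Log-Format-style lines; the authenticated user is the
# third field and is "-" when the request carried no credentials at all.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only this subnet should ever reach the technician interface.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumption: path prefixes that translate into physical actions (wash
# start, bay doors, bridge/trolley, sensors) rather than business reports.
CONTROL_PATHS = ("/control/", "/door/", "/bridge/", "/trolley/", "/sensor/")
# Constructed vendor-default account names that a site should have renamed.
DEFAULT_ACCOUNTS = {"owner", "technician", "admin"}


@dataclass
class Finding:
    src: str
    user: str
    path: str
    reasons: tuple


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a successfully served control request that is risky."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, user, path, status = m["src"], m["user"], m["path"], int(m["status"])
    if status >= 400 or not path.startswith(CONTROL_PATHS):
        return None  # request was denied, or it does not move anything
    reasons = []
    if user == "-":
        reasons.append("control request served without authentication")
    elif user in DEFAULT_ACCOUNTS:
        reasons.append(f"vendor default account '{user}' still in use")
    try:
        if ipaddress.ip_address(src) not in MGMT_NET:
            reasons.append("source outside management network")
    except ValueError:
        reasons.append("unparseable source address")
    return Finding(src, user, path, tuple(reasons)) if reasons else None


def analyze(lines) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log: one benign technician session, one unauthenticated
# wash start from the Internet, one default account closing a bay door from
# outside, and one denied bridge command.
SAMPLE_LOG = [
    '10.20.0.15 - tech_jsmith [12/Feb/2015:09:01:02 -0600] "GET /report/sales HTTP/1.1" 200',
    '10.20.0.15 - tech_jsmith [12/Feb/2015:09:01:10 -0600] "POST /control/start_wash?cycle=premium HTTP/1.1" 200',
    '203.0.113.7 - - [12/Feb/2015:09:03:44 -0600] "GET /control/start_wash?cycle=premium HTTP/1.1" 200',
    '198.51.100.9 - technician [12/Feb/2015:09:05:01 -0600] "POST /door/bay1/close HTTP/1.1" 200',
    '203.0.113.7 - - [12/Feb/2015:09:06:30 -0600] "POST /bridge/move HTTP/1.1" 401',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding.src} {finding.user} {finding.path}: {'; '.join(finding.reasons)}")
```

Running it over the sample reports the two risky lines (the unauthenticated wash start from the Internet and the default `technician` account operating a door from outside) and stays quiet for the technician working from the management subnet and for the request the server already refused. The same three checks apply to any Web front end that ultimately drives machinery, which is the broader point Rios makes about devices with moving parts.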
"These machines are very dangerous, and typically, when you have these machines installed someplace, they are only able to be operated by qualified technicians. They could hurt someone. So when you start putting these things online, it changes the threat model dramatically," Rios said. The devices are physically connected together at the car wash via Modbus, a popular industrial network protocol.
The Web interface basically translates the web requests into Modbus, which operates the physical car wash equipment, he says.
Rios says securing the remote access of moving parts in machines requires locking down the software against easily exploitable flaws like SQL injection, buffer overflows, and command injection, and of course using strong authentication rather than default or hardcoded passwords.
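Putting Rios's recommendations together with his point that devices with moving parts need a different bar than lights or heaters, the following is an added example, not PDQ's code or Rios's, of how a hardened Web-to-Modbus gateway would handle a request before it ever becomes a Modbus write: it refuses to start with vendor-default credentials, stores only salted password hashes, limits each role to its own actions (owners run washes and read sales, technicians move equipment), allowlists parameter values so a cycle name cannot carry injected content, and applies a safety interlock before moving the bridge. The account names, roles, register map and interlock rule are constructed assumptions; the Modbus PDU layouts used (function 0x06 Write Single Register, function 0x03 Read Holding Registers) are the standard ones.

```python
"""Hardened request handling in front of a Web-to-Modbus car-wash gateway.

Added illustration, not the vendor's code or Rios's. Account names, roles,
register addresses and the interlock rule are constructed assumptions; the
Modbus PDU layouts (0x06 Write Single Register, 0x03 Read Holding Registers)
are the standard ones.
"""
import hashlib
import hmac
import os
import struct

# Constructed vendor-default (name, password) pairs that must not survive commissioning.
VENDOR_DEFAULTS = {("owner", "owner"), ("technician", "technician")}

# Assumption: holding-register map of the PLC behind the gateway.
REGISTERS = {"wash_cycle": 0x0010, "bay_door": 0x0020, "bridge": 0x0030, "sales": 0x0100}
WASH_CYCLES = {"quick": 1, "premium": 2}  # allowlisted parameter values only
ROLE_ACTIONS = {
    "owner": {"start_wash", "read_sales"},
    "technician": {"start_wash", "read_sales", "move_bridge", "set_door"},
}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; never store the clear-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def write_register(address: int, value: int) -> bytes:
    """Modbus Write Single Register PDU: function 0x06, address, value, big-endian."""
    return struct.pack(">BHH", 0x06, address, value)


def read_registers(address: int, count: int) -> bytes:
    """Modbus Read Holding Registers PDU: function 0x03, start address, quantity."""
    return struct.pack(">BHH", 0x03, address, count)


class Gateway:
    def __init__(self, accounts: dict, bay_occupied=lambda: False):
        # accounts: name -> (role, password) as entered at commissioning.
        # bay_occupied: sensor read used for the interlock, injected for testing.
        self.bay_occupied = bay_occupied
        self.users = {}
        for name, (role, password) in accounts.items():
            if (name, password) in VENDOR_DEFAULTS:
                raise ValueError(f"refusing to start with vendor default credential for {name!r}")
            if role not in ROLE_ACTIONS:
                raise ValueError(f"unknown role {role!r}")
            self.users[name] = (role, *hash_password(password))

    def authenticate(self, name: str, password: str):
        """Return the account's role, or None; constant-time compare of digests."""
        rec = self.users.get(name)
        if rec is None:
            hash_password(password)  # spend the same time for unknown users
            return None
        role, salt, digest = rec
        return role if hmac.compare_digest(hash_password(password, salt)[1], digest) else None

    def handle(self, name: str, password: str, action: str, **params) -> bytes:
        """Validate the request and return the Modbus PDU to send, or raise."""
        role = self.authenticate(name, password)
        if role is None:
            raise PermissionError("authentication failed")
        if action not in ROLE_ACTIONS[role]:
            raise PermissionError(f"role {role!r} may not perform {action!r}")
        if action == "read_sales":
            return read_registers(REGISTERS["sales"], 2)
        if action == "start_wash":
            cycle = params.get("cycle")
            if cycle not in WASH_CYCLES:  # allowlist: no free-form strings reach the PLC
                raise ValueError("unknown wash cycle")
            return write_register(REGISTERS["wash_cycle"], WASH_CYCLES[cycle])
        if action == "set_door":
            return write_register(REGISTERS["bay_door"], 1 if params.get("open") else 0)
        if action == "move_bridge":
            if self.bay_occupied():  # interlock: moving parts never move onto a vehicle
                raise PermissionError("interlock: bay occupied, bridge motion refused")
            return write_register(REGISTERS["bridge"], int(params["position"]) & 0xFFFF)
        raise ValueError("unsupported action")


if __name__ == "__main__":
    gw = Gateway({"pat": ("owner", "correct horse battery staple")})
    print(gw.handle("pat", "correct horse battery staple", "start_wash", cycle="premium").hex())
```

The design choice worth noting is that authentication, authorization, parameter validation and the physical interlock all sit in the gateway, before translation to Modbus, because the protocol itself carries no notion of who is asking or whether a car is in the bay. An owner credential is enough to sell washes but not to swing the bridge, and even a technician cannot move it while the occupancy sensor reads true.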
Trey Ford, global security strategist with Rapid7, says car washes are just one example of all types of machines and systems sitting vulnerable on the Net. "[Rios's] talk was not just about browsing the Internet and firing requests through the browser interface. There's Modbus: when you start sending machine-level commands giving devices … directions, such as 'swing the arm out,' you can fire those commands."
It's just a matter of adding a string to get a free car wash, or to close the bay doors, Ford says.