Millions of Public Smart Washing Machines Let Anyone Run Washing Cycles for Free, Students Find

A couple of students in California discovered a vulnerability in smart laundry machines run by CSC ServiceWorks that allowed them to wash their laundry for free. While it might not seem like a big deal, the same vulnerability affected millions of other devices worldwide.

Alexander Sherbrooke and Iakov Taranenko, students at UC Santa Cruz in California, discovered they could start a new washing cycle even if they had $0 in the account.

It turns out the vulnerability actually affected the API used by the CSC Go app. The app communicates with the servers via this API, so the students fooled the servers into accepting changes in the accounts balance in the app, even when the users made those modifications. Basically, they informed the servers that they had money in the account even if they didn’t have any.

The problem grew even more complicated when they added millions of dollars into the account, checking whether the app would realize this is not normal. According to a TechCrunch report, CSC ServiceWorks didn’t have a contact page for people to submit vulnerabilities, so they tried to go through the CERT Coordination Center at Carnegie Mellon University.

The students waited more than three months to see if the company responded or fixed the issue, but it didn’t. The company didn’t say anything in response to the submitted vulnerability, but it did wipe out the millions of dollars from the affected account.

Sherbrooke and Taranenko confirmed the vulnerability was still affecting the app and that it could be used, in theory, to give anyone free washing cycles.

A few days after the vulnerability was made public, CSC finally acknowledged the problem. “We would like to thank Mr. Sherbrooke and Mr. Taranenko for their contributions to making companies like CSC ServiceWorks and their stakeholders more secure,” said Stephen Gilbert, CSC’s vice president of marketing. “We apologize for not responding to them in a more timely manner.”

The company also said that it will be easier for researchers to submit vulnerabilities from now on and that it’s working to fix the issue.