Don’t go into that smart car wash, you might get trapped inside

Smart car wash systems may not yet be a thing, but they’ve been around for a while. Using nothing but water jets, wax and powerful fans, they can clean your vehicle without physically touching it. However, they can also pose a threat to your life, as demonstrated by two researchers speaking at Black Hat, in Vegas.

Presenting their findings at the 2017 edition of the computer security conference hosted annually in Las Vegas, Nevada, researchers Billy Rios and Jonathan Butts demonstrated what they believe to be “the first exploit of a connected device that causes the device to physically attack someone.”

They showed how internet-connected PDQ car washes can be compromised from afar, allowing an attacker to close the bay doors, trap the car along with its owner inside, and carry out subsequent actions with malicious intent.

The hacker can run a script to cause the trapped person actual physical harm, such as control the water-spewing robotic arm to keep the occupant from exiting the vehicle. In one application, the robotic arm can even be used to hit the vehicle, in what calls to mind a scene from the famous 2001: A Space Odyssey.

Rios and Butts filmed the proof-of-concept with a mobile phone. However, the car wash owners – who nonetheless willingly permitted the hack to be conducted for research purposes in one of their establishments – would not allow the video to be run at Black Hat 2017.

A brushless system, PDQ car washes are automatically operated through Windows Compact Edition (or Windows Embedded Compact), a special version of Windows created by Microsoft more than two decades ago. Microsoft licensed the software to original equipment manufacturers (OEMs) to modify and create their own experience based on what they want to control. In the case of PDQ car was systems, the software is used to control a robotic arm, water sprays, hot air vents and the bay doors.

Microsoft no longer supports Windows CE with updates. Moreover, PDQ systems require a simple username & password combo to be accessed online. If left unchanged, the default password is easily guessed, according to the researchers.

“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Rios said in an interview with Motherboard.

“If you’re relying purely on software safety, it’s not going to work if there’s an exploit in play,” the researcher added. “The only thing that’s going to work [in this scenario] is hardware safety mechanisms.”

The two researchers have been exposing critical security flaws in IoT systems for several years now. One such vulnerability involved hospital drug pumps, which could be exploited to administer an overdose to a patient. The duo also uncovered a flaw in pacemakers that potentially permitted ransomware attacks to be carried out, as well as vulnerabilities in airport x-ray machines (causing them to fail to detect weapons), and in building appliances like alarm systems, electronic door locks, lights, elevators, even video surveillance cameras.

Security experts agree that IoT vendors have a moral obligation to refrain from rushing devices to market solely to beat competition, and instead ensure their products are tested for security issues before leaving the factory. Smart devices also need to be fitted with a way to receive automatic firmware updates if manufacturers are to ensure their safety in the wake of a newly discovered flaw.

Add Comment

Your email address will not be published. Required fields are marked *