Two years after researchers Billi Rios and Terry McCorkle first flagged serious vulnerabilities in automatic, smart car wash systems by US manufacturer PDQ, the company is finally acknowledging the danger.
What changed since the initial discovery?
Rios, founder of Whitescope, and researcher Jonathan Butts, founder of QED Secure Solutions, have managed to finally prove that the vulnerabilities can be exploited in a live setting (in their case, a car wash facility in Washington), and that they could lead to car damage and, more importantly, injury or loss of life of customers.
Also, their talk about the issues was accepted to Black Hat USA 2017, and the company obviously realized it could not afford to ignore them any longer.
The unearthed vulnerabilities could allow attackers to access the system’s built-in web server either through the use of a rarely changed and easily guessable password, by sniffing login information as it is transmitted in unencrypted form, or by simply using an authentication bypass exploit.
Once inside, they can make the machine do all kind of nasty things: making the washing rig’s doors close when it shouldn’t , modifying the movements of the washing arm to hit the car or trap users inside it, and so on.
According to the researchers’ findings via the Shodan IOT search engine, there are some 150 vulnerable PDQ systems online that can be fiddled with. PDQ’s car wash systems are widely used in the US, but also in other countries.
In the wake of the researchers’ Black Hat presentation, ICS-CERT has published an advisory about the vulnerabilities, and PDQ has published a product security bulletin advising operators of PDQ car wash equipment to change all the default passwords (the systems’ and their router’s) and to make sure that the car was system is behind a network firewall (not accessible from the Internet).
According to ICS-CERT, the company is working on developing product fixes for the affected systems (LaserWash, LaserJet, ProTouch), namely the authentication bypass issue.