Hacking The Car Wash

As the Internet of Things develops, we’re going to see more and more security issues present themselves as more items move online. We’ve heard recently about an (unnamed) German steel mill being hacked. Next up, renowned security researcher Billy Rios (known for hacking X-ray systems and airport baggage scanning systems) has now flagged up the potential vulnerabilities presented by car washes.

The car wash isn’t necessarily something that jumps to the top of the list when considering the varied security threats that are out there in the big bad world. After all, it’s a large, stationary piece of heavy equipment that only ever gets installed in certain controlled locations (namely petrol stations). But after showing that he could guess a default password on the machine’s web interface and remotely take control of the system that runs the car wash, Rios points out:

“[If] a hacker shuts off a heater, it’s not so bad. But if there are moving parts, they’re totally going to hurt [someone] and do damage…I think there should be some distinction between those sort of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you can’t allow them [the manufacturers] to voluntarily opt into security.”

“…These machines are very dangerous, and typically, when you have these machines installed someplace, they are only able to be operated by qualified technicians. They could hurt someone. So when you start putting these things online, it changes the threat model dramatically”.

Sounds just like a scene at the start of a sci-fi film, doesn’t it?