Hacking a car wash sounds like an unlikely cyber attack phenomenon where some may think it's just utterly ridiculous to happen. But as gadgets, devices, and machinery continue to become smart and autonomous, the risk of virtual system manipulation becomes increasingly worrying for security researchers. An Internet-based car wash facility has been recently proven to be hackable and could potentially be life-threatening for the users.
[Image Source: PDQ Inc.]
How a car wash could turn into an aggressive machine
Billy Rios, a security researcher and founder of WhiteScope LLC, conducted a proof-of-concept research to exhibit how cyber attackers can potentially cause havoc to vehicles and passengers as they innocently opt for an Internet-connected car wash. On a recent security conference held in Las Vegas, known as Black Hat, Rios presented his findings where he highlighted the importance of changing a default password to protect yourself from potential car wash cyber attacks. Inspired by a story he heard about a vehicle being attacked by a mechanical arm and drench its passengers with water, Rios and his team of researchers used the PDQ LaserWasher system as a case study subject.
The researcher pointed out that smart or automated car wash facilities can be categorized as industrial control systems (ICS), which can be easily hacked and exploited as desired. As Rios and his team managed to penetrate inside the car wash's cyber system, they found a number of features that can be remotely controlled such as taking over the functions of bay doors, removing safety signals, and freely spraying water. The proof-of-concept video obtained by the research team didn't get the permission of PDQ Inc. to be released. It was relatively easy for the research team to penetrate through the interface as the system was only protected by a weak default password.
This system manipulation could potentially be a life-threatening attack as the facility's robotic arms can be used to repeatedly pound on the vehicle and disperse surges of water on its passengers. Furthermore, hackers could easily humiliate the car wash's users by emailing out details of the accident or directly post it to Facebook. These emailing and social media features are available for the facility's owners and operators to track the car wash system's usage.
[Image Source: PDQ Inc.]
With good intentions, Rios presented his team's findings to PDQ and highlighted the system vulnerabilities they discovered two years ago in 2015. However, the car wash manufacturer chose to not do anything about it and no patch has been provided as of Black Hat 2017. Just recently, PDQ has acknowledged their system's vulnerabilities and asserted that they are developing ways to fix the cyber flaws.
Rios' research evaluated that everyone must be quick to change their Internet-connected interface's default passwords and should be cautious before hooking up a personal device to the Internet.
Sources: Security Week, Kaspersky Lab