Security

Also Hackable: Drive-Through Car Washes 103

PLAR writes: It turns out LaserWash automatic car washes can be easily hacked via the Internet to get a free wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords which, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. Rios adds that this probably isn't the only car wash brand that's vulnerable.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    Embedded system developers suck at all things internet, especially security.

    • They haven't yet gotten used to a world where security by obscurity just doesn't work anymore.

      • I know security types like to trot out the old security through obscurity line all the time, but the simple fact is that most of the time obscurity is good enough.
        • It's good enough, until someone discovers the obscurity and then it's not so obscure anymore (or secure).

    • .... and Anonymous Cowards are idiots who believe absurd generalizations. I've got news for you. The entire software developing world is made up mostly of people who don't understand security and suck at all things internet. There are Embedded Systems Developers that know about, understand, and care about security and there are many more others who don't. Now, substitute any field with the exception of software security and its vein, and the statement still holds true.
  • Them vs Us (Score:1, Offtopic)

    The North Korean hackers will love this. Since they can't wash their own cars, they can wash ours.
  • by Anonymous Coward

    Seems like causing damage to cars or injuring people would be a bigger concern than free car washes. It is a room full of large automated machines after all.

    • Yes but free car washes could motivate the owners to change the damn default passwords! Not like something trivial like stealing the credit card numbers of everyone who gets a car wash.
  • by mspohr ( 589790 ) on Friday February 20, 2015 @04:47PM (#49097197)

    Car?
    Wash?

  • by davidwr ( 791652 ) on Friday February 20, 2015 @04:48PM (#49097211) Homepage Journal

    Some things just should never be put "on the Internet."

    If you must have remote access, either use a dedicated physical connection (with appropriate anti-tampering/tamper-mitigation measures of course) or tunnel them through a rock-solid VPN, but for goodness sake don't put them "on the Internet."

    Yes, companies that run industrial equipment, traffic lights, etc., I'm looking at you too.

    • by nitehawk214 ( 222219 ) on Friday February 20, 2015 @05:44PM (#49097575)

      So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

      Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

      Think about it. Devices need to be connected. Security isn't hard, companies need to start giving a shit about it.

      • by msauve ( 701917 )
        In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?
        • In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

          Processing overhead, installation overhead, and maintenance overhead.

          Look at the summary. In most cases people couldn't be bothered setting a password, what makes you think they would set up a VPN given the option? Quite often the interfaces to these devices are some shitty tiny little 8-bit micro bolted onto the back of some ethernet or cellular chip. Coding a VPN is a bit more difficult than spitting single unencrypted numbers to a pre-programmed IP address.

          And how much money is preventing someone from get

          • by msauve ( 701917 )
            That's a lengthy strawman argument. But you still fail, the cost of a router which can do an IPSec VPN is under $40.
            • Are you suggesting that the vendor will double the amount of capital investment in their electronics, implement a 3rd party system for which they have little control, and retrain all their techs to set up VPNs (I work with techs for equipment like this, they are basically out of their depth if they aren't given a PC with IP address set to the correct subnet)?

              Or maybe they want to maintain control, guarantee hardware support and a stable system on which to network their platform in which case you can multiply

              • A security camera (powered with DVR but not web connected of course) at the entry is all that is needed.

                The car wash logs should expose when it was tampered with and who via license plates (excepting a deep break that can override/clear logs, a lot of work for a car wash...).

                I think the police would enjoy tracking down people hacking car washes, it would give them positive/fun visibility (local news would eat this up) and probably involve felony level charges for hacking (rather than just stealing a $10 car

              • I don't think anyone is arguing that the best approach is to first set it up like an idiot and then turn around and do it the right way. This is a discussion about what the right way to do it is, not what turkeys who did it wrong should do now that security has flown the coop so to speak. In truth though, from reading the article all I see is - if an attacker had a password or could somehow get access to the web interface. That isn't much different than claiming banks are insecure because if someone got
              • by msauve ( 701917 )
                "Are you suggesting that the vendor will double the amount of capital investment in their electronics..."

                No, I wouldn't think of blaming the vendor, when the issue is obviously that you have neither the knowledge nor skillset needed to understand how to do VPN deployments.
        • The GP doesn't get that you use a VPN by, wait for it ... being on the internet! His solution to not having it on the internet is literally don't connect it to the Internet! That's stupid. You can use a VPN! I must have missed the detail, but how are the VPN packets going to reach the system? Oh, right. Because it's connected to the internet! That's what I'll do. I won't connect to the internet, but I'll use a VPN that uses the .. oh shit.
          • You don't connect the system to the internet, you connect it to a LAN, with one of the clients on that LAN being a VPN endpoint with its own (not via the LAN) internet connection. Nothing on that LAN is on the internet, nothing on the LAN can call out to the internet, and nothing on the LAN can be accessed via the internet, save for the VPN box, which will have a much, much smaller attack surface than . And none of those devices are on the internet; the VPN simply gives you an entrypoint into the LAN via th
      • Connectivity != Internet.

        Take traffic lights for example:

        Long before the Internet was more than just a government/university/defense-contractor environment, traffic lights had 2-way communication.

        Were they hackable? Yes, to someone with physical access to the communications wires and by the 70s or 80s, maybe to someone who had access to the telephone-company infrastructure. That meant someone in the same metro area as the traffic lights themselves. But they probably were not hackable by someone sitting i

      • Security isn't hard

        LOOOOOOOOOOOOOOOOOOOOL

        It's time to play "Slashdot Feud"!

        We asked 100 Slashdotters who they thought OP was after reading his post.

        Survey says:

        1) An Ignorant Piece of Shit Talking Out of His Ass - 57
        2) Your Typical Troll - 36
        3) Frosty Piss - 6
        4) APK - 1

        • by davidwr ( 791652 )

          Security isn't hard

          LOOOOOOOOOOOOOOOOOOOOL

          When Nighthawk214 wrote [slashdot.org] that security wasn't hard, he wasn't wrong, but he was incomplete.

          Security by itself isn't necessarily hard. If I want to secure data that I won't need to use without 1 business day's notice, I can just take two disks, each with a copy of the data, to my bank and put it in the safe-deposit box. Not hard at all. With a little extra effort I can encrypt each with a one-time pad and put the 4 disks in different banks.

          Security with online or near-online usability requirements by a lar

      • by mjwx ( 966435 )

        So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

        Erm, you call the number on the machine or go talk to the petrol station attendant. Or you could just use cash like normal people.

        Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

        Traffic management systems are very different. These are very complex systems monitored by professionals and attended to 24/7. What the GP is saying is you don't need to connect every bloody toaster and waffle iron to the internets. One of the big reasons is they'll never be properly secured from attack.

    • Perhaps you are aware that there are banks on the internet? Every time some system that was never designed to be secure in the first place gets cracked someone always pipes up with this absurd claim, that the problem is that they connected it to the internet in the first place. That isn't the problem, and characterizing it that way is absurd. They could have opted to do as you say, and that is certainly a very valid approach. It is, however, not - as you suggest - the only/right choice. They could have op
  • The article has a picture of a BMW going through a brush wash. It would void the warranty. BMW says only BMW certified brushless car washes are compatible. Using unauthorized car washes will void the warranty.
    • Re: (Score:3, Insightful)

      [anyoldlameexcuse] will void the warranty if they can get away with it.
    • I wouldn't be surprised if you aren't joking :) BMW has their own brand of expensive washer fluid, for God's sake.

    • http://en.wikipedia.org/wiki/M... [wikipedia.org] Yes, IIAL (but not your lawyer), and no, going to the wrong car wash doesn't void your warranty. That's silly.
      • I would venture that the OP is regurgitating some dealer scare story from the days when BMW made cars with telescoping antennas that would get ripped off by the automated washers.

    • The article has a picture of a BMW going through a brush wash. It would void the warranty. BMW says only BMW certified brushless car washes are compatible. Using unauthorized car washes will void the warranty.

      Who told you that?

      • You don't know BMW. It would void a warranty if you keep their car in an unapproved or incompatible garage. Only BMW approved soda compatible soda cans are permitted in the drink holders. I would not be surprised if it has a list of approved shoes that are compatible with the damned accelerator pedals.
        • Multiple BMW owner here, what the fuck are you smoking?

          The limited edition "frozen" paints offered on a few M cars in recent years have very specific care instructions, but that's the nature of the beast with a true matte paint finish on a car. They don't have the protection a nice thick layer of clearcoat offers cars with normal modern paint.

          Beyond those however they're just a well done normal automotive paint job. My beater 3 series is 13 years old and rarely gets washed, but when a friend got bored and

  • by MillionthMonkey ( 240664 ) on Friday February 20, 2015 @05:03PM (#49097301)
    What a pity this wasn't discovered sooner... Skyler White could have asked Saul Goodman to hire his Eastern European hacker again to launder Walt's meth money through that car wash using HTTP GET requests.
  • Online Manual (Score:5, Informative)

    by chill ( 34294 ) on Friday February 20, 2015 @05:07PM (#49097327) Journal

    A quick Google search for "laswerwash ip address" and the very first link is a PDF of the LaserWash Owner/Operator manual with LOTS of useful information.

    Things like default IP address, default port, default passwords, command sequences, etc.

    • 12345? That's a combination a stupid person would have on their luggage.

      Hey...that's MY password.

    • by Anonymous Coward

      Is there a setting for "boil"?
      How about for "fricassee"?

      What's the point in washing with lasers, if you can't overdo it?

  • by Anonymous Coward on Friday February 20, 2015 @05:12PM (#49097361)
    comes out clean.
  • by Anonymous Coward on Friday February 20, 2015 @05:13PM (#49097371)

    Sudo wax on

  • Who washes their car in the winter? By the time you've driven it home it's dirty again.

    • Where you live maybe. Here we had a high of 84 and a low of 51.
    • by swb ( 14022 )

      It's no different than brushing your teeth or cleaning the dishes. They all get dirty again.

      The point isn't to keep it clean, but to at least wash off some of the corrosive salt spray and grime so you don't strip the clearcoat and then the paint off.

      My wife never washes her car (or not enough) and it looks like shit, with a finish that is dull and maybe even faded a little. I wash mine 2-3 times per week, usually before I come home and it's maybe half a mile home. In all but the wettest, sloppy weather it make

      • I wash mine 2-3 times per week

        Fuck you, you selfish, vain, shallow eco terrorist.

        • by swb ( 14022 )

          No, fuck you.

          I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

          I figure the best and most ecological way to do this is to make the car I have last, and one of the ways to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the f

          • Well, of course! They can't see the amount of water and chemicals used in that process, so it must be zero!
          • No, fuck you.

            I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

            I figure the best and most ecological way to do this is to make the car I have last, and one of the ways to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the finish, it's corrosive to the undercarriage and mechanical systems, too.

            But I suppose you think it's more ecological to just make more cars.

            Fuck off, shitwick.
            You don't need to wash your fucking car 3 fucking times a week to prevent it from rusting out unless you live in a fucking salt mine. You're one of those aging failures who see their cars as a replacement for their underused, undersized penises.

    • Most people making slightly below the median income level or more and who reside in the upper mid-west. Ice melt chemicals aren't the kindest thing to a car. Unlimited wash packages exist for a reason. Now it seems they just got a bit less expensive.
    • The sun shines for maybe an hour and idiots are lined up at the car wash. It's gonna snow the next day anyhow so why bother?

  • If you're controlling something, it should at least be a POST.

  • He hacked the machinery to make it look as though the car wash was handling ten times the number of customers that it actually was. It even printed out fake activity reports for the IRS.

    • by neminem ( 561346 )

      Nitpick: by the time he owned a car wash, he wasn't actually teaching chemistry anymore (too busy at his new job. (Of owning a carwash. Totally that and nothing else.))

      It is pretty funny how I think of that show every time I visit a carwash or a fried chicken joint now.

  • Are the cameras (to prove that the damage to the car was there before the wash) also hackable?

  • Billy Rios sums things up interestingly with this sentence:

    "If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly.

    The trick with control systems...which is what the computers controlling this car wash are...is that logical actions result in kinetic effects. And you can't reboot physics, or restore solid objects from backup.
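
The summary describes controllers that accept machine commands over HTTP GET behind weak or default passwords, and one comment above notes that a control action "should at least be a POST". As an added example (not from the thread, the researcher or the vendor), the Python below shows a controller-side request policy that enforces both points. The paths, the default-password list and the class and function names are hypothetical, and it assumes the traffic already travels inside TLS or a VPN tunnel.

```python
import base64, hashlib, hmac, os

# Constructed values for illustration; none come from a vendor manual.
FACTORY_DEFAULTS = {"admin", "password", "changeme"}
STATE_CHANGING = {"/wash/start", "/door/open", "/arm/move"}  # hypothetical paths

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

class Controller:
    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = None  # None = still in factory state

    def set_password(self, new_pw):
        # Refuse known defaults and short passwords at provisioning time.
        if new_pw in FACTORY_DEFAULTS or len(new_pw) < 12:
            return False
        self.pw_hash = hash_pw(new_pw, self.salt)
        return True

    def _authenticated(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            _, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return False
        return hmac.compare_digest(hash_pw(pw, self.salt), self.pw_hash)

    def handle(self, method, path, headers):
        """Return the HTTP status the controller would send."""
        if self.pw_hash is None:
            return 503  # unprovisioned: refuse all remote control
        if not self._authenticated(headers):
            return 401
        if path in STATE_CHANGING:
            # Actuator commands never ride on a safe, cacheable method.
            return 204 if method == "POST" else 405
        if path == "/status":
            return 200 if method == "GET" else 405
        return 404
```

A controller that answers 503 until an operator sets a non-default password never exposes the factory credential to the network at all, which is the failure the summary describes.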
