Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security

Also Hackable: Drive-Through Car Washes 103

PLAR writes It turns out LaserWash automatic car washes can be easily hacked via the Internet to get a free wash or to manipulate the machines that clean the cars, a security researcher has found. Billy Rios says these car washes have web interfaces with weak/default passwords which, if obtained, could allow an attacker to telnet in and use an HTTP GET request to control the machines. Rios adds that this probably isn't the only car wash brand that's vulnerable.
This discussion has been archived. No new comments can be posted.

Also Hackable: Drive-Through Car Washes

Comments Filter:
  • by Anonymous Coward

    Embedded system developers suck at all things internet, especially security.

    • They haven't yet gotten used to a world where security by obscurity just doesn't work anymore.

      • I know security types like to trot out the old security through obscurity line all the time, but the simple fact is that most of the time obscurity is good enough.
        • It's good enough, until someone discovers the obscurity and then its not so obscure anymore (or secure).

    • .... and Anonymous Cowards are idiots who believe absurd generalizations. I've got news for you. The entire software developing world is made up mostly of people who don't understand security and such at all things internet. There are Embedded Systems Developers that know about, understand, and care about security and there are many more others who don't. Now, substitute any field with the exception of software security and its vein, and the statement still holds true.
  • Them vs Us (Score:1, Offtopic)

    The North Korean hackers will love this. Since they can't wash their own cars, they can wash ours.
  • by Anonymous Coward

    Seems like causing damage to cars or injuring people would be a bigger concern than free car washes. It is a room full of large automated machines after all.

    • Yes but free car washes could motivate the owners to change the damn default passwords! Not like something trivial like stealing the credit card numbers of everyone who gets a car wash.
  • by mspohr ( 589790 ) on Friday February 20, 2015 @05:47PM (#49097197)

    Car?
    Wash?

  • by davidwr ( 791652 ) on Friday February 20, 2015 @05:48PM (#49097211) Homepage Journal

    Some things just should never be put "on the Internet."

    If you must have remote access, either use a dedicated physical connection (with appropriate anti-tampering/tamper-mitigation measures of course) or tunnel them through a rock-solid VPN, but for goodness sake don't put them "on the Internet."

    Yes, companies that run industrial equipment, traffic lights, etc., I'm looking at you too.

    • by nitehawk214 ( 222219 ) on Friday February 20, 2015 @06:44PM (#49097575)

      So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

      Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

      Think about it. Devices need to be connected. Security isn't hard, companies need to start giving a shit about it.

      • by msauve ( 701917 )
        In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?
        • In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

          Processing overhead, installation overhead, and maintenance overhead.

          Look at the summary. In most cases people couldn't be bothered setting a password, what makes you think they would setup a VPN given the option? Quite often the interfaces to these devices and some shitty tiny little 8-bit micro bolted onto the back of some ethernet or cellular chip. Coding a VPN is a bit more difficult than spitting single unencrypted numbers to a pre-programmed IP address.

          And how much money is preventing someone from get

          • by msauve ( 701917 )
            That's a lengthy strawman argument. But you still fail, the cost of a router which can do an IPSec VPN is under $40.
            • Are you suggesting that the vendor will double the amount of capital investment in their electronics, implement a 3rd party system for which they have little control, and retrain all their techs to setup VPNs (I work with techs for equipment like this, they are basically out of their depth if they aren't given a PC with IP address set to the correct subnet)?

              Or maybe they want to maintain control, guarantee hardware support and a stable system on which to network their platform in which case you can multiply

              • A security camera (powered with DVR but not web connected of course) at the entry is all that is needed.

                The car wash logs should expose when it was tampered with and who via license plates (excepting a deep break that can override/clear logs, a lot of work for a car wash...).

                I think the police would enjoy tracking down people hacking car washes, it would give them positive/fun visibility (local news would eat this up) and probably involve felony level charges for hacking (rather than just stealing a $10 car

              • I don't think anyone is arguing that the best approach is to first set it up like an idiot and then turn around and do it the right way. This is a discussion about what the right way to do it is, not what turkey's who did it wrong should do now that security has flown the coop so to speak. In truth though, from reading the article all I see is - if an attacker had a password or could somehow get access to the web interface. That isn't much different than claiming banks are insecure because if someone got
              • by msauve ( 701917 )
                "Are you suggesting that the vendor will double the amount of capital investment in their electronics..."

                No, I wouldn't think of blaming the vendor, when the issue is obviously that you have neither the knowledge nor skillset needed to understand how to do VPN deployments.
        • The GP doesn't get that you use a VPN by, wait for it ... being on the internet!. His solution to not having it on the internet is literally don't connect it to the Internet! That's stupid. You can use a VPN! I must have missed the detail, but how are the VPN packets going to reach the system? Oh, right. Because it's connected to the internet! That's what I'll do. I won't connect to the internet, but I'll use a VPN that uses the .. oh shit.
          • You don't connect the system to the internet, you connect it to a LAN, with one of the clients on that LAN being a VPN endpoint with its own (not via the LAN) internet connection. Nothing on that LAN is on the internet, nothing on the LAN can call out to the internet, and nothing on the LAN can be accessed via the internet, save for the VPN box, which will have a much, much smaller attack surface than . And none of those devices are on the internet; the VPN simply gives you an entrypoint into the LAN via th
      • Connectivity != Internet.

        Take traffic lights for example:

        Long before the Internet was more than just a government/university/defense-contractor environment, traffic lights had 2-way communication.

        Were they hackable? Yes, to someone with physical access to the communications wires and by the 70s or 80s, maybe to someone who had access to the telephone-company infrastructure. That meant someone in the same metro area as the traffic lights themselves. But they probably were not hackable by someone sitting i

      • Security isn't hard

        LOOOOOOOOOOOOOOOOOOOOL

        It's time to play "Slashdot Feud"!

        We asked 100 Slashdotters who they thought OP was after reading his post.

        Survey says:

        1) An Ignorant Piece of Shit Talking Out of His Ass - 57
        2) Your Typical Troll - 36
        3) Frosty Piss - 6
        4) APK - 1

        • by davidwr ( 791652 )

          Security isn't hard

          LOOOOOOOOOOOOOOOOOOOOL

          When Nighthawk214 wrote [slashdot.org] that security wasn't hard, he wasn't wrong, but he was incomplete.

          Security by itself isn't necessarily hard. If I want to secure data that I won't need to use without 1 business day's notice, I can just take two disks, each with a copy of the data, to my bank and put it in the safe-deposit box. Not hard at all. With a little extra effort I can encrypt each with a one-time pad and put the 4 disks in different banks.

          Security with online or near-online usability requirements by a lar

      • by mjwx ( 966435 )

        So, you can't stick a credit card into the thing. And when it breaks down nobody gets alerted.

        Erm, you call the number on the machine or go talk to the petrol station attendant. Or you could just use cash like normal people.

        Traffic lights: No ability to know when they are working or not, no way to synchronize lights across the city.

        Traffic management systems are very different. These are very complex systems monitored by professionals and attended to 24/7. What the GP is saying is you dont need to connect every bloody toaster and waffle iron to the internets. One of the big reasons is they'll never be properly secured from attack.

    • Perhaps you are aware that there are banks on the internet? Every time some system that was never designed to be secure in the first place gets cracked someone always pipes up with this absurd claim, that the problem is that they connected it to the internet in the first place. That isn't the problem, and characterizing that way is absurd. They could have opted to do as you say, and that is certainly a very valid approach. It is, however, not - as you suggest - the only/right choice. They could have op
  • The article has a picture of a BMW going through a brush wash. It would void the warranty. BMW says only BMW certified brushless car washes are compatible. Using unauthorized car washes will void the warranty.
    • Re: (Score:3, Insightful)

      [anyoldlameexcuse] will void the warranty if they can get away with it.
    • I wouldn't be surprised if you aren't joking :) BMW has their own brand of expensive washer fluid, for God's sake.

    • http://en.wikipedia.org/wiki/M... [wikipedia.org] Yes, IIAL (but not your lawyer), and no, going to the wrong car wash doesn't void your warranty. That's silly.
      • I would venture that the OP is regurgitating some dealer scare story from the days when BMW made cars with telescoping antennas that would get ripped off by the automated washers.

    • The article has a picture of a BMW going through a brush wash. It would void the warranty. BMW says only BMW certified brushless car washes are compatible. Using unauthorized car washes will void the warranty.

      Who told you that?

      • You don't know BMW. It would void a warranty if you keep their car in an unapproved or incompatible garage. Only BMW approved soda compatible soda cans are permitted in the drink holders. I would not be surprised if it has a list of approved shoes that are compatible with the damned accelerator pedals.
        • Multiple BMW owner here, what the fuck are you smoking?

          The limited edition "frozen" paints offered on a few M cars in recent years have very specific care instructions, but that's the nature of the beast with a true matte paint finish on a car. They don't have the protection a nice thick layer of clearcoat offers cars with normal modern paint.

          Beyond those however they're just a well done normal automotive paint job. My beater 3 series is 13 years old and rarely gets washed, but when a friend got bored and

  • by MillionthMonkey ( 240664 ) on Friday February 20, 2015 @06:03PM (#49097301)
    What a pity this wasn't discovered sooner... Skyler White could have asked Saul Goodman to hire his Eastern European hacker again to launder Walt's meth money through that car wash using HTTP GET requests.
  • Online Manual (Score:5, Informative)

    by chill ( 34294 ) on Friday February 20, 2015 @06:07PM (#49097327) Journal

    A quick Google search for "laswerwash ip address" and the very first link is a PDF of the LaserWash Owner/Operator manual with LOTS of useful information.

    Things like default IP address, default port, default passwords, command sequences, etc.

    • 12345? That's a combination a stupid person would have on their luggage.

      Hey...that's MY password.

    • by Anonymous Coward

      Is there a setting for "boil"?
      How about for "fricasee"?

      What's the point in washing with lasers, if you can't overdo it?

  • by Anonymous Coward on Friday February 20, 2015 @06:12PM (#49097361)
    comes out clean.
  • by Anonymous Coward on Friday February 20, 2015 @06:13PM (#49097371)

    Sudo wax on

  • Who washes their car in the winter? By the time you've driven it home its dirty again.

    • Where you live maybe. Here we had a high of 84 and a low of 51.
    • by swb ( 14022 )

      It's no different than brushing your teeth or cleaning the dishes. They all get dirty again.

      The point isn't to keep it clean, but to at least wash off some of the corrosive salt spray and grime so you don't strip the clearcoat and then the paint off.

      My wife never washes her car (or not enough) and it looks like shit, with finish is dull and maybe even faded a little. I wash mine 2-3 times per week, usually before I come home and its maybe half a mile home. In all but the wettest, sloppy weather it make

      • I wash mine 2-3 times per week

        Fuck you, you selfish, vain, shallow eco terrorist.

        • by swb ( 14022 )

          No, fuck you.

          I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

          I figure the best and most ecological way to do this is to make the car I have last, and one of the way to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the f

          • Well, of course! They can't see the amount of water and chemicals used in that process, so it must be zero!
          • No, fuck you.

            I don't know what fantasy land you've shaped in mom's basement, but outside a tiny fraction of the US you need a car to make a living.

            I figure the best and most ecological way to do this is to make the car I have last, and one of the way to make it last is to take care of it. Road salt is highly corrosive, the sand they put down turns to dust which in turn can etch the paint. Once rust starts, you can't really stop it and then you need a new car. And salt is corrosive to more than just the finish, it's corrosive to the undercarriage and mechanical systems, too.

            But I suppose you think it's more ecological to just make more cars.

            Fuck off, shitwick.
            You don't need to wash your fucking car 3 fucking times a week to prevent it from rusting out unless you live in a fucking salt mine. You're one of those aging failures who see their cars as a replacement for their underused, undersized penises.

    • Most people making slightly below the median income level or more and whom reside in the upper mid-west. Ice melt chemicals aren't the kindest thing to a car. Unlimited wash packages exist for a reason. Now it seems they just got a bit less expensive.
    • The sun shines for maybe an hour and idiots are lined up at the car wash. It's gonna snow the next day anyhow so why bother?

  • If you're controlling something, it should at least be a POST.

  • He hacked the machinery to make it look as though the car wash was handling ten times the number of customers that it actually was. It even printed out fake activity reports for the IRS.

    • by neminem ( 561346 )

      Nitpick: by the time he owned a car wash, he wasn't actually teaching chemistry anymore (too busy at his new job. (Of owning a carwash. Totally that and nothing else.))

      It is pretty funny how I think of that show every time I visit a carwash or a fried chicken joint now.

  • Are the cameras (to prove that the damage to the car was there before the wash) also hackable?

  • Billy Rios sums things up interestingly with this sentence:

    "If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," says Rios, founder of Laconicly.

    The trick with control systems...which is what the computers controlling this car wash are...is that logical actions result in kinetic effects. And you can't reboot physics, or restore solid objects from backup.

It is not best to swap horses while crossing the river. -- Abraham Lincoln

Working...