Two Students Uncover Security Bug That Could Let Millions Do Their Laundry For Free (techcrunch.com)
Two university students discovered a security flaw in over a million internet-connected laundry machines operated by CSC ServiceWorks, allowing users to avoid payment and add unlimited funds to their accounts. The students, Alexander Sherbrooke and Iakov Taranenko from UC Santa Cruz, reported the vulnerability to the company, a major laundry service provider, in January but claim it remains unpatched. TechCrunch adds: Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours one January morning with his laptop in hand, and "suddenly having an 'oh s-' moment." From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed "PUSH START" on its display, indicating the machine was ready to wash a free load of laundry.
In another case, the students added an ostensible balance of several million dollars into one of their laundry accounts, which reflected in their CSC Go mobile app as though it were an entirely normal amount of money for a student to spend on laundry.
several million dollars that will you hard time in (Score:2)
several million dollars that will get you hard time in San Quentin
Re: (Score:1, Funny)
Re:several million dollars that will you hard time (Score:4, Insightful)
And don't forget the spelling lesson! How could we communicate without that?
Not Stealing (Score:4, Funny)
Thank you for providing some insightful commentary that stealing money is illegal.
It's not stealing, just money laundering.
Re: (Score:3)
It's only illegal for some people.
Re:several million dollars that will you hard time (Score:5, Funny)
several million dollars that will get you hard time in San Quentin
Where you'd undoubtedly be assigned to laundry detail. :-)
Re: (Score:2)
Several virtual million dollars only useful for doing laundry since I'd expect it to not be refundable.
Re: (Score:2)
I could sell those to other tenants pretty easily for quarters. Chicken feed amounts, mind you, but it could be done.
Re: (Score:2)
Ah yes, turning it into properly-usable currency. "Money labeling" or something like that.
Re: (Score:2)
They could go into the laundry business. Make a fortune!
Re: (Score:2)
Re: Computer Crime (Score:2)
Probably the bit where the article implied that people should use the vulnerability to do free laundry.
Re: Computer Crime (Score:3)
The implication is that they COULD.
YOU inferred that you should.
The author is only responsible for their implication, not your inference, and nowhere was the activity in question promoted.
Re: (Score:2)
I don't think they're stealing "money". Loading up credits in the laundry "account" is just stealing laundry cycles. I doubt that you can transfer these credits out as cash. THEN it would be stealing... but I'll bet the transfer is NSF...
Re: (Score:2)
Maybe not stealing money, perhaps. But still stealing. The law doesn't care if what you stole was money or not. If it has value and didn't belong to you, it's still theft, and you can still go to prison for it.
Re: Computer Crime (Score:1)
Get a grip, loser.
Re: (Score:2)
This wasn't $1.00 worth, it was "millions of dollars" worth.
And the backup charge would be some kind of unauthorized computer access, which is a federal crime, and sometimes, the feds get pretty enthusiastic about prosecuting it even for small amounts.
(The actual state charge would be some kind of fraud, I suspect. And very likely a felony regardless of the amount.)
Re: (Score:2)
No... there are not millions of dollars involved here. You've maybe got a data alteration legal violation of some sort, one that wouldn't change if it were 1 dollar or a bajillion, but until some good or service changes hands you haven't got anything worth anything. And given the rate of extraction of a couple bucks an hour they'd have to really up their soiled clothes production for it to rise above the pettiest of theft.
Re: (Score:3)
Probably not theft if it's not used.
I suspect the account has "no cash value", so the theft would be using it for free laundry.
But there's probably serious crimes WRT unauthorized access or wire fraud or some such in the loading of the money, just not theft.
the location may get an % of each wash (Score:2)
The location may get a % of each wash, so loading that free money and using it a lot does cost CSC ServiceWorks $.
Re: (Score:2)
That's also why many services do have the "non-refundable" clause since if someone hacks the system to get more credits or there's a bug they can't really do much more with it than run more laundry cycles or lose it completely. Some services also have a "use before" clause after which time you lose all credits.
After all many of those systems are created by the cheapest provider that's only doing the minimum effort needed.
So if there are just a few doing this and not everyone then it's not worth fixing. But
Re: Computer Crime (Score:2)
Re: (Score:2)
(A)wash in cold cash (Score:5, Funny)
startMachineFreePlay? (Score:2)
This is not an arcade game, so why code using "free play"?
just because you can........ (Score:1)
IoT (Score:5, Funny)
As always, remember that in IoT, the "S" stands for Security.
Re: (Score:2)
Security Hardened Internet of Things. SHIOT.
Re: (Score:2)
The vendor failed Security 101 (Score:5, Informative)
Oh no, university students might be incentivized to do their laundry! Whatever is the world coming to?
Yeah, obviously I'm being facetious. But the article has this gem (emphasis added): "[...] any security checks are done by the app on the user's device and are automatically trusted by CSC's servers."
I have exactly zero sympathy for the laundry vendor here. That's just plain idiotic. It's totally understandable that it hasn't been fixed in the past five months, too. That's going to require a fundamental redesign of the app and server. Probably the machine's firmware as well, since it sounds like the machine doesn't do anything to authenticate the source of the commands either.
Re: (Score:3, Insightful)
the machine interface units likely make calls with (Score:3)
The machine interface units likely make calls with no auth as well.
Someone can run a script that reports all machines as being in an error mode, or set all of them to freeplay mode.
and they can make the hacker foot the bill for all (Score:2)
And they can make the hacker foot the bill for all of it.
Let's see: $150-$300 tech visit fee per machine + $200-$500 in parts (new controller), plus the cost of any other damage found on the machine.
And then add at least $50K-100K to cover the costs of updating the software and server.
Maybe they can remote update the machines, but they may need to have a machine tech and maybe a software / IT tech at each site to manually re-pair the devices and change the machine IDs if needed.
Re: (Score:2)
Re: (Score:3)
Makes sense to me. Having the phone handle it means it can be done via an app with no internet connection, saving a whole lot of money in maintenance-related troubles. Sure, it also means that some idiot could risk jailtime to save a few bucks on laundry, but who'd be dumb enough to do that?
they remotely monitor machine health (Score:2)
They also remotely monitor machine health, so it seems the machines are online as well.
Re: (Score:2)
"Sure, it also means that some idiot could risk jailtime to save a few bucks on laundry, but who'd be dumb enough to do that?"
I see that you don't know any university students.
Re: (Score:3)
That's probably the biggest problem - how do you do coin laundry when you don't have an internet connection? In the past, you did it with real coins, and those were a pain to deal with (given it costs like $5 now, that's
Re: (Score:1)
I really need to know how you think a phone without an internet connection is then "automatically trusted by CSC's servers."
Re: (Score:2)
Easy, if it is trusted it doesn't need to be checked. So, naively giving them the benefit of the doubt, if the internet is down then the trusted phone app can make the washing machines go, for great profits and convenience and reliability and customer satisfaction. And then later tell the server what it did. It makes no sense to risk losing a customer and his friends over not wanting to spend $0.50 of water and electric, the 2,000% markup will quickly make up for it.
Less naively, they're probably idiots.
Re: (Score:1)
Easy, if it is trusted it doesn't need to be checked. So, naively giving them the benefit of the doubt, if the internet is down then the trusted phone app can make the washing machines go
Again: How is the phone app connecting to the washing machine IF THE INTERNET IS DOWN.
It works like this:
Phone -> Internet -> Server -> Washing Machine
Internet access is a requirement.
Re: (Score:3)
Re: (Score:2)
This. Would upvote if I had mod points.
And it's not just thousands (or 100s of thousands) of attackers, it's all those attackers running bots to simultaneously try thousands of keys in thousands of locks (to continue your analogy).
Re:The vendor failed Security 101 (Score:4, Interesting)
The worst I have seen was a client-server setup where the server offered an authentication call but because of a design flaw, all it did is tell the client if the authentication was good. Either way, or even if authentication was skipped entirely, it would execute any commands sent to it. It was on the client to actually check for authentication and then refuse to send further commands if it failed.
Not naming names due to NDA.
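The two anti-patterns described in this thread (the article's "checks done by the app and trusted by the server" and the parent's "auth call that only informs the client") share one root cause: the server never decides anything itself. The following is an added illustration, not CSC's code or API; the class and field names are constructed, and the toy model shows the trusting server beside one that holds the balance, authenticates the caller, and debits before releasing the machine.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy model of a laundry back end; none of these names are a real API.
@dataclass
class Request:
    account: str
    machine: str
    client_says_authorized: bool = False   # verdict computed on the phone, as in the article
    token: str = ""                        # session proof, only checked by HardenedServer

class VulnerableServer:
    """Pattern from the thread: the client does the check, the server trusts it."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def start_cycle(self, req, price_cents):
        # No funds check, no caller authentication: the client's flag is the whole decision.
        if req.client_says_authorized:
            return "PUSH START"
        return "DENIED"

class HardenedServer:
    """Server owns the balance, authenticates the caller, and debits before starting."""
    def __init__(self, balances, secret):
        self.balances = dict(balances)
        self._secret = secret

    def issue_token(self, account):
        # Constructed session token: HMAC over the account name under a server-side secret.
        # A real deployment would also bind a nonce/expiry; omitted to keep the model small.
        return hmac.new(self._secret, account.encode(), hashlib.sha256).hexdigest()

    def start_cycle(self, req, price_cents):
        expected = self.issue_token(req.account)
        if not hmac.compare_digest(expected, req.token):
            return "DENIED"                    # request is not tied to a server-issued session
        if self.balances.get(req.account, 0) < price_cents:
            return "DENIED"                    # funds are checked here, never on the phone
        self.balances[req.account] -= price_cents   # debit first, then release the machine
        return "PUSH START"
```

The client flag `client_says_authorized` is carried in both requests but only the vulnerable server reads it; the hardened server ignores it entirely, which is the property a code review of such a back end should look for.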
Re: The vendor failed Security 101 (Score:1)
There's another widely-known free laundry hack (Score:5, Funny)
It's been exploited for years by college students all over the world - it's called "visiting your parents".
Re: (Score:1)
worked for me (Score:3)
That one worked well for me, and it wasn't even my idea! My mother *suggested* that I leave my laundry when I came home for dinner that first weekend . . .
Of course, when I went south for law school, I was on my own, and my girlfriend (now wife) would actually break in to my apartment if I didn't hand the laundry over--apparently she was horrified by my wrinkles!
and now I reminisce about those lazy days of college, hanging around the laundry room . . . wait, what??? just what is *wrong* with these kids?
haw
Re: (Score:2)
... and my girlfriend (now wife) would actually break in to my apartment if I didn't hand the laundry over--apparently she was horrified by my wrinkles!
Given she's still married to you, and you're now retired... she must've finally gotten used to your wrinkles.
Just make it free (Score:1)
Long ago my University used these paper-like tickets for laundry. It was quite easy to pull them out and get free laundry, but if you didn't do it right, you'd jam the machine, disabling it. They finally got rid of those systems and just made laundry free, fixed the problem, no more laundry issues after. Just take it from our tuition.
Re: (Score:3)
Our dorm used plastic tokens that would be dispensed from some central site. (I assume the idea was to discourage people from prying open coin boxes on washers and dryers.)
However, when we arrived we learned from the upperclassmen that you could make a wax mold from a real token, then manufacture all the free tokens you want from Elmer's Glue-All. Nobody I knew ever paid to do laundry, but the University never bothered to change out the system while I was there.
Sometimes the glue tokens would jam the mechan
Re: (Score:2)
But that takes time and Glue-All, right? Or was there some way of obtaining Glue-All for free?
Re: (Score:2)
But that takes time and Glue-All, right? Or was there some way of obtaining Glue-All for free?
Yes it was essentially free. Of course I brought a bottle I scrounged from home along with other school supplies, but what else would I have used Glue-All for in college classes? I'm sure that the one bottle I had went bad before I finished it.
Back then, time was essentially free. Dorm life had a prison-like economy: With room and board prepaid by parents, most people just had some pin money for beer. Everything was evaluated in terms of beer equivalents. Genuine tokens for a load of laundry cost at least 3
North Korean uniforms (Score:2)
And the company (Score:2)
...said "thank you for potentially saving our entire business" by giving them $20 credit in free washes.
That's $20 COMBINED, obviously. $10 each.
Re: (Score:2)
Believe me, the value of that reward doesn't even come close to being worth it. Why weren't they offered a bug bounty?
I think maybe CSC noticed (Score:2)
Idiots! No more homework help 4U! (Score:1)
Dammit, I told them to STFU about it; I need free laundry, with the expensive tuition and all. Next ya know, they'll spill the free Top Ramen and condom dispenser bugs. Those are show-stoppers for me.
Bah! In my day... (Score:1)
Re: Bah! In my day... (Score:1)
I didn't have that idea, but for me it was a coin on a long strip of sticky tape. Trigger the mechanism, and get your coin back. Repeat as needed.
Re: (Score:2)
...we'd buy cheap used records and cut them into quarter-sized blanks and feed the laundry machines with those. Kids these days with their fancy technology.
When I'd park on campus, you could pay an attendant cash. I had a $100 bill from my saving that I'd hand over, and they'd say "I can't cash that" and open the gate.
Re: (Score:2)
Every person these guys know... (Score:2)
Progress... (Score:4, Funny)
Progress...instead of laundering money with crypto-currency now doing laundry with a system bug. A total washout...
JoshK.
This is far darker vulnerability than people.. (Score:2)
..realize.
A typical commercial front load washer can use ~1,400 watts, and 4,750 watts for the dryer on the low end.
Assuming all 1,000,000 washers and dryers, around the world, there's the potential to create an instant grid load of 6 gigawatts during difficult situations like in the middle of summer, just as peak load occurs in the United States at 4pm-9pm. High enough load in specific regions of California, Texas, or similar, and sudden brownouts could occur, significantly damaging not only motor base
IoT has failed. (Score:2)
We humans have been laundering our clothes for THOUSANDS of years. Jesus did it. Look it up. It's in the bible. Also Abraham did it, and that's like in the first book of the bible. (Stop now if you're a maga and the only bible you have starts with "Trump said this...")
During EXACTLY NONE of those times was it required that the facility providing that laundry (think "river" and "clay pot") have Internet access.
This has been preached but the masses don't listen. If it doesn't need to be on the Internet
Fake news (Score:2)
Students at UC Santa Cruz don't wear clean clothes.
And they're now serving 400 years in prison (Score:2)
Where are the details? (Score:1)
Re: (Score:2)
This company is so dumb (Score:3)
In other news (Score:2)