Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Security

Two Students Uncover Security Bug That Could Let Millions Do Their Laundry For Free (techcrunch.com) 78

Two university students discovered a security flaw in over a million internet-connected laundry machines operated by CSC ServiceWorks, allowing users to avoid payment and add unlimited funds to their accounts. The students, Alexander Sherbrooke and Iakov Taranenko from UC Santa Cruz, reported the vulnerability to the company, a major laundry service provider, in January but claim it remains unpatched. TechCrunch adds: Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours one January morning with his laptop in hand, and "suddenly having an 'oh s-' moment." From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed "PUSH START" on its display, indicating the machine was ready to wash a free load of laundry.

In another case, the students added an ostensible balance of several million dollars into one of their laundry accounts, which reflected in their CSC Go mobile app as though it were an entirely normal amount of money for a student to spend on laundry.

This discussion has been archived. No new comments can be posted.

Two Students Uncover Security Bug That Could Let Millions Do Their Laundry For Free

Comments Filter:
  • several million dollars that will you hard time in san quintin

  • by kackle ( 910159 ) on Friday May 17, 2024 @01:50PM (#64479755)
    Now THAT'S money laundering.
  • this is not an arcade game so why code useing "free play"

  • While I love the havoc implicit in the idea of a beowulf horde of washing machines, [youtu.be] it's a stupid idea from retarded asshats.
  • IoT (Score:5, Funny)

    by ptaff ( 165113 ) on Friday May 17, 2024 @01:55PM (#64479771) Homepage

    As always, remember that in IoT, the "S" stands for Security.

    • Security Hardened Internet of Things. SHIOT.

    • In any case students have been exploiting a different security hole to get their laundry done for free for decades. What you do is you haul your laundry to your parents' place and dump it there, and when you come back it's washed itself. Not sure how the security exploit works, some sort of biological thing I think.
  • by Chelloveck ( 14643 ) on Friday May 17, 2024 @02:00PM (#64479781)

    Oh no, university students might be incentivized to do their laundry! Whatever is the world coming to?

    Yeah, obviously I'm being facetious. But the article has this gem (emphasis added): "[...] any security checks are done by the app on the userâ(TM)s device and are automatically trusted by CSCâ(TM)s servers."

    I have exactly zero sympathy for the laundry vendor here. That's just plain idiotic. It's totally understandable that it hasn't been fixed in the past five months, too. That's going to require a fundamental redesign of the app and server. Probably the machine's firmware as well, since it sounds like the machine doesn't do anything to authenticate the source of the commands either.

    • Re: (Score:3, Insightful)

      by Chelloveck ( 14643 )
      Apologies for not catching the Unicode in the copy-paste above. No, wait, I take it back. Slashdot, we're a quarter of the way through the fucking 21st century. You shouldn't still puke on Unicode!
    • the machine interface units likely make calls with no auth as well.

      Some can run an script that reports all machines as being in an error mode. Set all of them to freeplay mode.

    • and they can make the hacker foot the bill for all of it.

      Let's see $150-$300 tech visit fee per machine + $200-$500 in parts (new controller) also add the the cost of any other damage found on the machine.

      and then add at least $50K-100K to cover the costs of updating the software and server.

      Maybe they can remote update the machines but they may need have an machine tech and maybe an software / IT tech at each site to manually re pair the devices and change the machine ID's if needed.

      • Nah, they can pay for it with all the remaining change on your account they'll never refund because it's too small or do another load (lock-in). It's been a scam for a while at any place that uses loadable cards. This makes it difficult to to 1 load only. I experienced this recently (in years) in my local habitation. You must buy the card and then fill it with an even amount that can never be leveled-off because of policies, nothing illegal about it, just stealing that you agreed to. Like when business runn
    • Makes sense to me. Having the phone handle it means it can be done via an app with no internet connection, saving a whole lot of money in maintenance-related troubles. Sure, it also means that some idiot could risk jailtime to save a few bucks on laundry, but who'd be dumb enough to do that?

      • they also remotely monitor machine health so the machines are on line as well it seems.

      • "Sure, it also means that some idiot could risk jailtime to save a few bucks on laundry, but who'd be dumb enough to do that?"

        I see that you don't know any university students.

         

      • by tlhIngan ( 30335 )

        Makes sense to me. Having the phone handle it means it can be done via an app with no internet connection, saving a whole lot of money in maintenance-related troubles. Sure, it also means that some idiot could risk jailtime to save a few bucks on laundry, but who'd be dumb enough to do that?

        That's probably the biggest problem - how do you do coin laundry when you don't have an internet connection? In the past, you did it with real coins, and those were a pain to deal with (given it costs like $5 now, that's

      • Just to be clear, you read the sentence "any security checks are done by the app on the user's device and are automatically trusted by CSC's servers," and your takeaway is that "Having the phone handle it means it can be done via an app with no internet connection"?

        I really need to know how you think a phone without an internet connection is then "automatically trusted by CSC's servers."

        • Easy, if it is trusted it doesn't need to be checked. So, naively giving them the benefit of the doubt, if the internet is down then the trusted phone app can make the washing machines go, for great profits and convenience and reliability and customer satisfaction. And then later tell the server what it did. It makes no sense to risk losing a customer and his friends over not wanting to spend $0.50 of water and electric, the 2,000% markup will quickly make up for it.

          Less naively, they're probably idiots.

          • Easy, if it is trusted it doesn't need to be checked. So, naively giving them the benefit of the doubt, if the internet is down then the trusted phone app can make the washing machines go

            Again: How is the phone app connecting to the washing machine IF THE INTERNET IS DOWN.

            It works like this:

            Phone -> Internet -> Server -> Washing Machine

            Internet access is a requirement.

    • Several web systems are being made like this nowadays. By a new generation of developers who have no idea what they are doing in a client-server environment and the worst part, they are too arrogant to realize it.
    • by sjames ( 1099 ) on Friday May 17, 2024 @05:42PM (#64480315) Homepage Journal

      The worst I have seen was a client-server setup where the server offered an authentication call but because of a design flaw, all it did is tell the client if the authentication was good. Either way, or even if authentication was skipped entirely, it would execute any commands sent to it. It was on the client to actually check for authentication and then refuse to send further commands if it failed.

      Not naming names due to NDA.

      • Once found that a newly installed system was running windows server. Administrator password was administratir. Sql server admin password was administrator. Vendor claimed the system couldn't work without those very passwords. Until i told him he was getting it all back. The code had to be rewritten in a hurry. This system was used to control swipe cards giving access to the dozen buildings.
  • by 93 Escort Wagon ( 326346 ) on Friday May 17, 2024 @02:01PM (#64479785)

    It's been exploited for years by college students all over the world - it's called "visiting your parents".

    • It's a little challenging if you didn't grow up in the University Town. I guess you could drive five or six hours to do your laundry... And this also assumes your parents aren't so broke they don't have their own washer and dryer.
    • That one worked well for me, and it wasn't even my idea! My mother *suggested* that I leave my laundry when I came home for dinner that first weekend . . .

      Of course, when I went south for law school, I was on my own, and my girlfriend (now wife) would actually break in to my apartment if I didn't hand the laundry over--apparently she was horrified by my wrinkles!

      and now I reminisce about those lazy days of college, hanging around the laundry room . . . wait, what??? just what is *wrong* with these kids?

      haw

      • ... and my girlfriend (now wife) would actually break in to my apartment if I didn't hand the laundry over--apparently she was horrified by my wrinkles!

        Given she's still married to you, and you're now retired... she must've finally gotten used to your wrinkles.

  • Long ago my University used these paper-like tickets for laundry. It was quite easy to pull them out and get free laundry, but if you didn't do it right, you'd jam the machine, disabling it. They finally got rid of those systems and just made laundry free, fixed the problem, no more laundry issues after. Just take it from our tuition.

    • Our dorm used plastic tokens that would be dispensed from some central site. (I assume the idea was to discourage people from prying open coin boxes on washers and dryers.)

      However, when we arrived we learned from the upperclassmen that you could make a wax mold from a real token, then manufacture all the free tokens you want from Elmer's Glue-All. Nobody I knew ever paid to do laundry, but the University never bothered to change out the system while I was there.

      Sometimes the glue tokens would jam the mechan

      • by _merlin ( 160982 )

        manufacture all the free tokens you want from Elmer's Glue-All

        But that takes time and Glue-All, right? Or was there some way of obtaining Glue-All for free?

        • But that takes time and Glue-All, right? Or was there some way of obtaining Glue-All for free?

          Yes it was essentially free. Of course I brought a bottle I scrounged from home along with other school supplies, but what else would I have used Glue-All for in college classes? I'm sure that the one bottle I had went bad before I finished it.

          Back then, time was essentially free. Dorm life had a prison-like economy: With room and board prepaid by parents, most people just had some pin money for beer. Everything was evaluated in terms of beer equivalents. Genuine tokens for a load of laundry cost at least 3

  • No doubt thousands of North Korean military uniforms will soon turn up in American laundromats.
  • ...said "thank you for potentially saving our entire business" by giving them $20 credit in free washes.

    That's $20 COMBINED, obviously. $10 each.

    • A couple years ago, my Apartment building replaced their coin-op washers with this system. You could pay "anonymously" at a kiosk using a credit card, or download the app on your phone and create an account. If you signed up for an account, they would give you a $5 credit.

      Believe me, the value of that reward doesn't even come close to being worth it. Why weren't they offered a bug bounty?
  • The UCSC security blog mentioned by TechCrunch has no record of the post about this discovery. Either CSC or UCSC has erased that evidence.
  • Dammit, I told them to STFU about it; I need free laundry, with the expensive tuition and all. Next ya know, they'll spill the free Top Ramen and condom dispenser bugs. Those are show-stoppers for me.

  • ...we'd buy cheap used records and cut them into quarter-sized blanks and feed the laundry machines with those. Kids these days with their fancy technology.
    • I didn't have that idea, but for me it was a coin on a long strip of sticky tape. Trigger the mechanism, and get your coin back. Repeat as needed.

    • ...we'd buy cheap used records and cut them into quarter-sized blanks and feed the laundry machines with those. Kids these days with their fancy technology.

      When I'd park on campus, you could pay an attendant cash. I had a $100 bill from my saving that I'd hand over, and they'd say "I can't cash that" and open the gate.

    • That you had money proved you weren't a student. ;)
  • Dude! Just shut up and keep giving us free laundry!
  • Progress... (Score:4, Funny)

    by joshuark ( 6549270 ) on Friday May 17, 2024 @05:17PM (#64480277)

    Progress...instead of laundering money with crypto-currency now doing laundry with a system bug. A total washout...

    JoshK.

  • ..realize.

    A typical commercial front load washer can use ~ 1,400 watts and a 4750 watts for the dryer on the low end.

    Assuming all 1,000,000 washers and dryers, around the world, there's the potential to create an instant grid load of 6 gigawatts during difficult situations like in the middle of summer as just as peak load occurs in the United States at 4pm-9pm. High enough load in specific regions of California, Texas, or similar, and sudden brownouts could occur, significantly damaging not only motor base

  • We humans have been laundering our clothes for THOUSANDS of years. Jesus did it. Look it up. It's in the bible. Also Abraham did it, and that's like in the first book of the bible. (Stop now if you're a maga and the only bible you have starts with "Trump said this...")

    During EXACTLY NONE of those times was it required that the facility providing that laundry (think "river" and "clay pot") have Internet access.

    This has been preached but the masses don't listen. If it doesn't need to be on the Internet

  • Students at UC Santa Cruz don't wear clean clothes.

  • Because that's how the US works. RIP Aaron Swartz.
  • I cannot find the students original article/presentation. Techcrunch states that they "disclosed their research in a presentation at their university cybersecurity club earlier in May" and has a link to https://slugsec.ucsc.edu/posts [ucsc.edu]. But there's nothing on that page at all regarding the hack, nor can I seem to find it anywhere else. Has it been taken down?
    • by at10u8 ( 179705 )
      The UCSC blog is down. The API URL at the company is down. Slashdot and Techcrunch are the only open evidence that this ever happened, but the API is loose out there. The lack of response for a period of months suggests that there can be no fix and that the deployed hardware now has net negative value which CSC is contractually obligated to keep running in order to service the needs of the users at each site.
  • by laughingskeptic ( 1004414 ) on Saturday May 18, 2024 @11:38AM (#64481349)
    that it does not know how dumb it is being. California's Unclaimed Property Law is going to bite them in 3 years when they have to transfer the balances of idle accounts to the state. Some hacker could sprinkle a lot of love around in the form of many small balances creating a giant time bomb for CSC ServiceWorks. This isn't even a technology issue, it is an old fashioned failure to recognize a financial risk.
  • Flaw is found that allows 20-somethings to down load all the 19th-century Slovakian polka tunes they want for free!

Hackers are just a migratory lifeform with a tropism for computers.

Working...