Two college students discovered and reported a security flaw earlier this year that could allow anyone to avoid paying for laundry on more than 1 million internet-connected washing machines in residences and on university campuses around the world.
Months later, the vulnerability remains unresolved after the vendor, CSC ServiceWorks, repeatedly ignored requests to fix the flaw.
University of California, Santa Cruz students Alexander Sherbrooke and Yakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to CSC-operated washing machines and run laundry cycles for free.
Sherbrooke said he was sitting on the floor of his basement laundry room with his laptop early one morning in January when he “suddenly had an 'ah-ha' moment.” From the laptop he ran a script that told the machine in front of him to start a cycle, even though his laundry account balance was $0. The machine immediately started up with a loud beep and flashed “PUSH START” on the display, indicating that the washer was ready to run a free wash.
In another case, the students added a balance of several million dollars to one of their laundry accounts, which the CSC Go mobile app displayed as if it were a perfectly normal amount for students to spend on laundry.
CSC ServiceWorks is a leading laundry services company with a network of more than 1 million washing machines installed in hotels, university campuses, and residences throughout the United States, Canada, and Europe.
CSC ServiceWorks does not have a dedicated security page for reporting vulnerabilities, so Sherbrooke and Taranenko sent several messages through the company's online contact form in January but received no response. They said they also called the company and got nowhere.
The students also submitted their findings to Carnegie Mellon University's CERT Coordination Center, which helps security researchers disclose flaws to affected vendors and provides fixes and guidance to the public.
After waiting longer than the three months that security researchers typically give vendors to fix flaws before publishing them, the students are now revealing more about their findings. The pair first presented their research at the university's Cybersecurity Club in early May.
It's unclear who, if anyone, is responsible for CSC's cybersecurity, and a CSC representative did not respond to TechCrunch's request for comment.
According to the student researchers, the vulnerability exists in an API used by CSC's mobile app, CSC Go. APIs allow apps and devices to communicate with each other over the internet. In this case, a customer opens the CSC Go app, tops up their account, pays, and starts a wash on a nearby machine.
Sherbrooke and Taranenko found that the security checks are performed by the app on the user's device and their results are trusted automatically by CSC's servers, so the servers can be tricked into accepting commands that change an account balance. That lets anyone pay for laundry without actually putting funds into the account.
By analyzing network traffic while logged in and using the CSC Go app, Sherbrooke and Taranenko found they could bypass the app's security checks and send commands directly to CSC's servers, including commands that are not available in the app itself.
Technology vendors like CSC are ultimately responsible for ensuring that their servers run appropriate security checks. Otherwise, it would be like having a security guard guarding a bank vault and not bothering to check who can get in.
The researchers say the server also does not verify that a new user owns the email address they sign up with, potentially allowing anyone to create a CSC Go account and send commands through the API. They tested this by creating a new CSC account with a fictitious email address.
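To make the class of flaw described in the preceding paragraphs concrete, here is an added example that is not CSC's code (the researchers published no API details): a toy top-up and start-cycle API in which the vulnerable handlers trust what the app reports, beside hardened handlers that credit only payments the server can confirm itself, reject replayed payment tokens, and refuse commands from accounts whose email was never verified. Every endpoint shape, field name, token and amount below is an assumption, and the sample data is constructed.

```python
"""Toy model of a laundry top-up / start-cycle API.

Added example, not CSC's code: the researchers described the flaw class
(the server trusts checks done in the mobile app) but published no API
details. Every field name, token and value here is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_verified: bool
    balance_cents: int = 0
    used_payment_tokens: set = field(default_factory=set)


# Constructed sample data standing in for the payment processor's record of
# charges that really succeeded. The hardened design consults this, never
# the client, to decide how much to credit.
CONFIRMED_PAYMENTS = {
    "tok_abc123": {"account": "alice@example.edu", "amount_cents": 2000},
}

CYCLE_PRICE_CENTS = 175  # assumed price of one wash


def vulnerable_topup(accounts, req):
    """Trusts the app: the balance the client claims becomes the balance.

    The app decides whether the card charge succeeded and just posts the
    result, so a hand-crafted request can set any balance at all.
    """
    acct = accounts[req["account"]]
    if req.get("client_checks_passed"):
        acct.balance_cents = req["new_balance_cents"]
    return acct.balance_cents


def hardened_topup(accounts, req, confirmed=CONFIRMED_PAYMENTS):
    """Credits only an amount the server can confirm with the processor.

    Any client-supplied balance field is ignored. The token must be known
    to the processor, belong to the requesting account, and be unused.
    """
    acct = accounts[req["account"]]
    token = req.get("payment_token")
    payment = confirmed.get(token)
    if payment is None or payment["account"] != req["account"]:
        raise PermissionError("no confirmed payment for this account")
    if token in acct.used_payment_tokens:
        raise PermissionError("payment token already redeemed")
    acct.used_payment_tokens.add(token)
    acct.balance_cents += payment["amount_cents"]
    return acct.balance_cents


def vulnerable_start_cycle(accounts, req):
    """The app checked the balance; the server just forwards the command."""
    return {"machine": req["machine"], "started": True}


def hardened_start_cycle(accounts, req, price=CYCLE_PRICE_CENTS):
    """Server-side checks: verified account owner and sufficient funds."""
    acct = accounts[req["account"]]
    if not acct.email_verified:
        raise PermissionError("account email not verified")
    if acct.balance_cents < price:
        raise PermissionError("insufficient balance")
    acct.balance_cents -= price
    return {"machine": req["machine"], "started": True,
            "remaining_cents": acct.balance_cents}


def demo():
    """Runs a forged top-up, a legitimate one, a replay and a paid cycle."""
    accounts = {
        "alice@example.edu": Account("alice@example.edu", email_verified=True),
        "nobody@invalid.example": Account("nobody@invalid.example",
                                          email_verified=False),
    }
    # Forged request mimicking the app's post-payment call (constructed).
    forged = {"account": "nobody@invalid.example", "client_checks_passed": True,
              "new_balance_cents": 100_000_000}
    results = {"vuln_balance": vulnerable_topup(accounts, forged)}
    try:
        hardened_topup(accounts, forged)
        results["hardened_forged"] = "accepted"
    except PermissionError as e:
        results["hardened_forged"] = str(e)
    legit = {"account": "alice@example.edu", "payment_token": "tok_abc123"}
    results["hardened_legit"] = hardened_topup(accounts, legit)
    try:
        hardened_topup(accounts, legit)  # same token again
        results["hardened_replay"] = "accepted"
    except PermissionError as e:
        results["hardened_replay"] = str(e)
    results["cycle"] = hardened_start_cycle(
        accounts, {"account": "alice@example.edu", "machine": "W-12"})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the pairing is the one the article makes: a balance or an eligibility decision that the client reports is just another untrusted input, so the server has to recompute it from data only the server controls (the processor's confirmation, its own ledger, its own record of whether the email was verified) before acting on a command.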
By accessing the API directly and consulting CSC's own published list of commands for communicating with its servers, the researchers say it is possible to remotely locate and interact with “all washing machines on the network connected to CSC ServiceWorks.”
Free laundry has an obvious appeal, but the researchers pointed to the potential dangers of connecting heavy appliances to the internet and exposing them to attack. Sherbrooke and Taranenko said they don't know whether sending commands through the API can bypass the safety restrictions that modern washing machines have to prevent overheating and fires. They said someone must physically press the start button on the washer to begin a cycle, and until then the settings on the machine's front panel cannot be changed unless someone resets the machine.
CSC quietly wiped the millions of dollars from the researchers' account balances after they reported their findings, but the bug remains unfixed, and users can still “freely” give themselves as much money as they want, the researchers said.
Taranenko said he was disappointed that the CSC did not acknowledge their vulnerability.
“I don't understand how a company this big could make a mistake like that and then have no way to contact them,” he says. “In the worst-case scenario, people can easily stuff their wallets with money and the company loses a lot of money. To prepare for this kind of situation, how about at least setting up a minimally monitored security email inbox?”
But researchers were undaunted by the lack of response from CSC.
“We do this in good faith, so if you're solving a security problem for a company, you don't mind waiting a few hours to call the help desk,” Taranenko said. “It's fun to conduct this type of security research in the real world, not just in mock competitions,” he added.