Cyberattacks on Car Washes

The height of the information security summer convention season is coming to a close. The big buzz in the media was the voting machine hacking at DEFCON. I also wrote about Broadpwn here on Cylance's blog, which was presented at Black Hat USA 2017. Here's an interesting exploit that you may have missed if you didn't read July 28th's This Week in Security blog: car washes can be cyberattacked!

When I was a toddler, my parents told me a story: They took me through a car wash and I was absolutely terrified. The massive flaps that surrounded the windshield made it look as if the car we were in was being attacked by octopuses worthy of an old Japanese horror flick.

But that was in 1986, and very few people outside of academia or the military had Internet access. There certainly was no way for someone to acquire control of the car wash without physically being there. I really had nothing to worry about.

Turns Out, Car Washes Are Scary in 2017

We're now well into the 21st century. Not only can cars be cyberattacked, but so can the machines that clean them. Billy Rios of Whitescope and Jonathan Butts of the IFIP Working Group on Critical Infrastructure Protection found an easy exploit in PDQ LaserWash® systems. The LaserWash systems they researched have default passwords and run an ARM-based Windows CE implementation that Microsoft stopped supporting in 2013.

So what's the worst that can happen, you might ask. Might a car get lots of warm water but no soap? Alas, what Rios and Butts found was much worse. They found they could open and close the car wash bay doors on command, which could not only significantly damage a vehicle, but also injure the people inside it.

“We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash,” Rios said. “We controlled all the machinery inside the car wash and could shut down the safety systems. You could set the roller arms to come down much lower and crush the top of the car, provided there were not mechanical barriers in place,” Butts added.

Add this to the list of Internet of Things (IoT) attacks, such as those on medical equipment and car operation, that can seriously injure or kill people.

What was the default password that Rios and Butts used? 12345. With passwords that weak and Windows CE vulnerabilities so easy to find, it’s easy to see the real danger some of these IoT attacks can cause.

Perhaps especially concerning is the known vulnerability CVE-2008-2160. It allows arbitrary code to be executed from JPEG and GIF images. It's easy to turn images into Trojans, because file binding software is plentiful and free of charge. Sending image files to a car wash system is no longer a silly idea when you wonder why one would be on the Internet in the first place.

Manufacturer Response

LaserWash manufacturer PDQ responded to The Register:

“We are aware of the presentation at Black Hat USA 2017, and are diligently working on investigating and remediating these issues. As we have advised customers via a product security bulletin issued yesterday, all systems – especially Internet-connected ones, must be configured with security in mind. This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed. Prior to the Black Hat presentation, PDQ had been working with Industrial Control Systems Cyber Emergency Response Team to responsibly advise customers of mitigation measures, and PDQ continues to work with ICS-CERT on this matter. Our technical support team is standing ready to discuss these issues with any of our customers.”

As of this writing, there's still no patch for the LaserWash vulnerabilities.

More Unnecessary Risk in IoT Car Wash Bays

Not only is LaserWash Internet-connected, it also has a web interface that features a Twitter feed. I'm perplexed as to why something like that has to be in car wash software. We can add web exploits and Twitter-specific exploits to the Windows CE vulnerabilities that pertain to LaserWash.

Here's my advice. Don't put car wash systems on the internet. Unlike some types of IoT, it's totally frivolous and the possible risks are very real and worrisome. If the goal was to get email updates on the status of the car wash system, please remember that car washes could be maintained long before any Internet connection was possible.

If IoT car washes must exist (pro tip: they don’t), my advice is to make sure to change all default passwords and make all of your passwords as complex as possible, changing them at least once every three months. Passwords are a problematic authentication device, but if your system is built with them, then the same password policy wisdom that applies to anything else also applies to your car wash.

Also, don't buy a car wash that's built on an operating system that no longer receives security patches. If you work for a company that develops software for IoT car washes, choose a platform for your embedded OS that'll be well supported for many years to come.

Finally, if you develop software for IoT car washes, why does there need to be a web interface? If there really needs to be one, it should only be accessible from an internal network, not the Internet.
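The checks recommended in this section (default passwords, password age, an unsupported OS, a web interface reachable from outside the internal network), written as an audit over a device inventory. This is an added example, not code from the original post or from PDQ; the inventory schema, device names, addresses and dates are constructed, and "three months" is taken as 90 days.

```python
import ipaddress
from datetime import date, timedelta

# "12345" is the default named in the article; the other entries are assumed examples.
DEFAULT_PASSWORDS = {"12345", "admin", "password", ""}
# RFC 1918 and loopback ranges, treated here as "internal network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAX_PASSWORD_AGE = timedelta(days=90)  # assumption: "three months" taken as 90 days

def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)

def audit_device(dev, today):
    """Return the findings for one inventory record (hypothetical schema)."""
    findings = []
    if dev["password"] in DEFAULT_PASSWORDS:
        findings.append("default-password")
    elif today - dev["password_changed"] > MAX_PASSWORD_AGE:
        findings.append("password-older-than-90-days")
    if dev["os_support_ends"] < today:
        findings.append("os-out-of-support")
    # The web UI counts as exposed if it listens on a non-internal address
    # or the edge firewall forwards a port to it.
    if not is_internal(dev["web_ui_address"]) or dev["port_forwarded"]:
        findings.append("web-ui-reachable-from-internet")
    return findings

# Constructed inventory; names, passwords, addresses and dates are made up.
INVENTORY = [
    {"name": "bay-1", "password": "12345", "password_changed": date(2016, 1, 4),
     "os_support_ends": date(2013, 12, 31), "web_ui_address": "203.0.113.10",
     "port_forwarded": False},
    {"name": "bay-2", "password": "t7#Lq9!vXz2p", "password_changed": date(2017, 7, 1),
     "os_support_ends": date(2026, 1, 1), "web_ui_address": "192.168.10.21",
     "port_forwarded": False},
    {"name": "bay-3", "password": "Hq4$mW8@rK1s", "password_changed": date(2017, 1, 15),
     "os_support_ends": date(2026, 1, 1), "web_ui_address": "10.0.5.7",
     "port_forwarded": True},
]

def audit_inventory(inventory, today):
    return {dev["name"]: audit_device(dev, today) for dev in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2017, 8, 15)).items():
        print(name, findings or "ok")
```

An internal address alone is not enough: bay-3 sits on a private range but is still flagged because a port is forwarded to it.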

IoT car washes should also be penetration tested, just as any other IoT device must be. A gas station or auto shop probably lacks the resources to hire pentesters, so testing will likely be the responsibility of the OEM.

The growth of IoT means there will be many more strange demonstrations at information security conventions in the future. I fully expect to write about dry-cleaning system exploits in the near future and the potential steam burns that attackers could inflict upon unwitting customers. Stop connecting things to the Internet that don’t need to be connected to the Internet, please.