Two American students discovered a security flaw that lets anyone run a laundry cycle for free on more than a million Internet-connected washing machines. The company that operates them has not bothered to respond.
CSC ServiceWorks describes itself as the leading provider of commercial laundry services and air vending solutions in the United States, Canada and Europe. Its washing machines are installed in residences, hotels and universities around the world, but the security of its devices is clearly not a priority.
In January, two University of California students, Alexander Sherbrooke and Iakov Taranenko, managed to start a machine by running a script, even though their linked account had no funds. They later added a multimillion-dollar virtual balance to one of their laundry accounts, which then showed up in the CSC Go app.
An API story
According to the students, the vulnerability lies in the API used by the mobile application, which lets users top up their account, pay, and start a laundry cycle on a nearby machine. The company's servers can be tricked into accepting commands that change the account balance because the security checks are performed client-side, in the app on the user's device, and the servers then accept the result without verifying it themselves.
Sherbrooke and Taranenko were able to bypass the app's security controls and send commands directly to CSC's servers, including commands the app itself does not expose. In practice, anyone can start a company machine without paying, or create a fake CSC Go account, because the servers also do not check whether new users own the email address they register with.
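To make the two weaknesses described above concrete (a server that trusts client-side checks, and accounts whose email ownership is never verified), here is an added, hypothetical Python model showing the vulnerable pattern beside its hardened form. It is not CSC's code or the students' script; the account class, the receipt table and the cycle price are assumptions.

```python
from dataclasses import dataclass

CYCLE_PRICE_CENTS = 250  # assumed price of one wash cycle (not from the article)

@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0

# Constructed sample: receipts the payment processor has actually settled.
SETTLED_RECEIPTS = {"rcpt-001": 1000}   # receipt id -> amount in cents
_consumed_receipts: set[str] = set()    # receipts already credited once

# --- Vulnerable pattern: the server believes what the app reports ---------
def top_up_vulnerable(acct: Account, req: dict) -> int:
    # The app says the payment went through and states the amount itself;
    # nothing is verified here, so any value the caller sends is credited.
    if req.get("payment_ok"):
        acct.balance_cents += int(req["amount_cents"])
    return acct.balance_cents

def start_cycle_vulnerable(acct: Account, req: dict) -> bool:
    # Eligibility and balance were "checked" in the app; the server only
    # looks at the flag the client set, never at the account itself.
    return bool(req.get("checks_passed"))

# --- Hardened pattern: every decision is recomputed on the server ---------
def top_up_hardened(acct: Account, req: dict) -> tuple[bool, int]:
    if not acct.email_verified:              # address ownership must be proven
        return False, acct.balance_cents
    rid = req.get("receipt_id")
    amount = SETTLED_RECEIPTS.get(rid)       # amount comes from the processor
    if amount is None or rid in _consumed_receipts:  # unknown or replayed
        return False, acct.balance_cents
    _consumed_receipts.add(rid)
    acct.balance_cents += amount
    return True, acct.balance_cents

def start_cycle_hardened(acct: Account) -> tuple[bool, int]:
    if not acct.email_verified or acct.balance_cents < CYCLE_PRICE_CENTS:
        return False, acct.balance_cents
    acct.balance_cents -= CYCLE_PRICE_CENTS  # the debit happens server-side
    return True, acct.balance_cents
```

The hardened handlers never read a balance, an approval flag or a payment amount from the request; they only accept a receipt identifier that the server can look up, and they refuse to credit the same receipt twice.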
The students tried to alert the company by messages and phone calls. Their requests have gone unanswered to this day, although the firm did take care to remove the multimillion-dollar balance from their account. They decided to disclose their findings to the media to get management to react.
Potential hazards
The ability to start a machine for free may seem harmless, but the vulnerability of such devices still poses real dangers. For example, sending commands through the API could bypass the safety limits built into the washing machines to prevent overheating and fires.
“I don’t understand how such a large company can make these kinds of mistakes and have no way to contact them,” laments Taranenko.
This case highlights the need for adequate security controls on connected objects. Hackers have previously managed to activate cameras remotely and even take control of smart plugs.
Source: TechCrunch