CATEGORIES
home IT Infrastructure Security

Washing Machine Jailbreak Takes Millions Of Coin-Op Machines To The Cleaners

by Nathan OrdMonday, May 20, 2024, 01:54 PM EDT
students discover vulnerability in laundry machine software for free washes
Are you looking to get some laundry done on the cheap or, even better yet, free? It turns out a security flaw in a popular internet-connected laundry machine vendor could allow anyone to avoid paying the fee for washing or drying clothes. This vulnerability was reported to the vendor months ago and remains unfixed, allowing the unscrupulous to abuse the issue at their pleasure.

In January, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko, with their curiosity and security-mindedness, were experimenting with laundry machines, believed to be at the university, run by a company called CSC ServiceWorks. In their tinkering, Sherbrooke made a discovery that allowed him to start up a laundry machine despite having no funds in his account. The duo's ingenuity was further demonstrated when they were able to add a several-million-dollar balance to their laundry accounts, which showed up in their CSC Go mobile app.

Subsequently, the students reported the vulnerabilities to the company through email as they do not have a dedicated security vulnerability reporting page. They also sent messages to the Computer Emergency Response Team Coordination Center at Carnegie Mellon University to help with responsible disclosure and vulnerability reporting. According to TechCrunch, the students have yet to hear back from CSC ServiceWorks either by email or phone call, the latter of which was also attempted.

After three months of waiting to publish, Sherbrooke and Taranenko have gone public with their findings, which were first shown off at their university cybersecurity club in May. It turns out the CSC mobile app API only does authentication checks on the app, and the servers inherently trust the messages, expecting them to already be authenticated. Setting aside the specific laundry machine instance, this raises concerns about IoT products in general, and large networks of interconnected devices like this. What’s next, dumping all the cans out of a soda machine because they are all interconnected? The Magic 8 Ball says potentially.
Tags:  security, cybersecurity, IoT
TOP CONVERSATIONS
You Next Copilot PC Platform
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment