“The Internet of Every Little Thing. That is what they should have called it. Or the Internet of Cookies & Ice Cream. That screams out: Trust us! You’ve got nothin’ to hide if you’ve got nothin’ to hide. But Jesus, they do suck up every single piece of data. And if you don’t like it? Too bad. Man up and shut up, pussy willow. Keep your head down and your mouth shut…” Excerpt: Hawkins Bay
26 July 2017 | Kim Zetter | Motherboard
The security problems found in internet-enabled medical equipment and cars in recent years have raised a lot of awareness about the public safety risks of connected devices. But it’s not just life-saving implements and fast-moving vehicles that pose potential harm.
A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the systems to physically attack vehicles and their occupants.
The vulnerabilities would let an attacker open and close the bay doors on a car wash to trap vehicles inside the chamber, or strike them with the doors, damaging them and possibly injuring occupants.
“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Billy Rios, the founder of Whitescope security, told Motherboard. Rios conducted the research with Jonathan Butts of QED Secure Solutions. They plan to discuss their findings this week at the Black Hat security conference in Las Vegas.
Rios, working at times alone and with colleagues, has exposed many security problems over the years in drug-infusion pumps that deliver medicine to hospital patients; in airport x-ray machines designed to detect weapons; and in building systems that control electronic door locks, alarm systems, lights, elevators, and video surveillance cameras.
This time his focus was on the PDQ LaserWash, a fully-automated, brushless, touchless car wash system that sprays water and wax through a mechanical arm that moves around a vehicle. PDQ car washes are popular throughout the US because they don’t require attendants to operate.
Many of the facilities have bay doors at the entrance and exit that can be programmed to automatically open and close at the start and end of a day, and a touchscreen menu that allows drivers to choose their cleaning package without interacting with any workers.
The systems run on Windows CE and have a built-in web server that lets technicians configure and monitor them over the internet. And herein lies the problem.
Rios says he became interested in the car washes after hearing from a friend about an accident that occurred years ago when technicians misconfigured one in a way that caused the mechanical arm to strike a minivan and douse the family inside with water. The driver damaged the vehicle and car wash as he accelerated quickly to escape.