Security Bug Found in Commercial Connected Laundry Machines


It can’t be said enough: if an object can be connected, it carries a security risk. Even commercial connected laundry machines have been found to be carrying a major security bug that allowed anyone to send commands remotely to the machines.


Two Students Find Security Bug in Laundry Machines

This issue was first found by two California college students, Alexander Sherbrooke and Iakov Taranenko. In January, Sherbrooke was sitting in the basement laundry room with his laptop, trying to build an app to track the status of the laundry machines. While working on it, he sent a few commands to one of the machines to start a cycle, even though he had no balance in his laundry account. The machine started up and showed the message “Push Start.”


He and his friend then tried adding a fake balance of 13 million dollars to a laundry account. The balance showed up in the machines’ mobile app as though it had really been deposited. These vulnerabilities could lead to many things, but they would certainly allow students, or anyone for that matter, to do their laundry for free.


Laundry Machines Security Bug Reported

Students Sherbrooke and Taranenko reported their findings to CSC ServiceWorks, a laundry service company that operates the machines. The company manages a network of more than a million of these machines that are found in hotels, universities, and residences in the United States, Canada, and Europe.

They couldn’t find a dedicated security page for reporting vulnerabilities, so they sent several messages through an online contact form but never heard back from the company. They also reported the issue to the CERT Coordination Center at Carnegie Mellon University, which helps coordinate the disclosure of security flaws.


The students noticed that commands could be sent directly to the machines’ servers, because the security checks are performed on the user’s device inside the app, and CSC’s servers trust whatever the app sends with no questions asked. Once they examined the network traffic, the two students found they could bypass those client-side checks and send commands straight to the service. Email addresses used to create an account with the app also aren’t verified.

After the customary three months of waiting for CSC to act before going public, Sherbrooke and Taranenko are now revealing more. They believe the vulnerability is in the API used by the mobile app. CSC hasn’t done anything to fix the app, but it did wipe out the larger fake balance. However, smaller amounts of $50 to $100 remain in the account.
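The flaw the students describe is a classic one: the app decides whether a command is allowed, and the server simply believes it. The added example below (illustrative code, not CSC’s API or the students’ tooling; the request shape, the ledger and the price are constructed) shows that pattern next to the server-enforced version, where the server ignores any balance or authorization claim in the request and re-derives both from its own records.

```python
"""Client-trusted vs. server-enforced checks for a 'start cycle' request.

Constructed model of the bug pattern in the article: the mobile app performs
the balance/authorization check and the server trusts the result. Account
names, prices and request fields are made up for illustration.
"""
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 175  # constructed price for one wash cycle


@dataclass
class Ledger:
    """Server-side source of truth (constructed data)."""
    balances: dict = field(default_factory=lambda: {"acct-1": 0, "acct-2": 500})
    verified_accounts: set = field(default_factory=lambda: {"acct-1"})


def start_cycle_insecure(request: dict) -> str:
    """Vulnerable pattern: the server acts on claims supplied by the client.

    A client that edits the request can assert any balance it likes, or simply
    set 'authorized' to True, and the machine is told to start.
    """
    if request.get("authorized") and request.get("balance", 0) >= CYCLE_PRICE_CENTS:
        return "Push Start"
    return "Insufficient balance"


def start_cycle_secure(request: dict, ledger: Ledger) -> str:
    """Hardened pattern: only the account id is taken from the request.

    Verification status and balance come from the ledger, and the debit
    happens server-side, so nothing the client sends can inflate a balance.
    """
    account = request.get("account")
    if account not in ledger.verified_accounts:
        return "Account not verified"
    if ledger.balances.get(account, 0) < CYCLE_PRICE_CENTS:
        return "Insufficient balance"
    ledger.balances[account] -= CYCLE_PRICE_CENTS
    return "Push Start"


def credit_from_payment_provider(ledger: Ledger, account: str, cents: int) -> int:
    """The only path that adds funds: a trusted, server-to-server callback.

    Clients never post a balance; they post a payment, which the provider
    confirms to the server out of band (confirmation logic omitted here).
    """
    ledger.balances[account] = ledger.balances.get(account, 0) + cents
    return ledger.balances[account]
```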

It needs to be noted that this security issue affects the entire network of devices, not just the ones at that particular college campus. That’s what makes it worrisome. If laundry machines have a security bug like this, think of how many other connected objects that would otherwise be innocuous carry a security vulnerability of their own.

