Two Students Find Security Bug That Could Let Millions Do Laundry for Free
20/5/24
By:
Amitabh Srivastav
Who could have seen a free laundry exploit for internet-connected laundry machines coming?
A security vulnerability in internet-connected laundry machines has been uncovered by two University of California, Santa Cruz students, potentially allowing millions to do their laundry for free. According to TechCrunch, the exploit was discovered in machines owned by CSC ServiceWorks, a company with over a million laundry and vending machines across colleges, multi-housing communities, laundromats, and other locations in the US, Canada, and Europe.
The Discovery:
Alexander Sherbrooke and Iakov Taranenko identified a flaw in the API used by the machines' companion app. The vulnerability allowed them to:
Remotely start washing machines without paying.
Manipulate laundry accounts to show an exorbitant balance, in effect giving them unlimited free laundry.
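The two findings above are one class of flaw: the server treats account state and machine commands sent by the client as authoritative. The following is an added illustration, not CSC ServiceWorks' code or API, of a toy laundry-payment service that trusts the client beside one that keeps balance, authentication and machine state on the server. The user IDs, machine IDs and the 200-cent price are constructed for the example.

```python
# Added illustration (not CSC ServiceWorks' code): a toy laundry-payment API
# showing the class of flaw described above, then the server-side checks that
# close it. All names, prices and machine IDs are constructed for the example.
import secrets

PRICE_CENTS = 200  # assumed cost of one wash cycle


class AuthError(Exception):
    """Caller presented no valid session."""


class PaymentRequired(Exception):
    """Server-side balance too low for a cycle."""


class MachineBusy(Exception):
    """Machine is already running."""


class VulnerableLaundryAPI:
    """Pattern to avoid: the server trusts account state and commands from the client.

    Anyone who can reach the API (or read a published command list) can
    write an arbitrary balance and start any machine with no payment check.
    """

    def __init__(self):
        self.balances = {}  # user_id -> cents, writable by the client
        self.machines = {}  # machine_id -> "idle" | "running"

    def set_balance(self, user_id, client_reported_cents):
        # The client tells the server how much money it has; the server believes it.
        self.balances[user_id] = client_reported_cents
        return self.balances[user_id]

    def start_machine(self, machine_id):
        # No caller identity, no funds check, no machine-state check.
        self.machines[machine_id] = "running"
        return True


class HardenedLaundryAPI:
    """Same features, but balance and machine commands are authoritative on the server.

    The client can only log in and ask to start a machine. Credits are added
    solely by a server-side path (after a verified charge), never from a
    client-supplied number.
    """

    def __init__(self):
        self._balances = {}
        self._machines = {}
        self._sessions = {}  # opaque token -> user_id

    def register_machine(self, machine_id):
        self._machines[machine_id] = "idle"

    def login(self, user_id):
        # A real deployment verifies a password or identity token here; the
        # example assumes that step passed and issues an unguessable session token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        self._balances.setdefault(user_id, 0)
        return token

    def credit_from_payment_processor(self, user_id, cents):
        # Called only by server-side code once a charge has cleared;
        # there is deliberately no client endpoint that writes a balance.
        if cents <= 0:
            raise ValueError("credit must be positive")
        self._balances[user_id] = self._balances.get(user_id, 0) + cents
        return self._balances[user_id]

    def balance(self, user_id):
        return self._balances.get(user_id, 0)

    def start_machine(self, token, machine_id):
        user_id = self._sessions.get(token)
        if user_id is None:
            raise AuthError("unknown session")
        if self._machines.get(machine_id) != "idle":
            raise MachineBusy(machine_id)
        if self._balances.get(user_id, 0) < PRICE_CENTS:
            raise PaymentRequired(f"need {PRICE_CENTS} cents")
        # Debit before commanding the machine so every running cycle is paid for.
        self._balances[user_id] -= PRICE_CENTS
        self._machines[machine_id] = "running"
        return True


if __name__ == "__main__":
    weak = VulnerableLaundryAPI()
    print("vulnerable: balance ->", weak.set_balance("alice", 10**9))
    print("vulnerable: free start ->", weak.start_machine("washer-1"))

    strong = HardenedLaundryAPI()
    strong.register_machine("washer-1")
    tok = strong.login("alice")
    for attempt in (lambda: strong.start_machine("forged", "washer-1"),
                    lambda: strong.start_machine(tok, "washer-1")):
        try:
            attempt()
        except (AuthError, PaymentRequired) as e:
            print("hardened: refused ->", type(e).__name__)
    strong.credit_from_payment_processor("alice", 500)
    print("hardened: paid start ->", strong.start_machine(tok, "washer-1"),
          "balance now", strong.balance("alice"))
```

The design point is that the hardened service exposes no way for a client to state its own balance: the only credit path is server-side, every machine command is tied to a session, and the debit happens before the machine is told to run.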
Despite the serious implications, CSC ServiceWorks did not respond when Sherbrooke and Taranenko reported the issue via emails and a phone call in January. After their attempts to communicate were ignored, the students noticed that their false millions had been quietly erased, indicating that CSC had taken some action. Zeroing a balance does not by itself show that the underlying API flaw was fixed, however, and the company still did not acknowledge or address the issue publicly.
Security Implications:
This lapse in security highlights ongoing concerns with the Internet of Things (IoT). The machines' vulnerability is a stark reminder of how interconnected devices, from laundry machines to security cameras, can pose significant risks if not properly secured.
Sherbrooke and Taranenko found that CSC's published list of API commands could be used to connect to all of its network-connected laundry machines, exposing a major security hole. CSC's silence is troubling and points to a broader problem across the IoT industry, where companies sometimes fail to address, or even acknowledge, reported security flaws.
Broader Context:
The incident with CSC ServiceWorks is not an isolated case. Similar vulnerabilities have been exploited in other IoT devices, leading to unauthorized access and privacy breaches. For example:
Hackers and even company contractors have been able to view live feeds from security cameras.
Unauthorized individuals have gained control over smart plugs and other home automation devices.
Often, these security gaps are identified and reported by diligent security researchers before they can be widely exploited. However, the effectiveness of such reports depends on the responsiveness of the companies involved. CSC's apparent lack of communication with Sherbrooke and Taranenko is a prime example of how these issues can be mishandled.
Moving Forward:
This incident underscores the necessity for robust security measures in the development and deployment of IoT devices. Companies must take proactive steps to secure their devices and respond promptly to vulnerabilities reported by security researchers. As IoT continues to expand, the potential for such exploits will only grow, making cybersecurity an increasingly critical field.
For consumers, this serves as a reminder to be cautious with IoT devices and to stay informed about the security practices of the products they use. It's also a call to action for better regulation and standards in the IoT industry to protect users from such vulnerabilities.
In summary, while the discovery of this laundry machine exploit by two savvy students is alarming, it highlights a critical need for better security practices and responsiveness in the rapidly growing world of interconnected devices.
All images used in the articles published by Kushal Bharat Tech News are the property of Verge. We use these images under proper authorization and with full respect to the original copyright holders. Unauthorized use or reproduction of these images is strictly prohibited. For any inquiries or permissions related to the images, please contact Verge directly.