I just wait for it to rain, me.
Hackers can turn web-connected car washes into horrible death traps
Forget hijacking smart light bulbs. Researchers claim they can hack into internet-connected car wash machines from the other side of the world and potentially turn them into death traps. In a presentation at the Black Hat conference in Las Vegas on Wednesday, Billy Rios, founder of security shop Whitescope, and Jonathan Butts …
COMMENTS
Thursday 27th July 2017 20:59 GMT adnim
Meh
I just buy a new car for cash when the old one gets dirty ;-)
BTW, hackers can bend anything web-connected to their whim, if they are smarter than those that chose the OS and set up the web interface.
Q: WinCE? Isn't there a more secure OS out there that is OSS?
A: Maybe... it depends how it is configured.
Friday 28th July 2017 10:06 GMT Anonymous Coward
Re: Meh
Q: WinCE? Isn't there a more secure OS out there that is OSS?
Possibly, but not even hackers will be immune to the depression and despair that sets in every time one tries to get something done with WinCE. Not so much security through obscurity, more security through induced suicide...
Friday 28th July 2017 02:51 GMT Teiwaz
Re: Automated car wash?
"I always go for the hand job."
I know there are bikini car washing services (allegedly, as not anywhere near where I've ever lived) - but how would that work?
Does someone get in the car with you?
Or is it some sort of pneumatic arm that gets fitted to the door like drive-in restaurant trays (à la Flintstones)?
Thursday 27th July 2017 21:21 GMT Anonymous Coward
"I just wait for it to rain, me."
I just have the car coated with that silicate protective stuff and then explain to anyone who looks like they deserve being bored silly that the car must not be cleaned too much to prevent it being washed away.
That's my excuse anyway.
But, you know, hackers are one thing, but the people who use power washers on their cars don't seem to worry about the consequences of forcing water at pressure into bearings and under rubber boots, or washing off gritty particles at such pressure that they then score the paint. It seems people are quite capable of doing damage themselves.
Thursday 27th July 2017 21:36 GMT Spotswood
Add firewall. Whitelist owner IP address(es), or better, only allow connections secured by a VPN. Problem solved.
Having an unpatched web server accepting traffic from everywhere is bad karma, regardless of the underlying OS. I mean, a web server that's a control system that really only exists so a small subset of people can access it, really doesn't need to be open to the whole world. That's just lazy and asking for trouble.
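The allow-list-plus-VPN approach in the comment above, written out as an added example (not code from the original page, the researchers or the vendor). The operator addresses, the VPN subnet, the port and the nftables table name are constructed for illustration; the same policy is both evaluated in Python and rendered as an nftables ruleset for the firewall in front of the controller.

```python
"""Allow-list a controller's web interface to known operator addresses and a
VPN subnet, and default-deny everything else.

Added example, not from the original post or any vendor. All addresses,
the port and the table name below are hypothetical."""
import ipaddress

# Constructed policy: the only sources allowed to reach the control web UI.
OWNER_ADDRESSES = ["203.0.113.10", "203.0.113.11"]  # operator's static IPs (TEST-NET-3, hypothetical)
VPN_SUBNET = "10.8.0.0/24"                           # addresses handed out by the site VPN (hypothetical)
CONTROL_PORT = 80                                    # the controller's plain-HTTP UI (hypothetical)


def build_allowlist(owner_addresses, vpn_subnet):
    """Single host addresses become /32 networks; the VPN range stays a subnet."""
    nets = [ipaddress.ip_network(a) for a in owner_addresses]
    nets.append(ipaddress.ip_network(vpn_subnet))
    return nets


def is_allowed(src_ip, dst_port, allowlist, control_port=CONTROL_PORT):
    """Policy decision for one inbound packet.

    Traffic to the control port is accepted only from the allow-list.
    Any other destination port is refused outright: nothing else on the
    controller is exposed, which is what 'policy drop' below enforces."""
    if dst_port != control_port:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowlist)


def nftables_rules(owner_addresses, vpn_subnet, control_port=CONTROL_PORT):
    """Render the same policy as an nftables ruleset (default-deny input,
    allow established flows and loopback, allow-listed sources to the UI,
    log and drop everyone else who probes the UI)."""
    sources = ", ".join(owner_addresses + [vpn_subnet])
    return "\n".join([
        "table inet carwash {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr {{ {sources} }} tcp dport {control_port} accept",
        f"    tcp dport {control_port} log prefix \"carwash-ui-denied: \" drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    allow = build_allowlist(OWNER_ADDRESSES, VPN_SUBNET)
    for src in ("203.0.113.10", "10.8.0.42", "198.51.100.7"):
        print(src, "->", "allow" if is_allowed(src, CONTROL_PORT, allow) else "drop")
    print(nftables_rules(OWNER_ADDRESSES, VPN_SUBNET))
```

The logging rule is deliberate: once an interface like this has been on the internet, the denied-connection log is how the operator finds out who is still scanning for it. With `policy drop` the host answers nothing else either, so any remote diagnostics the vendor needs should go through the VPN rather than through a new hole in the list.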
Thursday 27th July 2017 21:38 GMT Anonymous Coward
You might not ever get rich.
But let me tell you it's better than digging a ditch.
Is it really Rose Royce? The internet has now changed that.
What's next, heating systems and a disco inferno?
Ring my bell when people stop connecting stuff to the internet that doesn't need to be as I'd rather be stayin' alive.
Must go, I have the 70's on the other line.
Friday 28th July 2017 00:22 GMT tfewster
ROTM
FOIP (Fist Over IP) becoming a deadly reality - now you can hit someone over the internet by controlling a device that moves. Earlier examples, like opening your victim's CD tray to push their coffee into their lap, or opening a POS terminal cash drawer to punch them in the gut, should have been a warning...
Friday 28th July 2017 01:21 GMT Anonymous Coward
"We are going to DIE!"
> “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.”
That does sound a lot scarier than having the washer doors scratch up your paint job. I'm not buying it, though. A top roller would be mostly counter-balanced so that a small lifting motor could do the job. The remaining weight would be sufficient to keep it pressed to the top of the car, but would not be enough to "crush" the top.
Alternatively it could be over-balanced so that the motor has to drive the roller down, but that too would be a fairly weak motor.
Over-designing the system with crushing capability would be pretty daft, and more expensive too, for no possible reason other than to crush tops.
Friday 28th July 2017 06:24 GMT Anonymous Coward
reminds me of when ...
in the days before self-serve petrol pumps, I worked at a garage in a university town to help pay for my tuition and an exotic motorcycle ... one day the professor of the psychology department, (who had just declined my entry to the honours course), came to wash his classic auto :) he stopped just beyond arm's reach to the coin slot ... had to get out to put the coins in ... got smartly back in and broke the window winding handle :) ...
Friday 28th July 2017 06:43 GMT TheElder
Re Stupid Password
"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life!"
Many years ago I was employed by a multinational corp. I was in an office with a bunch of text only terminals connected to a very early nationwide network. I was waiting for somebody to give me my new 4 digit employee number. While waiting I decided to see if I could do a little hacking. I sat at one of the terminals and typed 9999. Full admin privileges!
Friday 28th July 2017 07:08 GMT John Smith 19
"We controlled all ... machinery inside the car wash and could shut down the safety systems"
It's that last part that makes this an epic fail.
I can (sort of) see a "test" mode where safety cutout switches are disengaged, like for an industrial dryer so it can be watched spinning while the door is open. AFAIK this needs the service engineer to be physically present and to physically do something to make it happen.
But allowing that to be engaged remotely? Are you f**king kidding me?
Monitor status of safety systems, yes. Change them remotely, no.
At heart we have a lot of mfg with the attitude "Security is not important. No one cares about our stuff enough to hack it. There's no money inside it"
They really don't get that if there's a server on the internet someone somewhere will want to know what it does and they will file that information for mischief or money.
BTW, in a spirit of fairness, other no-longer-supported insecure embedded OSes do exist.
Friday 28th July 2017 09:35 GMT Doctor Syntax
Re: "We controlled all ... machinery inside the car wash and could shut down the safety systems"
"Monitor status of safety systems, yes. Change them remotely, no."
Basic rule: just because you can do something doesn't mean it's a good idea. And the converse also applies: just because it's not a good idea it doesn't mean you can't do it.
Friday 28th July 2017 07:51 GMT Dave K
Pathetic!
"The duo said they shared their findings with PDQ in February 2015, and kept trying to warn the biz for two years. It was only when their talk was accepted for Black Hat this year that the manufacturer replied to their emails"
Attitudes like this absolutely stink. The company has been aware of this flaw for over 2 years and never bothered to respond, never bothered to take it seriously, or contact customers to advise them on remediation etc.
I honestly feel that companies that treat disclosures like this in such a cavalier and dismissive manner deserve to be sued into oblivion - should anyone exploit the flaw that they've been fully aware of and have done nothing to guard against. Maybe even some legislation to make it clearly a criminal matter to ignore disclosures of security flaws would be a good idea.
Friday 28th July 2017 10:19 GMT ForthIsNotDead
If you're using WinCE to control a freaking CONTROL SYSTEM...
...then you really do deserve everything you get.
These systems should be controlled by robust PLCs. Not fragile PCs. That's not to say PLCs are perfect. We know that security is an issue with a lot of PLC manufacturers, but you can mitigate that with firewalls and VPNs, but they are thousands of times more reliable in terms of just keeping running than a leaky Windows operating system.
Add to that the fact that the vendor was informed TWO YEARS ago by the black-hatters (sounds like a very white-hatty thing to do, IMO) and they clearly don't give a rat's ass.
Then they have the balls to issue a statement saying that all washer systems should be firewalled! If I had one of those systems on my forecourt, my response would be "So when are YOU coming by to put a firewall in, then? Until then, the system is switched off at the main breaker, since world + dog will now be searching the internet for your fucking web-based carwash user interface."
You really can't make this shit up, can you?
Friday 28th July 2017 10:20 GMT VinceH
Optional
Reading this article, thinking back to the various issues with cars that can be hacked, along with many other things - and the growing obsession to connect anything and everything to the internet - I'm thinking that while Stephen King got the cause wrong, he managed to predict what the future could have in store for us in Maximum Overdrive.
Friday 28th July 2017 10:54 GMT Andy The Hat
Film, Book, Play?
Does this seem like something from a Stephen King novel? "Christine - This time the car gets it." Or "Saw 173 - All Washed Up"
Be great for getting rid of those "dirty scumbags" from the other gang with little or no evidence (if you use an anonymising system). Little bit of enticement, "Getta your big pappa's car washed here." then crush them, give them the brush off, blow them away, hang them out to dry and polish them off ...
Friday 28th July 2017 11:18 GMT John Smith 19
They gave the mfg 2 years to do something about this and the mfg did FA
Until they finally looked like they were facing public exposure to people who could use the information.
No, Mr Mfg, you didn't think this was your problem, but it became your problem the moment you decided to let your machine be connectable to the internet.
Personally I don't want them to go out of business, but I suspect they sub-contracted this to someone else, leaving them to do the clanky, electromechanical bits (which can still be a PITA to get right).
If I'm right they have no one in house who understood what a s**tstorm this could cause.
But now they are about to find out.
Saturday 29th July 2017 06:41 GMT John Smith 19
"Probably give 'em a wide berth from now on."
Well that's the thing.
99% of the time going through a car wash will result in the outside of your car being cleaned and nothing else.
Unfortunately there is no sign on them that lights up saying "Now under remote control of homicidal nutjob, get out" for the other 1%.
Making the whole process a lot more "interesting" than most people would want it to be.
Depending on how widely this is reported in MSM this could do a lot of damage to the mfg reputation.
Which, given they had this information for 2 years, would be well deserved.