A pair of college students say they found and reported earlier this year a security flaw that allowed anyone to avoid paying for laundry provided by more than a million Internet-connected washing machines in dorms and college campuses around the world.
Months later, the vulnerability remains open after the vendor, CSC ServiceWorks, repeatedly ignored requests to fix the flaw.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to CSC-managed laundry machines and operate laundry cycles for free.
Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours of a January morning with his laptop in hand when he “suddenly had an 'oh s–' moment.” From the laptop, Sherbrooke ran code that told the machine in front of him to start a cycle despite his laundry account holding $0. The machine immediately woke up with a loud beep and displayed “PUSH START” on its screen, indicating that it was ready to wash a free load of clothes.
In another case, the students added an apparent balance of several million dollars to one of their laundry accounts, which the CSC Go mobile app displayed as if it were a perfectly normal amount of money for a student to spend on laundry.
CSC ServiceWorks is a large laundry services company that advertises a network of more than one million laundry machines installed in hotels, university campuses and residences in the United States, Canada and Europe.
Since CSC ServiceWorks does not have a dedicated security page for reporting security vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form during January, but did not receive a response from the company. A phone call to the company also got them nowhere, they said.
The students also submitted their findings to Carnegie Mellon University's CERT Coordination Center, which helps security researchers disclose flaws to affected vendors and publishes fixes and guidance for the public.
The students are now revealing more about their findings after waiting longer than the customary three months that security researchers typically give vendors to fix flaws before making them public. The pair first presented their research at their university's cybersecurity club in early May.
It is unclear who, if anyone, is responsible for cybersecurity at CSC, and CSC representatives did not respond to TechCrunch's requests for comment.
The student researchers said the vulnerability is in the API used by CSC's mobile app, CSC Go. An API allows applications and devices to communicate with each other over the Internet. In this case, the customer opens the CSC Go app to add funds to their account, pay, and start a cycle on a nearby machine.
Sherbrooke and Taranenko discovered that CSC's servers can be tricked into accepting commands that change account balances because the security checks are performed by the app on the user's device, and the servers simply trust whatever the app sends. This let them start laundry cycles without ever putting real funds into their accounts.
By analyzing network traffic while logged in and using the CSC Go app, Sherbrooke and Taranenko found that they could bypass the app's security controls and send commands directly to CSC's servers, including commands that the app itself does not expose.
Technology providers like CSC are ultimately responsible for ensuring that their servers perform the appropriate security checks; otherwise, it is like having a bank vault protected by a guard who does not bother to check who is allowed in.
The researchers said potentially anyone can create a CSC Go user account and send commands through the API, because the servers also do not verify that new users own the email addresses they sign up with. The researchers tested this by creating a new CSC account with a made-up email address.
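The bug class described above, a server that accepts balance and "enough funds" decisions made on the client, is easy to show side by side with the hardened pattern. The following is an added example written for this page; it is not CSC ServiceWorks code and does not reflect the real CSC Go API. The request fields (`action`, `new_balance`, `payment_token`), the in-memory account store, the per-cycle price and the settled-payments table are all assumptions made for illustration.

```python
"""Client-trusted balance (vulnerable) vs. server-derived balance (hardened).

Added example for illustration only. Not CSC ServiceWorks code; every
endpoint name, field name and value here is an assumption.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Account:
    email: str
    email_verified: bool = False          # hardened server requires this
    balance: Decimal = Decimal("0")


PRICE_PER_CYCLE = Decimal("1.75")        # hypothetical price of one wash

# Constructed stand-in for a payment processor's ledger: token -> settled amount.
SETTLED_PAYMENTS = {"tok_abc": Decimal("5.00")}


# --- Vulnerable pattern: the server obeys values the app computed -------------
def vulnerable_handle(account: Account, request: dict) -> dict:
    action = request.get("action")
    if action == "add_funds":
        # The app says what the new balance is; nothing checks that money moved.
        account.balance = Decimal(request["new_balance"])
        return {"ok": True, "balance": str(account.balance)}
    if action == "start_cycle":
        # The "sufficient funds" check lived in the app, so the server never asks.
        return {"ok": True, "machine_state": "PUSH START"}
    return {"ok": False, "error": "unknown action"}


# --- Hardened pattern: every state change is derived from server-side data ----
def verified_payment_amount(payment_token: str) -> Optional[Decimal]:
    """Ask the (stand-in) payment processor what a token actually settled for."""
    return SETTLED_PAYMENTS.get(payment_token)


def hardened_handle(account: Account, request: dict) -> dict:
    # Gate every command on a verified identity, not just a submitted address.
    if not account.email_verified:
        return {"ok": False, "error": "email not verified"}
    action = request.get("action")
    if action == "add_funds":
        # Ignore any client-supplied balance; credit only what actually settled.
        amount = verified_payment_amount(request.get("payment_token", ""))
        if amount is None:
            return {"ok": False, "error": "no settled payment for token"}
        account.balance += amount
        return {"ok": True, "balance": str(account.balance)}
    if action == "start_cycle":
        # The funds check runs here, on server-held state, and debits atomically.
        if account.balance < PRICE_PER_CYCLE:
            return {"ok": False, "error": "insufficient funds"}
        account.balance -= PRICE_PER_CYCLE
        return {"ok": True, "machine_state": "PUSH START",
                "balance": str(account.balance)}
    return {"ok": False, "error": "unknown action"}


if __name__ == "__main__":
    # Constructed requests a modified client could send straight to the API.
    attacker = Account(email="nobody@example.invalid")      # never verified
    print(vulnerable_handle(attacker, {"action": "add_funds",
                                       "new_balance": "3000000"}))
    print(vulnerable_handle(attacker, {"action": "start_cycle"}))
    print(hardened_handle(attacker, {"action": "add_funds",
                                     "new_balance": "3000000"}))
```

The point of the hardened version is not the specific checks but where they run: the balance is a fact the server owns, so the client can only reference a payment the processor already settled, and the affordability test is evaluated against that server-held number at the moment the cycle is started.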
With direct access to the API and CSC's own published list of commands for communicating with its servers, the researchers said it is possible to remotely locate and interact with “every laundry machine on the connected CSC ServiceWorks network.”
In practice, free laundry has obvious appeal. But the researchers emphasized the potential dangers of heavy appliances being connected to the Internet and exposed to attack. Sherbrooke and Taranenko said they did not know whether commands sent through the API can bypass the safety limits built into modern washing machines to prevent overheating and fires. They said someone would still have to physically press the start button on a machine to begin a cycle; until then, the settings on the machine's front panel cannot be changed unless someone resets the machine.
CSC quietly wiped out the researchers' multimillion-dollar account balance after they reported their findings, but the researchers said the bug has not been fixed and it is still possible for users to “freely” give themselves any amount of money.
Taranenko said he was disappointed that CSC did not acknowledge their vulnerability report.
“I just don't understand how a company that big makes those kinds of mistakes and then has no way to contact them,” he said. “In the worst case, people can easily load their wallets and the company loses a lot of money, why not spend a minimum of having a single monitored security email inbox for this type of situation?”
But the researchers are undeterred by CSC's lack of response.
“Since we're doing this in good faith, I don't mind spending a few hours waiting to call their help desk if it could help a company with its security issues,” Taranenko said, adding that it was “fun being able to do this type of security research in the real world and not just in simulated competitions.”