Two students from the University of California, Santa Cruz have identified a security bug in internet-connected laundry machines that could potentially allow millions of users to conduct laundry services without payment.
This discovery was made by Alexander Sherbrooke and Iakov Taranenko, who explored the application programming interface (API) used by the machines’ associated app, finding that it was possible to execute commands remotely to operate the machines for free and to artificially increase the balance in a user’s laundry account to display millions of dollars.
The vulnerability exists in machines operated by CSC ServiceWorks, a company that claims to have over a million laundry and vending machines in various locations including colleges, multi-housing communities, and laundromats across the United States, Canada, and Europe. The students’ investigation into the machines revealed that the API allowed for unauthorized control and manipulation of the machines, presenting a significant oversight in the security of widely used internet-connected devices.
Despite the seriousness of their findings, Sherbrooke and Taranenko faced challenges in getting the company to acknowledge the issue. They reported the vulnerability to CSC ServiceWorks through emails and a phone call in January, but received no response. It was only after the students contacted TechCrunch that CSC ServiceWorks silently rectified the falsely inflated balances, though the company has not publicly commented on the matter.
Further scrutiny revealed that CSC ServiceWorks had a published list of commands for the API, which according to the students, could potentially allow access to all of CSC’s network-connected laundry machines. This situation underscores ongoing concerns regarding the security of the Internet of Things (IoT), where lax cybersecurity practices can lead to unauthorized access to various connected devices.
The incident highlights the vulnerability of IoT devices to security breaches which, in other cases, have allowed hackers or even company contractors to access sensitive information such as security camera footage or control over smart plugs. Typically, security researchers like Sherbrooke and Taranenko find these vulnerabilities and report them to the respective companies before they are exploited. However, the effectiveness of this process is limited if companies do not respond to such reports.
As of the latest updates, CSC ServiceWorks has not responded to inquiries from media outlets regarding their handling of the security flaw.
Related News:
Featured Image courtesy of vectorjuice on Freepik