It’s not going to slice your head off with a chainsaw, but it’s still a pretty massive vulnerability.
If the WannaCry ransomware attack taught us anything, it’s that a sizable quantity of networked computers are running old, insecure software. You can now add car washes to the list of things vulnerable to a cyberattack.
Security researchers from Whitescope Security and QED Secure Solutions managed to hack into a car wash’s system and convince it to do things that could damage a vehicle and trap its occupants, Vice’s Motherboard reports. They’ll discuss their findings at the Black Hat security conference in Las Vegas this week.
The hack requires, obviously, an automatic car wash that’s connected to the internet — specifically, the PDQ LaserWash. Its system runs on the delightfully vintage Windows CE and contains a web server for remote monitoring and configuration. Trouble is, it’s not entirely secured, thanks to easy-to-guess default passwords, so someone can waltz on in and start sending commands to the wash.
The researchers managed to trick the bay doors into opening and closing with a vehicle underneath, ignoring sensors meant to prevent this and potentially causing damage. Hackers can also access the wash’s arm, which can strike the vehicle or constantly douse a door to prevent an occupant from exiting the vehicle.
Sadly, there’s no video of the hack taking place, because the owners of the car wash denied researchers the ability to post the video online. A spokesman for PDQ told Motherboard that the company is working to fix the security issue. The fix involves firewalling systems and changing default passwords, which is largely on the customer.
Just because your car might be protected against cyber attacks doesn’t mean you’re free and clear of danger. Perhaps it’s best to just hand-wash your car — unless you’re using a Wi-Fi-connected sponge with a default password, of course.