Hackers can now target automatic car washes, potentially damaging cars and trapping occupants inside, according to the research of two IT experts.
Security researchers Billy Rios, the founder of WhiteScope Security, and Jonathan Butts, of QED Secure Solutions, discovered several vulnerabilities in automatic car wash systems and even hacked the widely used PDQ LaserWash system.
Once they got into the system, Rios said they had the ability to cause the car wash to strike the occupant.
Rios and Butts discovered the vulnerability in the PDQ System many years ago, but it took them two years to find a willing car wash owner to let them test it out.
Rios said they notified PDQ about their findings and also submitted their research to the Department of Homeland Security.
“The car wash research shows that there are real safety issues associated with connected devices,” Rios said. “We've written an academic law of Cyber Security Safety that describes some of the safety challenges associated with connected devices.”
Michael Cocanower with itSynergy said the problem is not just with the PDQ LaserWash systems; all automatic car washes connected to the internet are at risk.
“It's one thing that somebody has hacked into my baby camera and they’re watching what’s going on in my house,” Cocanower said. “Now you're talking about an industrial device that has mechanical parts that could actually be used to physically harm somebody.”
Cocanower said people shouldn’t be afraid to use these types of car washes; instead, it’s important to be aware of your surroundings.
“If you're going to a big name car wash, maybe you don't need to worry as much versus if you're going to a little one off in the middle of nowhere that's in a private convenience store.”
PDQ Manufacturing spokesperson Todd Klitzke released the following statement:
“PDQ takes safety and security issues very seriously. We have contacted our customers and distributors to outline steps that should be taken to strengthen their security and significantly reduce the risk of an unlawful intrusion. As we have advised our customers, all systems, especially internet-connected ones, must be configured with security in mind, including by ensuring that the systems are behind a network firewall and all default passwords are changed. Our technical support team is also standing by to support our customers as needed. We are diligently working on a software update, and will collaborate with the Department of Homeland Security’s ICS-CERT on amending its advisory when that update is available.”
“We hope that people understand that there could be safety issues with connected devices,” Rios said. “As we move towards advanced artificial intelligence and robotics, I hope we take some time to think about the implications of what we are doing.”