Two university students say they discovered and reported a security flaw earlier this year that allowed anyone to avoid paying for laundry provided by more than a million internet-connected washing machines in residence halls and on college campuses around the world.
Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to patch the flaw.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to CSC-managed washing machines and run cycles for free laundry.
Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours of a January morning, laptop in hand, when he “suddenly had an ‘oh s…’ moment.” From his laptop, Sherbrooke ran a script with instructions telling the machine in front of him to start a cycle despite his having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its screen, indicating that it was ready to wash a free load of laundry.
In another case, the students added an apparent multi-million dollar balance to one of their laundry accounts, which their CSC Go mobile app displayed as if it were a perfectly normal amount of money for a student to spend on laundry.
CSC ServiceWorks is a leading laundry services company, boasting a network of more than one million washing machines installed in hotels, college campuses and residences throughout the United States, Canada and Europe.
Because CSC ServiceWorks does not have a dedicated security page for reporting vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form in January but have not heard back. A phone call to the company got them nowhere either, they said.
The students also sent their findings to Carnegie Mellon University’s CERT Coordination Center, which helps security researchers disclose vulnerabilities to affected vendors and provide fixes and guidance to the public.
The students are now revealing more of their findings after waiting longer than the three months security researchers typically give vendors to patch flaws before making them public. The two first revealed their research during a presentation to their university’s cybersecurity club earlier in May.
It’s unclear who, if anyone, is responsible for cybersecurity at CSC, and CSC representatives did not respond to TechCrunch’s requests for comment.
The student researchers said the vulnerability lies in the API used by CSC’s mobile app, CSC Go. An API lets apps and devices communicate with each other over the internet. In this case, the customer opens the CSC Go app to top up their account with funds, then pays for and starts a load of laundry on a nearby machine.
Sherbrooke and Taranenko discovered that CSC’s servers could be tricked into accepting commands that change an account balance, because all security checks are performed by the app on the user’s device and the CSC servers simply trust the result. This allowed them to pay for laundry without ever putting real funds into their accounts.
By analyzing network traffic while logged in to and using the CSC Go app, Sherbrooke and Taranenko found that they could bypass the app’s security checks and send commands directly to CSC’s servers, which are not available through the app itself.
Technology providers like CSC are ultimately responsible for ensuring their servers perform appropriate security checks; otherwise, it’s like having a bank vault protected by a guard who doesn’t bother to check who is allowed in.
The researchers said anyone can create a CSC Go user account and send commands using the API, because the servers also don’t check whether new users actually own the email addresses they sign up with. The researchers tested this by creating a new CSC account with a made-up email address.
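The server-side trust problem the researchers describe (balance-changing commands accepted on the app’s say-so, and accounts created without proving ownership of the email address) can be shown in a few lines. The following is an added example written for this page, not code from the article, TechCrunch, or CSC ServiceWorks, and it models no real CSC endpoint: the Backend class, request fields, machine id, price list and payment receipts are all constructed. It pairs handlers that trust the client with handlers that repeat each check on the server.

```python
# Added illustration, not code from the article, TechCrunch, or CSC ServiceWorks.
# It models the failure the researchers describe: a backend that trusts checks
# done inside the client app, beside one that repeats every check server-side.
# The Backend class, machine id, price and receipt store are all constructed.
from dataclasses import dataclass, field
import secrets

MACHINE_PRICE_CENTS = {"washer-1": 175}  # server-side price list (constructed)


@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0


@dataclass
class Backend:
    accounts: dict = field(default_factory=dict)          # email -> Account
    sessions: dict = field(default_factory=dict)          # token -> email
    unspent_receipts: dict = field(default_factory=dict)  # receipt id -> cents the processor confirmed

    def register(self, email: str) -> Account:
        return self.accounts.setdefault(email, Account(email))

    def confirm_email(self, email: str) -> None:
        self.accounts[email].email_verified = True

    def login(self, email: str) -> str:
        # Hardened paths need a session, and a session needs a verified address.
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            raise PermissionError("email address not verified")
        token = secrets.token_hex(16)
        self.sessions[token] = email
        return token


# Vulnerable pattern: the app decided, the server merely records the outcome.
def top_up_vulnerable(backend: Backend, request: dict) -> int:
    acct = backend.register(request["email"])          # any address, no ownership check
    acct.balance_cents = request["new_balance_cents"]  # client-chosen balance stored as-is
    return acct.balance_cents


def start_cycle_vulnerable(backend: Backend, request: dict) -> str:
    # The server believes the app's claim that payment succeeded.
    return "PUSH START" if request.get("client_says_paid") else "INSUFFICIENT FUNDS"


# Hardened pattern: identity, amounts and balances are all verified on the server.
def _caller(backend: Backend, request: dict) -> Account:
    email = backend.sessions.get(request.get("session"))
    if email is None:
        raise PermissionError("not authenticated")
    return backend.accounts[email]


def top_up_hardened(backend: Backend, request: dict) -> int:
    acct = _caller(backend, request)
    # Credit only what the payment processor confirmed, once per receipt;
    # the client never supplies the amount.
    cents = backend.unspent_receipts.pop(request.get("receipt_id"), None)
    if cents is None:
        raise ValueError("unknown or already redeemed receipt")
    acct.balance_cents += cents
    return acct.balance_cents


def start_cycle_hardened(backend: Backend, request: dict) -> str:
    acct = _caller(backend, request)
    price = MACHINE_PRICE_CENTS.get(request.get("machine_id"))
    if price is None:
        raise ValueError("unknown machine")
    if acct.balance_cents < price:  # the server, not the app, checks the balance
        return "INSUFFICIENT FUNDS"
    acct.balance_cents -= price     # debit before the machine is released
    return "PUSH START"


def _rejected(fn, exc) -> bool:
    """True if fn() raises exc; shows what the hardened server refuses."""
    try:
        fn()
    except exc:
        return True
    return False


def demo() -> dict:
    """Runs both patterns on constructed requests and returns what each allowed."""
    weak = Backend()
    out = {
        "weak_balance": top_up_vulnerable(
            weak, {"email": "nobody@example.invalid", "new_balance_cents": 1_000_000_000}),
        "weak_start": start_cycle_vulnerable(weak, {"client_says_paid": True}),
    }
    strong = Backend()
    strong.register("student@example.invalid")
    out["unverified_login_rejected"] = _rejected(
        lambda: strong.login("student@example.invalid"), PermissionError)
    strong.confirm_email("student@example.invalid")
    token = strong.login("student@example.invalid")
    strong.unspent_receipts["rcpt-001"] = 500  # processor confirmed a $5.00 payment
    out["strong_balance"] = top_up_hardened(strong, {"session": token, "receipt_id": "rcpt-001"})
    out["receipt_replay_rejected"] = _rejected(
        lambda: top_up_hardened(strong, {"session": token, "receipt_id": "rcpt-001"}), ValueError)
    out["forged_start_rejected"] = _rejected(
        lambda: start_cycle_hardened(strong, {"session": "bogus", "machine_id": "washer-1"}),
        PermissionError)
    out["strong_start"] = start_cycle_hardened(strong, {"session": token, "machine_id": "washer-1"})
    out["strong_balance_after"] = strong.accounts["student@example.invalid"].balance_cents
    return out


if __name__ == "__main__":
    print(demo())
```

Running the module prints what each pattern allowed: the trusting handlers accept a client-chosen balance and a client-asserted payment, while the hardened ones refuse an unverified address, a replayed receipt and a forged session, and debit the real price before the machine is released.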
With direct access to the API and CSC’s own published list of commands for communicating with its servers, the researchers said it is possible to remotely locate and interact with “each washing machine on the CSC ServiceWorks connected network.”
In practice, free laundry has an obvious appeal. But the researchers highlighted the potential dangers of having heavy-duty appliances connected to the internet and vulnerable to attack. Sherbrooke and Taranenko said they don’t know whether sending commands through the API can bypass the safety restrictions built into modern washing machines to prevent overheating and fires. The researchers said someone would still have to physically press the start button on the washing machine to begin a cycle; meanwhile, the settings on the front of the machine cannot be changed unless someone resets it.
CSC quietly wiped the researchers’ account balance of millions of dollars after they reported their findings, but the researchers said the bug is still not fixed and it is still possible for users to “freely” give themselves any amount of money.
Taranenko said he was disappointed that CSC did not acknowledge their vulnerability.
“I just don’t understand how a company this big makes these kinds of mistakes and then has no way of contacting them,” he said. “Worst case scenario, people can easily fill their wallets and the company loses a ton of money. Why not dedicate at least one monitored security inbox for this type of situation?”
But the researchers are not deterred by CSC’s lack of response.
“As we are doing this in good faith, I don’t mind spending a few hours waiting to call their help desk if it can help a company with their security issues,” Taranenko said, adding that it was “fun to be able to do this type of security research in the real world and not just in simulated competitions.”