
EXCLUSIVE: Two students uncover security bug that could let millions do their laundry for free

A pair of university students say they found and reported a security flaw earlier this year that could allow anyone to avoid paying for laundry provided by more than a million internet-connected laundry machines in residence halls and on college campuses around the world.

Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered would allow anyone to remotely send commands to CSC-powered laundry machines and run laundry cycles for free.

Sherbrooke said he was sitting on the floor of his basement laundry room one January morning with his laptop in hand and “suddenly had an ‘Oh S—’ moment.” From his laptop, Sherbrooke ran a script with instructions telling the machine to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and “Push Start” flashed on its display, indicating the machine was ready to take a load of laundry for free.

In another case, the students added a balance of several million dollars to one of their laundry accounts, which their CSC Go mobile app displayed as if it were a perfectly normal amount of money for a student to spend on laundry.

CSC ServiceWorks is a large laundry service company that promotes a network of more than one million laundry machines installed in hotels, university campuses and residences in the United States, Canada and Europe.

Since CSC ServiceWorks does not have a dedicated security page for reporting security vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form in January but did not receive a response. They said that even a phone call to the company did not help.

The students also sent their findings to Carnegie Mellon University’s CERT Coordination Center, which helps security researchers disclose flaws to affected vendors and provides fixes and guidance to the public.

The students are now revealing more about their findings after waiting longer than security researchers typically grant vendors to fix flaws before making them public. The pair first revealed their research in a presentation to their University Cyber Security Club earlier in May.

It’s unclear who, if anyone, is responsible for cybersecurity at CSC, and CSC representatives did not respond to TechCrunch’s requests for comment.

The student researchers said the vulnerability is in the API used by CSC’s mobile app, CSC Go. An API allows apps and devices to communicate with each other over the Internet. In this case, a customer opens the CSC Go app to top up their account, make a payment and start a laundry cycle at a nearby machine.

Sherbrooke and Taranenko found that CSC’s servers could be tricked into accepting commands that modified their account balances, because the security checks were performed by the app on the user’s device and not by CSC’s servers, which automatically trusted whatever they received. This allowed them to pay for laundry without depositing actual funds into their accounts.

By analyzing the network traffic while logging in and using the CSC Go app, Sherbrooke and Taranenko discovered that they could bypass the app’s security checks and send commands directly to CSC’s servers, including commands that are not available through the app.

Technology vendors like CSC are ultimately responsible for ensuring that their servers perform proper security checks; otherwise it is like a bank vault watched by a guard who doesn’t bother to check who is allowed inside.

The researchers said potentially anyone could create a CSC Go user account and send commands using the API, because the servers do not even check whether new users own their email addresses. The researchers tested this by creating a new CSC account with a made-up email address.
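As an added illustration of the two problems described above (not CSC’s code; the function names, cycle price and sample payment record are hypothetical), here is a toy top-up API: the vulnerable handler accepts whatever balance the client claims, while the hardened one credits only a single-use payment the server itself has verified, refuses accounts whose email is unverified, and decides on the server whether a cycle may start.

```python
# Added example, not CSC's code. Shows why checks done only in the app are
# not enforcement: the server must validate balances and identity itself.
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0


# Constructed sample: payments the processor has confirmed to the server.
VERIFIED_PAYMENTS = {"pay_001": ("alice@example.com", 500)}
CYCLE_PRICE_CENTS = 175  # hypothetical price of one wash


def top_up_vulnerable(acct: Account, request: dict) -> int:
    """Trusts the balance the client sends. Anyone who replays the request
    with an arbitrary 'new_balance' credits themselves for free."""
    acct.balance_cents = int(request["new_balance"])
    return acct.balance_cents


def top_up_hardened(acct: Account, request: dict) -> int:
    """Credits only an amount the server has verified with the payment
    processor, once, and only to the account that actually paid."""
    if not acct.email_verified:
        raise PermissionError("email address not verified")
    payment = VERIFIED_PAYMENTS.pop(request.get("payment_id"), None)  # single use
    if payment is None or payment[0] != acct.email:
        raise PermissionError("no verified payment for this account")
    acct.balance_cents += payment[1]
    return acct.balance_cents


def start_cycle_hardened(acct: Account) -> bool:
    """The server, not the app, decides whether the balance covers a cycle."""
    if not acct.email_verified or acct.balance_cents < CYCLE_PRICE_CENTS:
        return False
    acct.balance_cents -= CYCLE_PRICE_CENTS
    return True
```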

With direct access to the API, and by referring to CSC’s own published list of commands for communicating with its servers, the researchers said it is possible to remotely locate and interact with “every laundry machine on the CSC ServiceWorks connected network.”

In practical terms, free laundry has an obvious appeal. But the researchers stressed the potential dangers of having bulky appliances connected to the Internet and vulnerable to attack. Sherbrooke and Taranenko said they did not know whether sending commands through the API could bypass the safety restrictions built into modern washing machines to prevent overheating and fires. The researchers said that someone would still have to physically press the start button on the washing machine to start a cycle; until then, the settings on the front of the machine cannot be changed unless someone resets it.

CSC quietly wiped the researchers’ multimillion-dollar account balances after they reported their findings, but the researchers said the bug was still not fixed and that it remains possible for users to “freely” give themselves any amount of funds.

Taranenko said he was disappointed that CSC did not acknowledge his vulnerability report.

“I don’t understand how such a big company makes mistakes like this and then has no way to contact them,” he said. “In the worst case, people can easily fill their wallets and the company loses a lot of money. Why not spend minimally on a single monitored security email inbox for this type of situation?”

But the researchers are not discouraged by CSC’s lack of response.

“Since we’re doing this in good faith, I don’t mind waiting a few hours to call their help desk if that will help a company with its security issues,” Taranenko said, adding that it was “fun to do this kind of security research in the real world, not just in simulated competitions.”
