Washing Machine Jailbreak Takes Millions Of Coin-Op Machines To The Cleaners

Students discover vulnerability in laundry machine software for free washes
Looking to get some laundry done on the cheap, or better yet for free? It turns out that a security flaw in the back-end systems of a popular internet-connected laundry machine vendor could let anyone skip the fee for washing or drying clothes. The vulnerability was reported to the vendor months ago and remains unfixed, so anyone unscrupulous can abuse it at will.

In January, UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko, curious and security-minded, were experimenting with laundry machines, believed to be at their university, operated by a company called CSC ServiceWorks. In the course of that tinkering, Sherbrooke found he could start a machine despite having no funds in his account. The pair went further and added a balance of several million dollars to their laundry accounts, which then showed up in their CSC Go mobile app.

The students subsequently reported the vulnerabilities to the company by email, since CSC ServiceWorks has no dedicated page for reporting security vulnerabilities. They also contacted the CERT Coordination Center at Carnegie Mellon University for help with responsible disclosure. According to TechCrunch, the students have yet to hear back from CSC ServiceWorks by email or by phone, the latter of which they also tried.

After waiting three months before publishing, Sherbrooke and Taranenko have gone public with their findings, which they first presented at their university's cybersecurity club in May. It turns out that the authentication checks for the CSC Go API are performed only in the mobile app itself; the servers trust whatever arrives, assuming it has already been authenticated, so anyone who talks to the API directly instead of through the app can skip those checks entirely. Setting aside this particular laundry machine instance, the case raises concerns about IoT products in general and about large networks of interconnected devices like this one. What's next, dumping all the cans out of a soda machine because they're all networked? The Magic 8 Ball says potentially.
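As an added illustration (not code from the article, from the researchers, or from CSC ServiceWorks, whose actual API is not described here), the following Python models the flaw class just described: a server that accepts the client's own claims about identity, authentication state and balance, next to a version that establishes all three server-side and credits funds only from a receipt the client cannot forge. Every class, field, machine name, price, password and secret below is hypothetical.

```python
# Added example, not code from the article or from CSC ServiceWorks.
# Models the flaw class described above: the client app performs the
# "authentication" and the server trusts whatever the request claims.
# All names, fields, prices and secrets are hypothetical/constructed.
import hmac
import hashlib
import secrets

PRICE_CENTS = {"washer-12": 175, "dryer-7": 150}  # constructed machine table


class VulnerableLaundryServer:
    """Server that trusts client-asserted identity, auth state and amounts."""

    def __init__(self):
        self.balance_cents = {"alice": 300, "bob": 0}  # constructed accounts

    def add_funds(self, request):
        # BUG: user and amount come straight from the request body.
        self.balance_cents[request["user"]] += request["amount_cents"]
        return self.balance_cents[request["user"]]

    def start_cycle(self, request):
        # BUG: "authenticated" is a flag the app sets on itself; anyone who
        # talks to the API directly just sets it to True. No balance check.
        if not request.get("authenticated"):
            return "denied"
        return f"started {request['machine']}"


class HardenedLaundryServer:
    """Identity from a server-issued session; balance and price server-side."""

    def __init__(self, payment_secret: bytes):
        self.balance_cents = {"alice": 300, "bob": 0}
        self.passwords = {"alice": "hunter2", "bob": "correcthorse"}  # toy only
        self.sessions = {}  # token -> user, held server-side
        self.payment_secret = payment_secret  # shared with processor, never the app
        self.seen_receipts = set()  # replay protection for credits

    def login(self, user, password):
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def _user(self, request):
        return self.sessions.get(request.get("token"))

    def add_funds(self, request):
        """Credit only what a processor-signed receipt attests, and only once."""
        user = self._user(request)
        if user is None:
            return "unauthenticated"
        receipt = request["receipt"]
        msg = f"{receipt['id']}|{receipt['user']}|{receipt['amount_cents']}".encode()
        mac = hmac.new(self.payment_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, receipt["mac"]) or receipt["user"] != user:
            return "bad receipt"
        if receipt["id"] in self.seen_receipts:
            return "replayed"
        self.seen_receipts.add(receipt["id"])
        self.balance_cents[user] += receipt["amount_cents"]
        return self.balance_cents[user]

    def start_cycle(self, request):
        user = self._user(request)
        if user is None:
            return "unauthenticated"
        price = PRICE_CENTS.get(request.get("machine"))
        if price is None:
            return "unknown machine"
        if self.balance_cents[user] < price:
            return "insufficient funds"
        self.balance_cents[user] -= price
        return f"started {request['machine']}"


def sign_receipt(secret, receipt_id, user, amount_cents):
    """What the hypothetical payment processor would send; the app cannot forge it."""
    msg = f"{receipt_id}|{user}|{amount_cents}".encode()
    return {"id": receipt_id, "user": user, "amount_cents": amount_cents,
            "mac": hmac.new(secret, msg, hashlib.sha256).hexdigest()}


def demo():
    # Attacker with an empty account talks to the API directly, not via the app.
    forged = {"user": "bob", "authenticated": True, "machine": "washer-12",
              "amount_cents": 1_000_000_000}
    v = VulnerableLaundryServer()
    v_results = (v.start_cycle(forged), v.add_funds(forged))

    secret = b"processor-shared-secret"
    h = HardenedLaundryServer(payment_secret=secret)
    h_results = (h.start_cycle(forged),)  # no server-issued token
    token = h.login("bob", "correcthorse")
    h_results += (h.start_cycle({"token": token, "machine": "washer-12"}),)
    bad = {"token": token, "receipt": {"id": "r1", "user": "bob",
                                       "amount_cents": 1_000_000_000, "mac": "00"}}
    h_results += (h.add_funds(bad),)
    good = {"token": token, "receipt": sign_receipt(secret, "r2", "bob", 500)}
    h_results += (h.add_funds(good), h.add_funds(good),
                  h.start_cycle({"token": token, "machine": "washer-12"}))
    return v_results, h_results


if __name__ == "__main__":
    print(demo())
```

The vulnerable server starts a cycle for an empty account and credits a billion cents because the request body itself carries the "authenticated" flag, the user id and the amount. The hardened server rejects the same request outright, refuses to start a cycle the account cannot pay for, ignores a receipt whose MAC does not verify, credits a genuine receipt exactly once, and only then starts the machine and debits the price it holds server-side.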