
Stick to the hand wash

Beware of the killer car wash

Anything which is connected to the internet is open to being hacked, but a demonstration at Black Hat (think TED Talks for hackers) has potentially opened up a whole new world of pain for motorists.

Two cybersecurity experts, Jonathan Butts of the International Federation for Information and fellow researcher Billy Rios of online security firm Whitescope, presented a talk on how they hacked an internet-enabled carwash.

PDQ, a company based in Wisconsin, USA, make the Laserwash system, which is used extensively throughout the States. Owners of the carwash can use a web-based interface to monitor and control the machinery.


The system is built on WinCE, which is no longer supported by Microsoft, and Rios and Butts figured it could be easily manipulated. The duo claimed PDQ ignored the issues despite being warned about the flaws in their system as far back as 2015.

In the event, Rios and Butts didn’t have to work too hard to make their point, as they hacked into a carwash which still had the default password of 12345.

Once inside the system they could do as they wished, with Rios saying: “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash.” Nice.

The pair also said they could control the roller arms to potentially crush a car.  Unsurprisingly, PDQ have been a little tight-lipped about the whole episode.

There is no statement on their website, and certainly not on their blog, which has been updated five times in two years, but, to be fair, there is a warning on their front page about ensuring secure firewalls are set up and changing the default password.

Change your passwords, people

Indeed, the big thing to take away from this whole episode, apart from the scary thought that killer carwashes could actually be a thing, is to change the default password on every internet-enabled device you have.

Honestly, if your password is 12345 you deserve to get hacked, whether the password is protecting your bank account (please no), your baby monitor or the PDQ carwash you’ve installed in the garage.


Craig Ellyard

Token old guy in the office and lifelong Hull City fan with all the psychological issues that brings. To relax I enjoy walking my two Labradors, as well as running and cycling.
