TechInternet-connected washing machine security flaw

Internet-connected washing machine security flaw

Two students discovered a flaw in internet-connected washing machines that allowed for free laundry and account balance manipulation. Despite numerous reports, CSC ServiceWorks did not fix the problem for several months. The students emphasize that companies providing such services must pay more attention to security issues.

Internet-connected washing machine security flaw
Images source: © Unsplash | Florian Olivo

19 May 2024 16:16

Two students from the University of California, Santa Cruz, Alexander Sherbrooke and Iakov Taranenko, shared their discovery of a security flaw in internet-connected washing machines with TechCrunch. This flaw allows the unrestricted use of over a million washing machines worldwide in dormitories and residential complexes. Despite reporting the issue to CSC ServiceWorks, the company responsible for the machine's operation, the error remained unpatched for many months. The company ignored requests to fix it.

What was the security flaw in the internet-connected washing machines?

The students discovered that the CSC Go app's API could remotely send commands to the washing machines and manipulate the user's account balance without adding money. This allowed them to start a wash cycle for free and simulate having millions of dollars in their app account. CSC ServiceWorks, as the service provider, did not correctly check the security on their servers, constituting a severe failure to protect against unauthorized access. Despite attempts to contact and report the issue, the company did not respond to calls to fix the bug.

Unanswered, but hopeful for improvement

Despite no response from CSC ServiceWorks, the students remain hopeful that their discovery will help improve security. They express an understanding of the potential threats posed by the vulnerability of such devices to internet attacks. However, they stress that providers of such technologies should approach the security of their services with greater responsibility. The attitude of the young researchers shows that their commitment to security research has a benevolent goal. It also demonstrates their openness to collaborating with companies to eliminate similar flaws.

Faced with this situation, CSC ServiceWorks must address the reported security issues to ensure its users can use the services offered safely and fairly. This case highlights the need to improve cybersecurity practices in the consumer services sector.

Who are the young researchers who discovered the washing machine security flaw?

As mentioned, the young discoverers are students at the University of California, Santa Cruz. Alexander Sherbrooke is also the creator of the SlugSchedule app, which streamlines the class registration process at the university. The app offers quick course searches, schedule visualization, professor ratings from RateMyProfessors, and real-time tracking of available spots.

Iakov Taranenko is a co-founder of the UCSC Security Club, which organizes workshops and cybersecurity competitions. His team took second out of 80 teams in the MITRE Embedded Capture the Flag (eCTF) competition, designing a secure embedded system and analyzing and attacking competitors' projects. Additionally, in the NSA Codebreaker Challenge 2022, the UCSC team, including Taranenko, placed third out of 445 universities, solving tasks related to reverse engineering and cyberattack analysis.

© Daily Wrap
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.