Internet-connected washing machine security flaw
Two students discovered a flaw in internet-connected washing machines that allowed for free laundry and account balance manipulation. Despite numerous reports, CSC ServiceWorks did not fix the problem for several months. The students emphasize that companies providing such services must pay more attention to security issues.
Two students from the University of California, Santa Cruz, Alexander Sherbrooke and Iakov Taranenko, shared their discovery of a security flaw in internet-connected washing machines with TechCrunch. This flaw allows the unrestricted use of over a million washing machines worldwide in dormitories and residential complexes. Despite reporting the issue to CSC ServiceWorks, the company responsible for the machine's operation, the error remained unpatched for many months. The company ignored requests to fix it.
What was the security flaw in the internet-connected washing machines?
The students discovered that the CSC Go app's API could remotely send commands to the washing machines and manipulate the user's account balance without adding money. This allowed them to start a wash cycle for free and simulate having millions of dollars in their app account. CSC ServiceWorks, as the service provider, did not correctly check the security on their servers, constituting a severe failure to protect against unauthorized access. Despite attempts to contact and report the issue, the company did not respond to calls to fix the bug.
Unanswered, but hopeful for improvement
Despite no response from CSC ServiceWorks, the students remain hopeful that their discovery will help improve security. They express an understanding of the potential threats posed by the vulnerability of such devices to internet attacks. However, they stress that providers of such technologies should approach the security of their services with greater responsibility. The attitude of the young researchers shows that their commitment to security research has a benevolent goal. It also demonstrates their openness to collaborating with companies to eliminate similar flaws.
Faced with this situation, CSC ServiceWorks must address the reported security issues to ensure its users can use the services offered safely and fairly. This case highlights the need to improve cybersecurity practices in the consumer services sector.
Who are the young researchers who discovered the washing machine security flaw?
As mentioned, the young discoverers are students at the University of California, Santa Cruz. Alexander Sherbrooke is also the creator of the SlugSchedule app, which streamlines the class registration process at the university. The app offers quick course searches, schedule visualization, professor ratings from RateMyProfessors, and real-time tracking of available spots.
Iakov Taranenko is a co-founder of the UCSC Security Club, which organizes workshops and cybersecurity competitions. His team took second out of 80 teams in the MITRE Embedded Capture the Flag (eCTF) competition, designing a secure embedded system and analyzing and attacking competitors' projects. Additionally, in the NSA Codebreaker Challenge 2022, the UCSC team, including Taranenko, placed third out of 445 universities, solving tasks related to reverse engineering and cyberattack analysis.