EXCLUSIVE: Two students reveal security flaw that could let millions do laundry for free

Two students say they discovered and reported earlier this year a security flaw that allowed anyone to avoid paying for laundry provided by more than a million Internet-connected washing machines in residence halls and college campuses around the world.

Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.

UC Santa Cruz students Alexander Sherbrooke and Yakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to CSC-controlled washing machines and run wash cycles for free.

Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours of a January morning with his laptop in hand when, “all of a sudden,” he had an “oh…” moment. From his laptop, Sherbrooke ran a script that told the machine in front of him to start a cycle, even though he had $0 in his laundry account. The machine immediately woke up with a loud beep and “PUSH START” flashed on the display, indicating that it was ready to run a load of laundry for free.

In another case, the students added an apparent multi-million dollar balance to one of their laundry accounts, which was reflected in their CSC Go mobile app as if it were a perfectly normal amount of money for a student to spend on laundry.

CSC ServiceWorks is a large laundry service company advertising a network of over a million laundry machines installed in hotels, college campuses and residences throughout the United States, Canada and Europe.

Because CSC ServiceWorks does not have a dedicated security page for reporting security vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form in January, but did not hear back from the company. A phone call to the company also turned up nothing, they said.

The students also submitted their findings to Carnegie Mellon University’s CERT Coordination Center, which helps security researchers disclose flaws to affected vendors and provides fixes and guidance to the public.

The students are now revealing more about their findings after waiting longer than the three months that security researchers usually give vendors to fix flaws before going public. The pair first presented their research at their university’s cybersecurity club earlier in May.

It’s unclear who, if anyone, is in charge of cybersecurity at CSC, and CSC representatives did not respond to TechCrunch’s requests for comment.

The student researchers said the vulnerability was in an API used by CSC’s mobile app, CSC Go. An API allows applications and devices to communicate with each other over the Internet. In this case, the customer opens the CSC Go app to top up their account, pay, and start a load of laundry at a nearby machine.

Sherbrooke and Taranenko discovered that CSC’s servers could be tricked into accepting commands that changed their account balances, because all of the security checks were performed by the app on the user’s device and CSC’s servers automatically trusted the results. This allowed them to start laundry cycles without ever putting real funds into their accounts.

By analyzing network traffic while logged in and using the CSC Go app, Sherbrooke and Taranenko discovered they could bypass the app’s security checks and send commands directly to CSC servers that weren’t accessible through the app itself.

Technology providers such as CSC are ultimately responsible for ensuring that their servers perform the correct security checks; otherwise it’s like having a bank vault watched by a guard who doesn’t bother to check who is allowed in.

The researchers said that potentially anyone could create a user account on CSC Go and send commands using the API, since the servers also do not verify that new users own their email addresses. The researchers tested this by creating a new CSC account with a fictitious email address.
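The pattern described in the last few paragraphs, server trusts client-side checks and never verifies email ownership, is sketched below as an added illustration. This is not CSC’s code or API; the service classes, prices, receipt ids and method names are all hypothetical, and the second class shows the checks a hardened server would perform itself.

```python
# Added illustration (not CSC's code): a minimal model of a laundry-payment API.
# VulnerableService mirrors the flaw described in the article: every check is
# done by the client, and the server stores and trusts whatever it is told.
# HardenedService performs the checks server-side. All names are hypothetical.
from dataclasses import dataclass

CYCLE_PRICE_CENTS = 175  # constructed sample price for one wash cycle


@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0


class VulnerableService:
    """Server trusts client-reported balances and 'paid' flags."""
    def __init__(self):
        self.accounts = {}

    def register(self, email):
        self.accounts[email] = Account(email)      # no email-ownership check
        return self.accounts[email]

    def top_up(self, email, client_reported_balance):
        # The app 'checked' the payment; the server just records the number.
        self.accounts[email].balance_cents = client_reported_balance

    def start_cycle(self, email, client_says_paid):
        return bool(client_says_paid)              # ledger is never consulted


class HardenedService:
    """Server credits only processor-verified receipts and checks its own ledger."""
    def __init__(self, processor_receipts):
        self.accounts = {}
        self.receipts = processor_receipts         # receipt id -> cents, from the payment processor
        self.redeemed = set()                      # prevents replaying one receipt

    def register(self, email):
        self.accounts[email] = Account(email)      # unverified until confirm_email()
        return self.accounts[email]

    def confirm_email(self, email):
        self.accounts[email].email_verified = True # set only via a verification link/token

    def top_up(self, email, receipt_id):
        if receipt_id not in self.receipts or receipt_id in self.redeemed:
            return False                           # unknown or already-used receipt
        self.redeemed.add(receipt_id)
        self.accounts[email].balance_cents += self.receipts[receipt_id]
        return True

    def start_cycle(self, email):
        acct = self.accounts[email]
        if not acct.email_verified or acct.balance_cents < CYCLE_PRICE_CENTS:
            return False                           # server decides, not the app
        acct.balance_cents -= CYCLE_PRICE_CENTS
        return True
```

The contrast to look for is in `top_up` and `start_cycle`: the hardened server derives the balance from receipts it can verify with the processor and debits its own ledger, so nothing the client sends can mint funds.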

With direct API access and a reference to CSC’s own published list of commands to communicate with its servers, the researchers said it is possible to remotely locate and interact with “any washing machine in the connected CSC ServiceWorks network.”

Practically speaking, free laundry has an obvious benefit. But the researchers highlighted the potential dangers of having heavy-duty appliances connected to the Internet and vulnerable to attack. Sherbrooke and Taranenko said they didn’t know if sending commands through the API could bypass the safety restrictions that modern washing machines come with to prevent overheating and fires. The researchers said that someone would have to physically press the start button on the washing machine to start a cycle; until then, the settings on the front of the washing machine cannot be changed unless someone resets the machine.

CSC quietly wiped out the researchers’ multimillion-dollar account balance after they reported their findings, but the researchers said the bug remained unfixed and it was still possible for users to “freely” give themselves any amount of money.

Taranenko said he was disappointed that CSC did not acknowledge the vulnerability.

“I just don’t understand how a company this big makes mistakes like this and then has no way of contacting them,” he said. “In the worst case scenario, people could easily strain their wallets and the company could lose a lot of money. Why not spend the bare minimum to have a monitored security inbox for these types of situations?”

But the researchers aren’t fazed by the lack of response from CSC.

“Since we’re doing this in good faith, I don’t mind spending a few hours on hold to call their help desk if it would help a company with its security issues,” Taranenko said, adding that it’s “fun to be able to do this kind of security research in the real world, not just in simulated competitions.”