Hacked and Attacked - Connected Car Wash: Potential Hazards
By Robert Roman
Hacking is when computer experts use their technical knowledge to gain unauthorized access to data in a system. One common form of hacking is jackpotting, also known as a black box attack. This is where an ATM is targeted.
According to tech blog Zero Day Net, criminals use logic attacks and 0-day malware to exploit ATMs. Once a threat actor has established a connection and exploited the system, an ATM can be forced to spew out cash uncontrollably.
To make matters worse, these systems are sometimes compromised and then remotely controlled later when cash mules are waiting to grab the money.
Jackpotting and other forms of hacking have given rise to cyber security measures. For example, a penetration tester is an IT security expert who purposely seeks to breach defenses and exploit weaknesses in a computer system or network. A tester may be an employee, freelancer, or researcher.
Two such researchers are Billy Rios, founder of Whitescope Security, and Jonathan Butts of QED Secure Solutions.
According to tech blog Motherboard, Rios has exposed security problems over the years in drug-infusion pumps, airport x-ray machines, electronic door locks, alarm systems, lights, elevators, and video surveillance cameras.
CAR WASH VULNERABLE
Rios became interested in car washes after hearing about an accident that occurred years ago when technicians misconfigured an in-bay automatic wash in a way that caused the mechanical arm to strike a minivan and douse the family inside with water.
The driver damaged his vehicle as well as the car wash equipment as he accelerated quickly to escape.
Rios and colleagues examined the car wash software and presented findings about potential vulnerabilities at the Kaspersky Security Summit in Mexico in 2015.
Rios believed vulnerabilities would allow someone to hijack the system. However, this theory couldn’t be tested until 2017 when a facility in the State of Washington agreed to cooperate, using the researcher’s own pickup truck as the victim.
The subject car wash was a touchless in-bay equipped with bay doors that can be programmed to automatically open and close at the beginning and end of the day, and a touch-screen menu that allows drivers to choose their service without interacting with any workers.
According to Rios, the system ran on Windows CE and had a built-in web server that let technicians configure and monitor the system over the Internet — and therein lies the problem.
A dedicated hardware firewall is needed to prevent this connection and to also block threats to the open ports on the equipment.
Rios started his investigation by using the Shodan search engine, which looks for devices connected to the Internet such as webcams, printers, industrial control systems, and, in this case, car washes. The researchers found more than 150 of the subject car wash systems online.
SOFTWARE ATTACK SCRIPT
Subsequently, they wrote a fully automated software attack script that bypassed the authentication process and infrared sensors and disabled the software-based safety mechanism that normally prevents the mechanical arm from hitting a vehicle.
So disabled, an attacker could send an instantaneous command to close one or both of the bay doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times or spew water continuously as a driver would try to flee.
The researchers reported these findings to the Department of Homeland Security and the car wash equipment vendor. The findings were also to be released in a report in conjunction with an upcoming Black Hat talk.
Black Hat USA is the world’s leading information-security event, providing attendees with the very latest in research, development, and trends.
A spokesperson for the car wash equipment vendor told Motherboard in an e-mail that it is “aware” of the Black Hat talk and is working on investigating and fixing the security issues with the system.
Following up on this, I found Rios's paper “When IoT Attacks” and a draft copy of the Black Hat presentation, “Understanding the Safety Risk Associated with Connected Devices” by Billy Rios and Jonathan Butts, PhD.
EXTENT OF EXPLOITATION
In their paper, the authors assert that cyber physical systems, including everyday consumer products, are inherently vulnerable to hacking because software is used as a replacement for mechanical functions.
They also introduced the fundamental principle concerning the security and safety of cyber physical systems. The security law states that the mechanical functions of a cyber physical system are bounded only by the physical limits of the hardware components.
The implication of this law is that software that controls mechanical functionality can be manipulated to create any effect possible within the range of the hardware component’s physical capabilities.
In the presentation, the authors explained that they look for devices that are connected to the Internet and are in a public space or accessible to the general public, and at how exploitation of the device can be leveraged to cause a safety concern.
They go on to describe that car wash systems are essentially industrial control systems (ICS) that can be exploited to attack people.
To illustrate, they provided an overview of how researchers remotely exploited an unaltered motor vehicle using less than $16,000 of wiTECH tools. wiTECH is a state-of-the-art diagnostic system that has significantly improved automobile technicians’ efficiency by providing a secure wireless connection to the vehicle.
With such tools and exploit code, all that is required to hack the system and physically attack occupants would be the IP address of the car wash.
Exploitation of the car wash included identifying hardware and software safety mechanisms, authentication bypass, safety signals, and door and arm exploits.
The safety implications were that the researchers could trap an occupant inside the car wash, strike the vehicle or customer with a bay door, and strike the vehicle or customer with an arm.
According to the authors, they believe this to be the first exploit of a connected device that causes the device to physically attack someone.
To paraphrase the car wash equipment spokesperson: All systems — especially Internet-connected ones — must be configured with security in mind.
This includes ensuring that the systems are behind a network firewall and ensuring that all default passwords have been changed.