Friday, May 9, 2025

the executive headlines

University Students Discover Security Flaw in CSC ServiceWorks Laundry Machines


Discovery of the Flaw

In early January, Alexander Sherbrooke and Iakov Taranenko, two university students from UC Santa Cruz, discovered a significant security vulnerability in the internet-connected laundry machines managed by CSC ServiceWorks. This flaw allows anyone to remotely command the machines to operate laundry cycles for free. The students stumbled upon this vulnerability while conducting research and immediately recognized its potential for misuse.

 

The Eureka Moment

Sherbrooke described the moment of discovery as surreal. “I was sitting on the floor of my basement laundry room with my laptop and suddenly had an ‘oh s—’ moment,” he recalled. By running a simple script, Sherbrooke was able to instruct the laundry machine to start a cycle despite having no funds in his laundry account. The machine responded instantly, prompting him to “PUSH START” for a free laundry cycle.

 

Exploiting the Flaw

In another experiment, Sherbrooke and Taranenko managed to inflate one of their laundry accounts with several million dollars, a balance that appeared normal in the CSC Go mobile app. This demonstrated the severity of the vulnerability, highlighting that anyone could exploit the flaw to access unlimited laundry services without paying.

 

Reporting the Issue

Despite the critical nature of the discovery, the students found that CSC ServiceWorks did not have a dedicated security reporting page. They attempted to report the flaw through the company’s online contact form and even made a phone call, but they received no response. Frustrated by the lack of acknowledgment, they turned to the CERT Coordination Center at Carnegie Mellon University, which assists in disclosing security vulnerabilities.

 

Public Disclosure

After waiting beyond the typical three-month period that security researchers allow for vendors to address issues, Sherbrooke and Taranenko revealed their findings publicly. They first presented their research at their university's cybersecurity club in May. Their presentation outlined how the vulnerability in the CSC Go app's API allowed them to bypass security checks and send commands directly to CSC’s servers.

 

Technical Details of the Flaw

The flaw lies in the API used by the CSC Go app, which communicates with laundry machines over the internet. When users top up their accounts or start laundry cycles through the app, the API sends commands to CSC's servers. The students discovered that the app performs security checks locally on the user's device, and CSC’s servers automatically trust these checks. By intercepting and manipulating the network traffic, Sherbrooke and Taranenko could bypass the app's security and send unauthorized commands to the servers.
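The trust problem described above, as an added example that is not code from the researchers or from CSC: a handler that accepts the client's own verdict, next to handlers that decide from server-side state only. The field names, the price, the payment IDs and the `Ledger` class are hypothetical.

```python
# Added illustration; every name here is hypothetical, not CSC's real API.
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 175  # constructed price


@dataclass
class Ledger:
    """Server-side source of truth for balances and settled payments."""
    balances: dict = field(default_factory=dict)          # user -> cents
    settled_payments: dict = field(default_factory=dict)  # id -> (user, cents)
    redeemed: set = field(default_factory=set)            # ids already credited


def start_cycle_trusting(ledger, user, request):
    """Flawed pattern: the server accepts a check the client says it ran."""
    if request.get("balance_check_passed"):  # value asserted by the client
        return "PUSH START"
    return "DENIED"


def start_cycle_enforcing(ledger, user, request):
    """Hardened: client claims are ignored; the server debits its own ledger."""
    balance = ledger.balances.get(user, 0)
    if balance < CYCLE_PRICE_CENTS:
        return "DENIED"
    ledger.balances[user] = balance - CYCLE_PRICE_CENTS
    return "PUSH START"


def top_up_enforcing(ledger, user, request):
    """Credit only what the payment processor settled, once per payment."""
    pid = request.get("payment_id")
    record = ledger.settled_payments.get(pid)
    if record is None or record[0] != user or pid in ledger.redeemed:
        return False
    ledger.redeemed.add(pid)
    # The credited amount comes from the settled record, never request["amount"].
    ledger.balances[user] = ledger.balances.get(user, 0) + record[1]
    return True


def demo():
    """Run one constructed, tampered request through each handler."""
    ledger = Ledger(balances={"alice": 0},
                    settled_payments={"pay-1": ("alice", 500)})
    forged = {"balance_check_passed": True, "amount": 10**9, "payment_id": "pay-1"}
    return (start_cycle_trusting(ledger, "alice", forged),
            start_cycle_enforcing(ledger, "alice", forged),
            top_up_enforcing(ledger, "alice", forged),
            ledger.balances["alice"],
            top_up_enforcing(ledger, "alice", forged))
```

The tampered request succeeds only against the trusting handler; the enforcing handlers refuse the cycle on a zero balance, credit the settled 500 cents rather than the claimed amount, and reject a replay of the same payment.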

 

Potential Risks and Impact

While free laundry might seem like a harmless benefit, the researchers emphasized the broader risks. The vulnerability could potentially allow malicious actors to control heavy-duty appliances, posing safety hazards such as overheating and fires. Although the machines require a physical button press to start a cycle, the ability to manipulate settings remotely without oversight is concerning.

 

CSC’s Response and Inaction

Following their report, CSC quietly reset the inflated account balance but did not fix the underlying vulnerability. The lack of response from the company left the students disheartened. Taranenko expressed his frustration, questioning how a company of CSC's size could overlook such critical security flaws and fail to provide a means for reporting them.

 

Moving Forward

Despite the lack of response from CSC, Sherbrooke and Taranenko remain committed to ethical hacking and improving cybersecurity. They believe their efforts, though unacknowledged, highlight the importance of robust security practices in connected devices. Taranenko described the experience as valuable real-world practice, contrasting it with simulated cybersecurity competitions.

 

Conclusion

The discovery by Sherbrooke and Taranenko underscores the vulnerabilities present in IoT devices and the importance of responsive security protocols. Their experience serves as a reminder for companies to maintain open channels for reporting security issues and to take prompt action in addressing them. As technology continues to advance, ensuring the security of interconnected devices will be crucial in preventing exploitation and maintaining user trust.
