Two UC Santa Cruz student researchers, Alexander Sherbrooke and Iakov Taranenko, found a security flaw that puts over a million laundry machines operated by CSC ServiceWorks at risk of giving away free laundry cycles, TechCrunch reports.
Typically, people who want to use the company's services install its CSC Go app on their phone, load a balance, and start a laundry cycle on a nearby machine. Anyone with the required knowledge can exploit the bug to get free laundry by remotely sending commands to the internet-connected machines operated by the 90-year-old company in residences, hotels, and college campuses across the US, Canada, and Europe.
It all started earlier this year, in January, when Sherbrooke was sitting in his basement laundry room with his laptop during the early hours. With no balance in his account, he ran a script that commanded the machine in front of him to run a laundry cycle, and it worked. The students were also able to add millions of dollars to one of their laundry accounts, and the balance showed up in the CSC Go app.
According to the student duo, the company continues to ignore the bug's existence and their requests to fix it. They tried to reach CSC ServiceWorks in January through multiple channels, sending several messages through its online contact form and making a phone call that went unanswered.
The company doesn't have a dedicated security page for reporting vulnerabilities. While it didn't respond to the student researchers, CSC ServiceWorks did delete the massive account balance after they reported their findings.
However, the bug remains unfixed, and they can still add any amount of money. It's not known whether the company is working on a fix internally.
According to the duo, the vulnerability lies in an API used by the mobile app (the interface through which apps and devices talk to each other over the internet). They found they could send commands to CSC's servers directly, bypassing the app's security checks.
The student researchers told the publication that it's possible to find and interact with virtually "every laundry machine on the CSC ServiceWorks connected network" by exploiting direct access to the API and a publicly available list of server commands published by the company.
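The bug class the duo describe, an API whose balance and ownership checks live only in the client app, modelled in Python as an added example (this is not CSC's code; the account, session token and payment receipt values are constructed): the vulnerable handlers accept whatever the caller sends, while the hardened ones repeat every check on the server.

```python
# Hypothetical model of a command API whose checks were left to the mobile
# app. Not CSC ServiceWorks' code; all identifiers and amounts are made up.
from dataclasses import dataclass

CYCLE_PRICE_CENTS = 250


@dataclass
class Account:
    owner: str
    balance_cents: int = 0


class LaundryApi:
    def __init__(self):
        self.accounts = {"acct-1": Account("alice", 500)}      # constructed
        self.sessions = {"tok-alice": "alice"}                  # constructed
        self.paid_receipts = {"rcpt-9": ("acct-1", 1000)}       # settled payments
        self.cycles_started = []

    # Vulnerable: the app checked balance and ownership, the server did not,
    # so a direct API caller gets a cycle or a balance for free.
    def start_cycle_vulnerable(self, account_id, machine_id):
        self.cycles_started.append(machine_id)
        return True

    def add_balance_vulnerable(self, account_id, amount_cents):
        self.accounts[account_id].balance_cents += amount_cents
        return self.accounts[account_id].balance_cents

    # Hardened: the server authenticates the session, confirms the account
    # belongs to that user, and only credits balance against a settled receipt.
    def start_cycle(self, session_token, account_id, machine_id):
        acct = self._authorize(session_token, account_id)
        if acct is None or acct.balance_cents < CYCLE_PRICE_CENTS:
            return False
        acct.balance_cents -= CYCLE_PRICE_CENTS
        self.cycles_started.append(machine_id)
        return True

    def add_balance(self, session_token, account_id, receipt_id):
        acct = self._authorize(session_token, account_id)
        receipt = self.paid_receipts.pop(receipt_id, None)      # single use
        if acct is None or receipt is None or receipt[0] != account_id:
            return None
        acct.balance_cents += receipt[1]
        return acct.balance_cents

    def _authorize(self, session_token, account_id):
        user = self.sessions.get(session_token)
        acct = self.accounts.get(account_id)
        return acct if user is not None and acct is not None and acct.owner == user else None
```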
Security researchers typically wait three months before making their findings public. The student duo said they waited longer than that before presenting their findings at the university's cybersecurity club earlier this month. They also shared their findings with the CERT Coordination Center at Carnegie Mellon University, which provides guidance and helps security researchers disclose vulnerabilities to vendors.
Source: TechCrunch