Car wash hack could be the first to cause the Internet of Things to “physically attack someone”

Amid widespread concerns about the security of connected devices, security researchers have demonstrated that internet-connected car washes can be hacked to trap drivers, soak them with water, or even attack them with the wash bay doors, Kim Zetter reports at Motherboard.

Researchers from WhiteScope and QED Secure Solutions found a way to hijack internet-enabled automated car washes and tested their tactic on an actual system, using their own vehicle. The machines, PDQ LaserWashes—increasingly popular in the U.S. in part because they don’t rely upon attendants—run Windows CE and are connected to the internet so technicians can remotely service them. While they require a username and password, the default password is easily guessed, the researchers said. Once in through the web interface, they can take control of the whole system.

The car wash’s software tracks where a carwash is in its cycle, making it easy to know when the wash is about to end and a vehicle to exit. An attacker can send an instantaneous command to close one or both doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times as a driver tries to flee.

They plan to present the attack at this week’s Black Hat security conference in Las Vegas, but say they’ve already shared the details of the vulnerability with the system maker and the Department of Homeland Security. “We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” Billy Rios, the founder of Whitescope security, told Motherboard.SM