TechInternet-connected washing machines flaws expose security lapse

Internet-connected washing machines flaws expose security lapse

Two students discovered a flaw in internet-connected washing machines that allowed for free laundry and account balance manipulation. Despite numerous reports, CSC ServiceWorks has been unable to fix the problem for months. The students emphasize that companies providing such services must pay more attention to security issues.

Internet-connected washing machines flaws expose security lapse
Images source: © Unsplash | Florian Olivo

19 May 2024 22:07

Two students from the University of California, Santa Cruz, Alexander Sherbrooke and Iakov Taranenko, shared their discovery of a security flaw in internet-connected washing machines with TechCrunch. This flaw allows the unrestricted use of over a million washing machines worldwide in dormitories and residential complexes. The error remained unpatched for many months despite reporting the issue to CSC ServiceWorks, the company responsible for the machine's operation. The company ignored requests to fix it.

What was the security flaw in the internet-connected washing machines?

The students discovered that the CSC Go app's API could remotely send commands to the washing machines and manipulate the user’s account balance without adding money. This allowed them to start a wash cycle for free and simulate having millions of pounds in their app account. CSC ServiceWorks, as the service provider, did not correctly check the security on their servers, constituting a severe failure to protect against unauthorised access. Despite attempts to contact and report the issue, the company did not respond to calls to fix the bug.

Unanswered, but hopeful for improvement

Despite no response from CSC ServiceWorks, the students remain hopeful that their discovery will help improve security. They express an understanding of the potential threats posed by the vulnerability of such devices to internet attacks. However, they stress that providers of such technologies should approach the security of their services with greater responsibility. The attitude of the young researchers shows that their commitment to security research has a benevolent goal. It also demonstrates their openness to collaborating with companies to eliminate similar flaws.

With this situation, CSC ServiceWorks must address the reported security issues to ensure its users can use the services offered safely and fairly. This case highlights the need to improve cybersecurity practices in the consumer services sector.

Who are the young researchers who discovered the washing machine security flaw?

As mentioned, the young discoverers are students at the University of California, Santa Cruz. Alexander Sherbrooke is also the creator of the SlugSchedule app, which streamlines the class registration process at the university. The app offers quick course searches, schedule visualization, professor ratings from RateMyProfessors, and real-time tracking of available spots.

Iakov Taranenko is a co-founder of the UCSC Security Club, which organises workshops and cybersecurity competitions. His team took second out of 80 teams in the MITRE Embedded Capture the Flag (eCTF) competition, designing a secure embedded system and analysing and attacking competitors' projects. Additionally, in the NSA Codebreaker Challenge 2022, the UCSC team, including Taranenko, placed third out of 445 universities, solving tasks related to reverse engineering and cyberattack analysis.

Related content
© Daily Wrap
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.