Killer car washes


I’ve just been listening to an interview held at the recent Black Hat Conference in Las Vegas with Billy Rios, the CEO of Whitescope. Rios talks about the possibility of someone hacking into a carwash, for example, and taking it over to use it to attack people. Sounds rather like something that Stephen King might write.

Publicly available machinery such as a carwash is designed with a lot of safeguards built in so that it doesn’t, for example, slam the door down on a car entering the wash, or hit it with the overhead arms. Now, assuming the carwash is connected to the internet, it probably wouldn’t be too difficult to hack into it; carwashes are not generally considered to be in the same category as banks and nuclear power stations when it comes to security requirements. Once inside, you could presumably switch off the various safeguards, assuming they are software controlled, and then proceed to do all those things which I’ve just mentioned.

While you could probably damage the car and give the occupant a nasty shock, it’s unlikely that you could use a carwash to seriously hurt somebody. Nevertheless, a prankster could cause a lot of public alarm if this were done to several carwashes in succession.

I don’t know much about carwashes, but I guess that internet connectivity can be useful for remote monitoring so that a technician knows when it’s time to make a service call. However, anything connected to the internet always faces the possibility of being hacked. There are two main points of weakness. The first is that the designers of relatively benign and simple systems such as carwashes are unlikely to provide any sophisticated security measures. The second is that system access will probably be password protected, and the manufacturers will usually install the system with a simple password such as admin or 12345, with the expectation that the operators will quickly change it. However, if the operators neglect to do this, then the system is wide open to being hacked.

This is a common problem with much of the Internet of Things. Connection to the internet is convenient, but unless good security measures are in place there is always a possibility of being hacked. And until those measures are in place I would think that connecting everything to the internet just because you can may need some rethinking. Look before you leap.

Carwash software presumably consists of at least two components. One of these will be the actual system controller and the other will be the monitoring & reporting software. (There may be other components, but they aren’t relevant here.) While the monitoring & reporting software may need to be connected to the internet, the controller software does not. After all, carwash operation is always local; no-one sends their car to the carwash under remote control. So here’s a suggestion: airgap the controller software from the monitoring & reporting software so that the controller software is not connected to the internet. Certainly, this would probably make the overall system a little more complex and a little costlier, but in an installation which is expected to be in constant revenue-earning operation for at least ten years this is unlikely to be a big deal.

But what it will do is to make the carwash virtually hack-proof.
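
The two weaknesses named above (a factory-default password left in place, and a controller that can be reached from the internet) can both be checked against an installation's inventory. The following Python audit is an added example, not code from the original post or from any carwash vendor; the component names, credentials and flow lists are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory: component names and credentials are
# hypothetical, not taken from any real carwash product.
COMPONENTS = {
    "controller": {"password": "admin"},
    "monitoring": {"password": "S7!kq-long-unique"},
}
DEFAULT_PASSWORDS = {"admin", "12345"}  # the two defaults named in the post

# Allowed network flows as (source, destination) pairs. Constructed samples.
FLAT_DESIGN = [
    ("internet", "monitoring"),
    ("monitoring", "controller"),  # monitoring host can talk to the controller
]
AIRGAPPED_DESIGN = [
    ("internet", "monitoring"),    # controller has no network flow at all
]


def reachable_from(source, flows):
    """Return every zone reachable from `source` by following allowed flows."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit(components, flows):
    """List findings: default passwords and internet exposure of the controller."""
    findings = []
    for name, cfg in sorted(components.items()):
        if cfg["password"] in DEFAULT_PASSWORDS:
            findings.append(f"{name}: factory-default password still set")
    if "controller" in reachable_from("internet", flows):
        findings.append("controller: reachable from the internet")
    return findings


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_DESIGN), ("airgapped", AIRGAPPED_DESIGN)):
        print(label, audit(COMPONENTS, flows))
```

The reachability check is transitive, so a controller that only talks to the monitoring host is still flagged when that host is itself exposed to the internet.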