A pair of university students say they found and reported earlier this year a security flaw that allows anyone to avoid paying for laundry services provided by more than a million internet-connected laundromats in residences and college campuses around the world.
Months later, the vulnerability remains open after the vendor, CSC ServiceWorks, ignored repeated requests to fix the flaw.
UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to send remote commands to washing machines operated by CSC and run free laundry cycles.
Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours of a morning in January with his laptop in hand and “all of a sudden he had an ‘ouch’ moment.” From his laptop, Sherbrooke ran a code script with instructions that told the machine in front of him to start a cycle, even though he had $0 in his account at the laundromat. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating that the machine was ready to wash a free load of laundry.
In another instance, students added an apparent multimillion-dollar balance to one of their laundry accounts, which is reflected in CSC Go mobile app as if it was a perfectly normal amount of money for a student to spend at the laundromat.
CSC ServiceWorks is a large laundry service company, advertising a network over one million laundry machines installed in hotels, campuses and residences in the United States, Canada and Europe.
Since CSC ServiceWorks does not have a dedicated security page for reporting security vulnerabilities, Sherbrooke and Taranenko sent the company several messages through its online contact form in January, but did not hear back from the company. A call to the company got them nowhere, they said.
The students also sent their findings to the CERT Coordination Center at Carnegie Mellon University, which helps security researchers uncover flaws in affected vendors and provide fixes and guidance to the public.
The students are now revealing more about their findings after waiting longer than the usual three months security researchers typically give vendors to fix flaws before going public. The pair first revealed their research in a presentation at their university cyber security club earlier in May.
It’s unclear who, if anyone, is responsible for cybersecurity at CSC, and CSC representatives did not respond to TechCrunch’s requests for comment.
The student researchers said the vulnerability is in the API used by CSC’s mobile app, CSC Go. An API allows applications and devices to communicate with each other over the Internet. In this case, the customer opens the CSC Go app to top up their account with money, pay and start a laundry load at a nearby machine.
Sherbrooke and Taranenko discovered that CSC’s servers can be tricked into accepting commands that modify their account balances because any security checks are done by the app on the user’s device and automatically trusted by CSC’s servers. This allows them to pay for laundry without actually putting money into their accounts.
By analyzing network traffic while online and using the CSC Go app, Sherbrooke and Taranenko found that they could bypass the app’s security checks and send commands directly to CSC’s servers, which are not available through the app itself.
Technology vendors like CSC are ultimately responsible for making sure their servers run the right security checks, otherwise it’s akin to a bank vault protected by a guard who doesn’t bother to check who’s allowed in.
The researchers said that potentially anyone can create a CSC Go user account and send commands using the API, because the servers also don’t check whether new users have their email addresses. The researchers tested this by creating a new CSC account with a fabricated email address.
With direct API access and reference to CSC its own published list of commands for communicating with its serversthe researchers said it is possible to remotely locate and interact with “any washing machine in the connected CSC ServiceWorks network.”
Practically, free washing has an obvious advantage. However, the researchers highlighted the potential dangers of heavy-duty devices being connected to the internet and vulnerable to attack. Sherbrooke and Taranenko said they didn’t know whether sending commands through the API could bypass safety restrictions on modern washing machines to prevent overheating and fires. The researchers said that someone would have to physically press the washer’s start button to start a cycle, until then the settings on the front of the washer can’t be changed unless someone resets the washer.
CSC quietly wiped out the researchers’ multimillion-dollar account balance after they reported their findings, but the researchers said the bug remains unfixable and it’s still possible for users to “freely” give themselves any amount of money.
Taranenko said he was disappointed that CSC did not recognize their vulnerability.
“I just don’t understand how a company this big makes these kinds of mistakes, then has no way to contact them,” he said. “Worst case scenario, people can easily load their wallets and the company loses a ton of money, so why not spend the bare minimum to have a single security inbox that’s monitored for these types of situations?”
But researchers are undeterred by the lack of response from the CSC.
“Since we’re doing this in good faith, I don’t mind spending a few hours on hold to call the help desk if it would help a company with their security issues,” Taranenko said, adding that it was “fun to do this kind of safety research in the real world and not just in simulated competitions’.
