A group of computer security experts found that computers powering car washes are publicly reachable on the internet and protected only by simple passwords.
From the Guardian (Article)
“However, there was no need to find and exploit old WinCE holes to remotely break into one of these bad boys. Once the infosec duo had found a suitable car wash connected to the web, the researchers found that the default password – 12345 – just worked. Once logged in from their browser, they were given full control of the system.
From there, they could prod the web app into doing things it really shouldn’t.”
““Car washes are really just industrial control systems. The attitudes of ICS are still in there,” Rios said. “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. We think this is the first exploit that causes a connected device to attack someone.”
In their talk the pair showed how they managed to bypass the safety sensors on the car wash doors to close them on a car entering the washer. Butts told The Register that much more destructive hacks were possible.
“We controlled all the machinery inside the car wash and could shut down the safety systems,” he said. “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.””
More at the Guardian (Article)