How Students Hacked into a Million Washing Machines and Didn't Pay a Dime

A vulnerability in the CSC ServiceWorks laundry payment system has raised many questions about the company's security practices.

Alexander Sherbrooke and Yakov Taranenko, students at the University of California, Santa Cruz, found a serious vulnerability in the laundry payment system of CSC ServiceWorks that lets anyone use the machines for free. Despite repeated attempts by the students to contact the company, the problem has still not been fixed. The case was reported by TechCrunch, to which the students described the situation.

In January, Sherbrooke was sitting on the laundry-room floor with his laptop when he realized the scale of the problem. He ran a script that told a machine to begin a cycle even though his account balance was $0. The machine responded immediately with a loud beep and showed itself ready to wash; all that remained was to press "START". In another test, the students added several million dollars to one of their accounts in the CSC Go mobile app.

CSC ServiceWorks operates more than a million laundry machines in hotels, universities and residential complexes worldwide. The company has no dedicated page for reporting vulnerabilities, so the students sent messages through the feedback form on its website. They also telephoned the company, but every attempt to reach CSC was unsuccessful.

The students submitted their findings to the CERT Coordination Center at Carnegie Mellon University, which helps researchers report vulnerabilities to vendors and coordinate fixes. More than three months have passed, and the problem remains unresolved. The research was presented at the university's cybersecurity club meeting in early May.

It was also noted that CSC publishes a list of commands that allow connecting to any of its network-connected washing machines.

It is unclear who is responsible for cybersecurity at CSC, and company representatives did not respond to TechCrunch's inquiries. The vulnerability lies in the API behind the CSC Go mobile app, which lets users top up their accounts and start laundry cycles. The students found that CSC's servers could be tricked by sending commands that change an account balance, because the security checks are performed on the user's device rather than on the server.

By analyzing the app's network traffic, the students were able to bypass its client-side checks and send commands directly to CSC's servers, which allowed them to run laundry without adding any real money to an account. In addition, CSC's servers do not verify that a newly created account belongs to a real person, so fake accounts can be created freely.

The researchers warn that a vulnerability of this kind could have serious consequences, especially where attackers can reach heavy equipment connected to the Internet. Although a button on the machine must be physically pressed to start a wash cycle, the machine's settings can still be reset remotely.

After the vulnerability was reported, CSC wiped the balances on the students' accounts but did not fix the underlying problem. Taranenko expressed disappointment that the company ignored their warnings.

"I am surprised that such a large company makes such mistakes and does not have a way to communicate about security issues. In the worst-case scenario, people will be able to add large amounts of money to their accounts, and the company will lose a lot of money. Why not create at least one mailbox for such messages?" said Taranenko.

The students say that, despite the lack of response from CSC, they have not lost their enthusiasm and are prepared to wait for the support team to respond.
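As an added illustration of the bug class described in the article (not code from CSC or from the researchers), the hypothetical Python sketch below contrasts a payment API in which the app decides whether a wash has been paid for and reports its own balance, with a server that keeps the only authoritative ledger, credits an account only after a payment processor confirms a single-use token, and refuses unverified sign-ups. Every class, endpoint, price, machine ID and token here is invented.

```python
"""Hypothetical laundry-payment API illustrating client-side authorization.

Added example, not CSC's code: every endpoint, field, price and token is
invented. The VulnerableServer mirrors the three weaknesses the article
describes; the HardenedServer shows the server-side checks that close them.
"""
from dataclasses import dataclass
from decimal import Decimal

CYCLE_PRICE = Decimal("2.50")  # hypothetical price of one wash cycle


@dataclass
class Account:
    balance: Decimal = Decimal("0")


class VulnerableServer:
    """Unverified sign-up, a balance the app may set, and a start command
    whose 'has paid' decision was made on the phone."""

    def __init__(self):
        self.accounts = {}

    def create_account(self, user):
        # No check that a real person is behind the account.
        self.accounts[user] = Account()
        return "created"

    def sync_balance(self, user, balance_from_app):
        # The app reports its own idea of the balance; the server records it.
        self.accounts[user].balance = Decimal(balance_from_app)
        return self.accounts[user].balance

    def start_cycle(self, user, machine_id, app_says_paid):
        # The server never consults its own ledger; it relays the app's verdict.
        if app_says_paid:
            return f"{machine_id}: cycle started"
        return f"{machine_id}: denied"


class PaymentProcessor:
    """Stand-in for a card processor: maps single-use tokens to settled amounts."""

    def __init__(self, settled):
        self._settled = dict(settled)

    def settle(self, token):
        # Pops the token so a captured token cannot be replayed for a second credit.
        return self._settled.pop(token, None)


class HardenedServer:
    """Same API surface, but the server is the only authority on money."""

    def __init__(self, processor):
        self.accounts = {}
        self.processor = processor

    def create_account(self, user, identity_verified):
        if not identity_verified:
            return "denied: identity not verified"
        self.accounts[user] = Account()
        return "created"

    def top_up(self, user, payment_token):
        # Credit only what the processor confirms; any amount the app sends is ignored.
        amount = self.processor.settle(payment_token)
        if amount is None:
            return "denied: payment not settled"
        self.accounts[user].balance += amount
        return f"credited {amount}"

    def start_cycle(self, user, machine_id):
        acct = self.accounts.get(user)
        if acct is None:
            return f"{machine_id}: denied: unknown account"
        if acct.balance < CYCLE_PRICE:
            return f"{machine_id}: denied: insufficient funds"
        acct.balance -= CYCLE_PRICE  # the debit happens here, not in the app
        return f"{machine_id}: cycle started"


def run_demo():
    """Replays the same attacker moves against both servers; returns the outcomes."""
    out = {}
    v = VulnerableServer()
    v.create_account("nobody")  # fake account, nothing verified
    out["vuln_free_wash"] = v.start_cycle("nobody", "W-101", app_says_paid=True)
    out["vuln_balance"] = v.sync_balance("nobody", "5000000")  # millions, for free

    h = HardenedServer(PaymentProcessor({"tok-abc": Decimal("10.00")}))
    out["hard_fake_signup"] = h.create_account("nobody", identity_verified=False)
    out["hard_unknown"] = h.start_cycle("nobody", "W-101")
    h.create_account("alice", identity_verified=True)
    out["hard_wash_unpaid"] = h.start_cycle("alice", "W-101")
    out["hard_bad_token"] = h.top_up("alice", "tok-forged")
    out["hard_good_token"] = h.top_up("alice", "tok-abc")
    out["hard_wash_paid"] = h.start_cycle("alice", "W-101")
    out["hard_replay"] = h.top_up("alice", "tok-abc")  # captured token reused
    out["hard_balance"] = h.accounts["alice"].balance
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is that a client-side check is only a hint: anything the app computes (the balance it displays, a "paid" flag, the top-up amount) can be replaced by whoever captures the traffic, so the server must own the ledger, accept only processor-settled single-use tokens, and debit at the moment it issues the start command.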