This vulnerability allows anyone to bypass the CSC ServiceWorks laundry payment system and use the machines for free! This potentially affects more than a million machines in residences and university campuses around the world. Despite repeated warnings from the students, CSC ServiceWorks has yet to take action to fix this defect.
The dangers of using washing machines
It all started last January, when Alexander Sherbrooke, then in the laundry room of his basement, was experimenting with his laptop and a code script. He quickly realized that he could start a wash cycle without having any credit in his account. Within seconds, the machine beeped and displayed “PUSH START”, indicating that it was ready to operate without payment.
The two students were also able to simulate a million dollar balance in their laundry account via the CSC Go mobile app, a “normal” amount for the app. This manipulation was made possible by a flaw in the application’s API (programming interface), which allows users to trick CSC ServiceWorks servers.
Sherbrooke and Taranenko tried to contact CSC ServiceWorks several times using the company’s online contact form and also by phone, without success. After alerting the CERT Coordination Center at Carnegie Mellon University, an organization that helps security researchers disclose flaws to affected companies and provide fixes to the public.
The students waited more than three months, exceeding the usual period before public disclosure, but received no response from CSC ServiceWorks. Finally, they presented their findings at a meeting of their university cyber security club in early May.
The security flaw discovered by Sherbrooke and Taranenko is in the way the CSC Go application communicates with the company’s servers. Normally, the app allows users to top up their account, pay and start a washing machine nearby. However, security checks are performed by the app on the user’s device and not by CSC’s servers, making it possible to manipulate account balances.
The researchers found that by analyzing network traffic while using the app, they could bypass these checks and send commands directly to CSC’s servers, which would accept them without additional validation. This allows anyone to create a CSC Go user account and manipulate connected washing machines, without the servers checking the new user’s email address.
Both students highlighted the potential dangers of this flaw. If someone can manipulate the washing machine controls, there is a risk that the integrated safety mechanisms to prevent overheating and fire will be bypassed. However, to start a washing cycle, you must always physically press the start button of the machine, which partially limits the risk of abuse.
Despite CSC quietly removing the multi-million dollar balance in their account, the flaw remains unpatched. Taranenko expresses his disappointment at the company’s inaction: ” I don’t understand how such a big company can make such mistakes and not have a way to contact them. »
🟣 To not miss any news on the Journal du Geek, subscribe to Google News. And if you love us, we will a newsletter every morning.