If you’ve ever felt a bit uneasy when locked inside of an automatic car wash, your fear may now be justified, as researchers have found a way to the machines.
While there’s plenty of attention focused on possible hacks with vehicles, a group of security researchers has found vulnerabilities in internet-connected, drive-through car washes. According to the researchers, hackers are able to remotely take control of car wash systems and physically attack vehicles. They can, for example, open and close the bay doors on a car wash, trapping vehicles inside, or strike them with the doors, damaging them and possibly injuring occupants inside the vehicles.
The researchers plan on discussing their findings at the Black Hat security conference in Las Vegas. The team, led by Billy Rios who is the founder of Whitescope security, has exposed numerous security flaws over the years including in drug-infusion pumps that deliver medicine to hospital patients and in building systems that control electronic door locks, alarm systems, lights, elevators, and video surveillance cameras.
Rios first became interested in the car washes after hearing from a friend about an incident that occurred years ago. His friend told him technicians misconfigured a car wash, causing the mechanical arm to strike a minivan and douse the family inside with water. Rios then focused on the PDQ LaserWash, a fully-automated, brushless, touchless car wash system that sprays water and wax through a mechanical arm that moves around the vehicle.
Earlier this year, the researchers were able to find a willing car wash in Washington that agreed to cooperate. They wrote a fully automated script that bypassed authentication, monitored when a vehicle is getting ready to exit the wash chamber, and caused the exit door to strike the vehicle at the appropriate time. This was all tested on one of the researcher’s own pickup truck. Their hack also caused the system to ignore safety sensors and they were also able to manipulate the mechanical arm to hit the vehicle or spew water continuously, which would make it difficult for an occupant to leave the vehicle.
Unfortunately, although all of this was captured on video, the car wash owner won’t allow the researchers to publish the video.