Hackers can take over car washes, crush cars with people inside

Rob Waugh

Hackers have demonstrated an attack which would allow them to take over a ‘smart’ car wash – then remote-control it to crush the cars inside.

Speaking at the Black Hat hacker conference in Las Vegas, Billy Rios, founder of security shop Whitescope said, "We think this is the first exploit that causes a connected device to attack someone.

"We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. Car washes are really just industrial control systems.’

The hackers showed off that Laserwash car installations were vulnerable to an attack via the internet – because the machines can be connected so owners can keep an eye of them.

The hackers found that all they needed to do was enter a default password – 12345 – and they could take full control.

The hackers were able to bypass safety sensors, they said.

Rios said, ‘We controlled all the machinery inside the car wash and could shut down the safety systems. You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.’

White Scope security said they had attempted to warn the company who made Laserwash systems two years ago – but they only got a response once they listed the hack as a speech at the Black Hat conference.

PDQ said in a statement, ‘We are aware of the presentation at Black Hat USA 2017, and are diligently working on investigating and remediating these issues.’