Thursday, November 21, 2024

University Students Unearth Security Flaw in Global Laundry Service Provider’s System

[Photo: washing machine, grayscale. Photo by Adrienne Andersen on Pexels.com]

In an unexpected twist, two college students have stumbled upon a security vulnerability in the system of a global laundry service provider, CSC ServiceWorks, which could potentially allow millions of people to wash their clothes for free. The company, which boasts a network of more than a million Internet-connected washing machines in residence halls, college campuses and hotels across the United States, Canada and Europe, has yet to address the issue.

UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko discovered the flaw, which allows users to remotely send commands to CSC’s washing machines and run laundry cycles at no cost. Sherbrooke recounted a moment of revelation when he successfully started a laundry cycle from his laptop despite having no funds in his laundry account.

The students were also able to add a multi-million dollar balance to their laundry account, which was reflected in the CSC Go mobile app as if it were a routine student laundry transaction.

The vulnerability lies in the API used by CSC’s mobile app, CSC Go. The app is designed to allow customers to add funds to their account, pay and start a load of laundry on a nearby machine. Sherbrooke and Taranenko found that security checks are performed by the app on the user’s device and are automatically trusted by CSC’s servers. This flaw allows users to trick servers into thinking they have sufficient funds in their accounts, even when this is not the case.
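The pattern described above, a server that accepts the client's own funds check instead of re-checking its ledger, is the general vulnerability class rather than anything specific to CSC Go; the page gives no detail of the actual API. The following is an added illustration, not CSC's code, modelling the flawed handler beside a hardened one for both the "start a cycle" and "add funds" operations. All names (`Ledger`, `start_cycle_*`, `top_up_*`, the receipt lookup, the account ids and amounts) are hypothetical and constructed for the example.

```python
# Added example (hypothetical, not CSC ServiceWorks code): the server-side
# authorization flaw described in the article, beside the corrected pattern.
from dataclasses import dataclass, field

CYCLE_PRICE_CENTS = 175  # hypothetical price of one wash cycle


@dataclass
class Ledger:
    """Server-side source of truth for balances, keyed by account id (in cents)."""
    balances: dict = field(default_factory=dict)

    def balance(self, account_id: str) -> int:
        return self.balances.get(account_id, 0)


def start_cycle_vulnerable(ledger: Ledger, request: dict) -> dict:
    """Flawed pattern: the server trusts the client's claim that it checked the balance.
    The ledger parameter is deliberately unused, which is exactly the problem."""
    if request.get("client_verified_funds") is True:
        return {"started": True}
    return {"started": False, "error": "insufficient funds"}


def start_cycle_hardened(ledger: Ledger, request: dict) -> dict:
    """Corrected pattern: the server re-checks and debits its own ledger;
    nothing in the request body is accepted as proof of funds."""
    account = request["account_id"]
    if ledger.balance(account) < CYCLE_PRICE_CENTS:
        return {"started": False, "error": "insufficient funds"}
    ledger.balances[account] = ledger.balance(account) - CYCLE_PRICE_CENTS
    return {"started": True}


def top_up_vulnerable(ledger: Ledger, request: dict) -> int:
    """Flawed pattern: credits whatever amount the client says it paid."""
    account = request["account_id"]
    ledger.balances[account] = ledger.balance(account) + int(request["amount_cents"])
    return ledger.balance(account)


def top_up_hardened(ledger: Ledger, request: dict, confirmed_payments: dict) -> int:
    """Corrected pattern: credits only an amount the payment processor confirmed
    server-side for this receipt, and consumes the receipt so it cannot be replayed.
    confirmed_payments stands in for a hypothetical lookup against processor records."""
    account = request["account_id"]
    receipt = request.get("receipt_id")
    confirmed = confirmed_payments.get(receipt)
    if confirmed is None or confirmed["account_id"] != account:
        raise PermissionError("no confirmed payment for this receipt")
    ledger.balances[account] = ledger.balance(account) + confirmed["amount_cents"]
    del confirmed_payments[receipt]  # one-time use
    return ledger.balance(account)


def demo() -> dict:
    """Runs both patterns against constructed accounts and returns the outcomes."""
    ledger = Ledger({"student": 0})
    # Empty account, but the client asserts it verified funds.
    vuln_start = start_cycle_vulnerable(
        ledger, {"account_id": "student", "client_verified_funds": True})
    hard_start_empty = start_cycle_hardened(
        ledger, {"account_id": "student", "client_verified_funds": True})
    # Client-asserted top-up of an arbitrary amount (constructed value).
    vuln_balance = top_up_vulnerable(
        ledger, {"account_id": "student", "amount_cents": 1_000_000_00})

    # Hardened flow with a constructed processor confirmation of 500 cents.
    ledger2 = Ledger({"student": 0})
    confirmed = {"rcpt-1": {"account_id": "student", "amount_cents": 500}}
    hard_balance = top_up_hardened(
        ledger2, {"account_id": "student", "receipt_id": "rcpt-1"}, confirmed)
    hard_start = start_cycle_hardened(ledger2, {"account_id": "student"})
    try:
        top_up_hardened(
            ledger2, {"account_id": "student", "receipt_id": "rcpt-1"}, confirmed)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True

    return {
        "vuln_start": vuln_start["started"],
        "hard_start_empty": hard_start_empty["started"],
        "vuln_balance": vuln_balance,
        "hard_balance": hard_balance,
        "hard_start": hard_start["started"],
        "hard_remaining": ledger2.balance("student"),
        "replay_blocked": replay_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is structural rather than a matter of validating input more carefully: the balance check and the debit happen against state the server controls, and a top-up is credited only from a record the payment processor produced, never from a number the client supplied. A detection angle follows from the same idea, since a ledger audit that compares credited amounts against processor records would surface the multi-million-dollar balances the students created.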

The students attempted to alert CSC ServiceWorks of the vulnerability through several channels, including the company’s online contact form and a phone call, but received no response. They also reported their findings to Carnegie Mellon University’s CERT Coordination Center, an organization that assists security researchers in disclosing defects to affected vendors and providing fixes and guidance to the public.

Despite the lack of response from CSC, the students remain undeterred. Taranenko expressed his disappointment at the company’s lack of recognition, stating, “I don’t understand how such a large company makes these kinds of mistakes and then has no way to contact them.” He also highlighted the potential financial loss for the company if users exploited this vulnerability to load their wallets.

While the prospect of free laundry may seem tempting, the students highlighted the potential dangers of having heavy appliances connected to the Internet and vulnerable to attack. They expressed uncertainty as to whether sending commands via the API could bypass the safety restrictions built into modern washing machines to prevent overheating and fires.

At the moment, the security flaw remains unresolved, leaving the door open for tech-savvy individuals to potentially exploit the system.
