Two research students at the University of California at Santa Cruz, Alexander Sherbrooke and Yakov Taranenko, discovered a vulnerability in the CSC GO Laundry mobile service of the CSC ServiceWorks laundry network, which allows you to use washing machines for free an unlimited number of times.
Users who want to use laundry services should install the CSC Go app on their smartphone, top up their balance, and only then can they start the washing cycle on the CSC ServiceWork washing machine. This company has been offering laundry services in residential buildings, hotels, and college campuses in the United States, Canada, and Europe for more than 90 years.
It all started in January of this year, when Sherbrooke was sitting in the basement laundry room with his laptop in the early hours of the morning. With no funds in the account, he tried to run a script that allowed the washing machine to remotely activate a new washing cycle, and it worked. The machine immediately woke up with a loud beep and the message "PRESS START" appeared on the display, indicating that the machine is ready for free laundry.
In addition, students were able to use the script to change the balance of up to one million dollars to one of their accounts in the CSC Mobile Go app. Moreover, the system did not have any restrictions on this balance, as if this is a completely normal amount of money that a student can spend on laundry.
According to the students, CSC ServiceWorks still ignores the existence of this vulnerability and rejects requests for the need to fix it. In early January, students tried to contact CSC ServiceWorks through several channels, such as sending several messages via an online feedback form and making a phone call that went unanswered.
It turned out that CSC ServiceWorks does not have a special page on the site where you can report security vulnerabilities. Although CSC ServiceWorks did not respond to the research students, it took the incident into account and deleted the million-dollar account balance after the students reported their discovery.
According to the researchers, the vulnerability is still not fixed, and they can add any amount of money to their balance. It is not known whether anyone at CSC ServiceWorks is working to fix this issue internally.
According to the students, this vulnerability exists in the API used by the mobile app, which helps devices and apps communicate with each other over the Internet. They found that they can send the necessary commands (replenishment of the balance, activation of the washing machine) through a script directly to the CSC servers, bypassing the security checks of the mobile application.
The researchers said that potentially anyone can create a CSC Go user account and send commands using the API, since the servers also do not check whether new users belong to their email addresses. Students tested this by creating a new CSC account with a fictitious email address.
Student researchers told the media that this vulnerability allows you to find and interact with almost "every washing machine on the network connected to CSC ServiceWorks", using direct access to the API and a publicly available list of server commands published earlier by the company in the public domain.
Security researchers usually wait three months before releasing their findings on vulnerabilities. The students said they waited longer, but the company didn't respond. Students submitted the incident report to the CERT Coordination Center at Carnegie Mellon University, which provides recommendations and helps security researchers transmit bug data and disclose vulnerabilities in collaboration with the security departments of companies where the problem was discovered.
From a practical point of view, free laundry has an obvious advantage. But the researchers emphasized the potential danger of having powerful home appliances connected to the Internet and vulnerable to attacks. Sherbrooke and Taranenko said they don't know if sending commands via the API can circumvent the security restrictions that modern washing machines are equipped with to prevent overheating and fires. The researchers said that someone will have to physically press the start button of the washing machine to start the cycle; until then, the settings on the front panel of the washing machine cannot be changed unless someone restarts the machine.
Taranenko told the media that he was disappointed that CSC did not recognize their vulnerability. "I just don't understand how such a large company makes such mistakes, and then has no way to contact them. In the worst case scenario, people can easily top up their wallets, and the company will lose a lot of money. Why not spend at least one controlled email mailbox for this kind of situation," the student told the media.
But researchers are not intimidated by the lack of a response from CSC. "Since we do this in good faith, I don't mind spending a few hours waiting for a call to the support service, if it helps the company solve security problems," Taranenko said, adding that he will continue to be interested in being able to conduct this kind of security research in the real world, and not just in simulators.
Users who want to use laundry services should install the CSC Go app on their smartphone, top up their balance, and only then can they start the washing cycle on the CSC ServiceWork washing machine. This company has been offering laundry services in residential buildings, hotels, and college campuses in the United States, Canada, and Europe for more than 90 years.
It all started in January of this year, when Sherbrooke was sitting in the basement laundry room with his laptop in the early hours of the morning. With no funds in the account, he tried to run a script that allowed the washing machine to remotely activate a new washing cycle, and it worked. The machine immediately woke up with a loud beep and the message "PRESS START" appeared on the display, indicating that the machine is ready for free laundry.
In addition, students were able to use the script to change the balance of up to one million dollars to one of their accounts in the CSC Mobile Go app. Moreover, the system did not have any restrictions on this balance, as if this is a completely normal amount of money that a student can spend on laundry.
According to the students, CSC ServiceWorks still ignores the existence of this vulnerability and rejects requests for the need to fix it. In early January, students tried to contact CSC ServiceWorks through several channels, such as sending several messages via an online feedback form and making a phone call that went unanswered.
It turned out that CSC ServiceWorks does not have a special page on the site where you can report security vulnerabilities. Although CSC ServiceWorks did not respond to the research students, it took the incident into account and deleted the million-dollar account balance after the students reported their discovery.
According to the researchers, the vulnerability is still not fixed, and they can add any amount of money to their balance. It is not known whether anyone at CSC ServiceWorks is working to fix this issue internally.
According to the students, this vulnerability exists in the API used by the mobile app, which helps devices and apps communicate with each other over the Internet. They found that they can send the necessary commands (replenishment of the balance, activation of the washing machine) through a script directly to the CSC servers, bypassing the security checks of the mobile application.
The researchers said that potentially anyone can create a CSC Go user account and send commands using the API, since the servers also do not check whether new users belong to their email addresses. Students tested this by creating a new CSC account with a fictitious email address.
Student researchers told the media that this vulnerability allows you to find and interact with almost "every washing machine on the network connected to CSC ServiceWorks", using direct access to the API and a publicly available list of server commands published earlier by the company in the public domain.
Security researchers usually wait three months before releasing their findings on vulnerabilities. The students said they waited longer, but the company didn't respond. Students submitted the incident report to the CERT Coordination Center at Carnegie Mellon University, which provides recommendations and helps security researchers transmit bug data and disclose vulnerabilities in collaboration with the security departments of companies where the problem was discovered.
From a practical point of view, free laundry has an obvious advantage. But the researchers emphasized the potential danger of having powerful home appliances connected to the Internet and vulnerable to attacks. Sherbrooke and Taranenko said they don't know if sending commands via the API can circumvent the security restrictions that modern washing machines are equipped with to prevent overheating and fires. The researchers said that someone will have to physically press the start button of the washing machine to start the cycle; until then, the settings on the front panel of the washing machine cannot be changed unless someone restarts the machine.
Taranenko told the media that he was disappointed that CSC did not recognize their vulnerability. "I just don't understand how such a large company makes such mistakes, and then has no way to contact them. In the worst case scenario, people can easily top up their wallets, and the company will lose a lot of money. Why not spend at least one controlled email mailbox for this kind of situation," the student told the media.
But researchers are not intimidated by the lack of a response from CSC. "Since we do this in good faith, I don't mind spending a few hours waiting for a call to the support service, if it helps the company solve security problems," Taranenko said, adding that he will continue to be interested in being able to conduct this kind of security research in the real world, and not just in simulators.
