Laundry Hack: College Students Figure Out How to Wash for Free!

Santa Cruz, California – Two students at the University of California, Santa Cruz discovered a security vulnerability in internet-connected commercial washing machines, potentially allowing millions of college students to do their laundry for free. Alexander Sherbrooke and Iakov Taranenko exploited an API in the machines’ app to remotely command them to work without payment and manipulate a laundry account to show a balance of millions of dollars.

The machines are owned by CSC ServiceWorks, a company with over a million laundry and vending machines in service across colleges, multi-housing communities, laundromats, and more in the US, Canada, and Europe. Sherbrooke and Taranenko reported the vulnerability to CSC, but the company did not respond initially. After the students contacted it, however, CSC quietly corrected the false balances in their accounts.

Frustrated by the lack of response from CSC, the students shared their findings, revealing that the company had a published list of commands that allowed access to all of CSC’s network-connected laundry machines. This incident highlights the ongoing security challenges posed by the Internet of Things.

The students’ discovery underscores the risks posed by lax cybersecurity practices, which not only enable free laundry but also open the door for potential hackers to access sensitive information or control smart devices. Security researchers play a crucial role in identifying and reporting these vulnerabilities before they are exploited in dangerous ways.

While some companies take swift action to address security issues, others may not respond promptly or adequately, leaving consumers at risk of exploitation. The incident with CSC ServiceWorks serves as a reminder of the importance of proactive cybersecurity measures and prompt responses to security vulnerabilities in IoT devices.