Two students find security bug that could allow millions of people to do laundry for free



A security flaw could allow millions of college students to do laundry for free, thanks to one company. The cause is a vulnerability that two students at the University of California, Santa Cruz found in Internet-connected washing machines in commercial use in several countries, according to TechCrunch.

The two students, Alexander Sherbrooke and Iakov Taranenko, apparently exploited an API in the machines’ application to do things like remotely command them to work without payment and update a laundry bill to show that there were millions of dollars in it. The company that owns the machines, CSC ServiceWorks, claims to have more than a million washing machines and vending machines in service at colleges, multi-housing communities, laundry facilities and more across the US, Canada and Europe.

CSC never responded when Sherbrooke and Taranenko reported the vulnerability via email and phone call in January, TechCrunch writes. Despite this, the students told the outlet that the company “quietly eliminated” their fake millions after they contacted it.

The lack of response led them to tell others about their findings. Among them: the company has a published list of commands that, the two told TechCrunch, allows connection to all CSC networked washing machines. CSC ServiceWorks did not immediately respond to On the edge’s request for comment.

The CSC vulnerability is a good reminder that the security situation in the Internet of Things is not yet resolved. In the case of the exploit the students uncovered, perhaps CSC assumed the risk, but in other cases, lax cybersecurity practices have made it possible for hackers or contractors to view strangers’ security camera footage or gain access to smart outlets.

Often, security researchers find these security flaws and report them before they can be exploited in the wild. But that doesn’t help if the company responsible for them doesn’t respond.


