College student discovers security bug in laundry service that lets millions do their laundry for free



CSC ServiceWorks, which provides internet-connected laundry services to homes and college campuses around the world, has been found to have a security bug in its service that could allow anyone to bypass laundry fees. The bug was reported to CSC ServiceWorks in early 2024, but the company has not fixed it, and it remains unfixed at the time of writing.

Two Santa Cruz students uncover security bug that could let millions do their laundry for free | TechCrunch
https://techcrunch.com/2024/05/17/csc-serviceworks-free-laundry-million-machines/



CSC ServiceWorks is a major laundry service company with a network of over one million washing machines installed in hotels, universities, and homes in the United States, Canada, and Europe. Alexander Sherbrooke and Yakov Taranenko, students at the University of California, Santa Cruz, have discovered a bug in the laundry service of CSC ServiceWorks. By exploiting this bug, anyone can remotely send commands to CSC ServiceWorks washing machines and operate them for free.

According to Sherbrooke and Taranenko, the bug lies in an API that lets CSC GO, the mobile app used to access CSC ServiceWorks' laundry services, communicate with washing machines over the internet. By analyzing network traffic while using the CSC GO app, they found that the app's security checks could be bypassed and that commands not exposed by the app itself could be sent directly to the server.

According to Sherbrooke and Taranenko, the CSC GO app performs its security checks on the device, and the server simply trusts the app's result, so it appears easy to trick the server into accepting commands that change the account balance.



By exploiting this bug, Sherbrooke was able to create code that could run a washing machine even if the balance of the CSC ServiceWorks laundry service account was zero. In addition, the same bug was used to fraudulently add funds to the CSC ServiceWorks laundry service account.

Sherbrooke and Taranenko tried to report the bug to CSC ServiceWorks, but the company did not have a page for reporting security vulnerabilities, so they ended up contacting CSC ServiceWorks about the bug several times through the company's online contact form. However, since they received no response from CSC ServiceWorks, the two tried to call CSC ServiceWorks directly to report the bug, but this call also did not go through. Therefore, Sherbrooke and Taranenko ultimately reported the bug to CSC ServiceWorks via Carnegie Mellon University's CERT Coordination Center. However, at the time of writing, CSC ServiceWorks had not fixed the bug in question.

According to Sherbrooke, the CSC ServiceWorks server does not even check whether the email address of a new user is already in use. Therefore, potentially anyone can create a CSC GO user account and send commands using the API. In fact, Sherbrooke and his colleagues have created new CSC GO accounts using fictitious email addresses.
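The two design flaws described above (a server that trusts the app's own checks, and registration without an email uniqueness check), as an added illustration that is neither CSC ServiceWorks' code nor the researchers' code: a toy in-memory ledger with the weak handler beside a server-authoritative one. Account ids, the cycle price and the request field names are assumptions.

```python
# Added example, not CSC ServiceWorks' code: contrasts a server that trusts the
# client's own "checks" with one that treats its own ledger as authoritative.
from dataclasses import dataclass, field

CYCLE_PRICE = 175  # cents; constructed value, not a real CSC price


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # account -> balance in cents
    emails: set = field(default_factory=set)      # registered addresses


def start_cycle_trusting_client(ledger, request):
    """Weak pattern: the app says it already verified the balance and the server
    believes it. A request built outside the app simply sets the flag itself."""
    if request.get("client_checked_balance"):
        return "started"
    return "denied"


def start_cycle_server_checked(ledger, request):
    """Hardened pattern: the server ignores any balance or 'checked' flag sent by
    the client and decides from the authenticated account id and its own ledger."""
    account = request["account"]
    balance = ledger.balances.get(account, 0)
    if balance < CYCLE_PRICE:
        return "denied"
    # Debit before the machine is told to run (in a real service, atomically).
    ledger.balances[account] = balance - CYCLE_PRICE
    return "started"


def add_funds(ledger, account, cents, payment_confirmed):
    """Top-ups are applied only on the server's own confirmation from the payment
    processor, never because the client asserts that money was paid."""
    if not payment_confirmed or cents <= 0:
        return False
    ledger.balances[account] = ledger.balances.get(account, 0) + cents
    return True


def register(ledger, email):
    """Server-side uniqueness check that the article says is missing."""
    key = email.strip().lower()
    if key in ledger.emails:
        return False
    ledger.emails.add(key)
    ledger.balances.setdefault(key, 0)
    return True
```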



'I don't understand why such a big company would make such a mistake and not provide a way to contact them about the problem,' Taranenko said. 'The worst-case scenario is that the company would suffer huge losses due to unauthorized replenishment of funds in the account. I would recommend setting up a security email reception desk for this kind of situation, at a minimum cost.'

The biggest obstacle to using the bug to do free laundry using CSC ServiceWorks' laundry service is that you have to physically press the power button on the washing machine.

in Security, Posted by logu_ii