The thought did occur to me to see what happens when I add money to my account, but I didn’t end up trying. There are no API keys or authentication or anything. The only thing you need is a location code which is trivial to get from a proxy.
I imagine it is a low priority. How often does someone try to hack a laundromat?
The whole herd will stay in the fence until a smart cow opens the gate. Then the whole herd gets out.
Once a security vulnerability is found, someone will inevitably write a script, hacking tool, or modified app to abuse the vulnerability. Then everyone can use that tool to exploit the vulnerability.
Being the co-founder and CEO of SmartThings, Alex clearly has an understanding of the IoT space at large. It would make sense then that when CSC ServiceWorks wanted to “modernize” their fleet of washers and dryers that they would pull Alex in to help guide them - providing him with a seat on their board[2]. CSC ServiceWorks is a company that knows how to run laundromats - not a tech company. To avoid having to hire employees and manage the software for a fleet of IoT washers and dryers, CSC ServiceWorks instead contracts a small startup company called BrightAI to develop this IoT solution for them[3@44:30]. Interestingly, Alex is also the founder and CEO of BrightAI[4].
BrightAI CTO, Robert Parker[4], also has a history of dismissing security concerns in IoT, inferring that traditional security practices could be replaced with AI [5@34:30].
The two students here seemed to do everything “right”, from adhering to a disclosure period and even going as far as reporting the issue to the CERT Coordination Center at Carnegie Mellon University. Carnegie Mellon would not have needed to go far to report this to the appropriate parties, given that Alex holds an advisory role at the university[1].
The original reason I went down this whole rabbit hole was after someone tipped me off to how Alex structures these business relationships - I won’t go into this now as it isn’t relevant for this, but maybe someday I’ll get all the thoughts together in a consumable format.
As a little bit of an unrelated "fun fact", according to LinkedIn, a handful of the engineers from OceanGate now work for Alex at BrightAI.
[1]: https://www.crunchbase.com/person/alex-hawkinson
[2]: https://www.cscsw.com/press-release/iot-thought-leader-alex-...
[3]: https://staceyoniot.com/podcast-speed-queens-and-matter-drea...
[4]: https://www.bright.ai/company
[5]: https://appliedai.buzzsprout.com/1101152/10528308-building-i...
If that's the way it can be at a company selling security products, I can only assume it's worse at other companies.
The old "trust the client, no validation on the server" is completely pathetic. It indicates nobody even tried to make the system secure at CSC.
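To make the "trust the client, no validation on the server" pattern concrete from the defender's side, here is an added example that is not from this thread and not CSC's or BrightAI's code. It contrasts a wallet top-up handler that credits whatever amount the client sends, with no caller identity, against one that authenticates the caller, takes the amount only from a payment the processor has confirmed to the server, and credits each payment once. All names, endpoints, payment ids and amounts are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    balance_cents: int = 0


class InsecureWalletService:
    """The anti-pattern: no caller identity, and the credited amount comes
    straight from the client request."""

    def __init__(self):
        self.accounts = {}

    def add_funds(self, request):
        acct = self.accounts.setdefault(request["account_id"], Account())
        # Client-supplied amount is trusted as-is; nothing ties it to a real payment.
        acct.balance_cents += int(request["amount_cents"])
        return acct.balance_cents


class AuthError(Exception):
    pass


class PaymentError(Exception):
    pass


class HardenedWalletService:
    """Server-side control: authenticated caller, amount taken only from a
    payment the processor has confirmed to the server, each payment credited once."""

    def __init__(self, confirmed_payments):
        # confirmed_payments: {payment_id: (account_id, amount_cents)} as reported by the
        # payment processor over a server-to-server channel (constructed stand-in for a
        # processor webhook; in a real system this is populated by that channel, not by clients).
        self.accounts = {}
        self.tokens = {}            # bearer token -> account_id
        self.confirmed = confirmed_payments
        self.credited = set()       # payment_ids already applied (idempotency / replay guard)

    def issue_token(self, account_id):
        # Constructed stand-in for a login flow: an unguessable bearer token bound to one account.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = account_id
        return token

    def add_funds(self, request, bearer_token):
        account_id = self.tokens.get(bearer_token)
        if account_id is None:
            raise AuthError("missing or invalid token")
        payment_id = request.get("payment_id")
        record = self.confirmed.get(payment_id)
        if record is None:
            raise PaymentError("no confirmed payment with that id")
        paid_for, amount_cents = record
        if paid_for != account_id:
            raise PaymentError("payment belongs to a different account")
        if payment_id in self.credited:
            raise PaymentError("payment already credited")
        self.credited.add(payment_id)
        acct = self.accounts.setdefault(account_id, Account())
        # Any "amount_cents" the client included in the request is deliberately ignored.
        acct.balance_cents += amount_cents
        return acct.balance_cents


def attempt(service, request, token):
    """Return the new balance, or the rejection reason, without raising."""
    try:
        return service.add_funds(request, token)
    except (AuthError, PaymentError) as exc:
        return str(exc)


def demo():
    """Same client request against both services (constructed values)."""
    insecure = InsecureWalletService()
    inflated = insecure.add_funds({"account_id": "acct-1", "amount_cents": 1_000_000})
    hardened = HardenedWalletService({"pay-123": ("acct-1", 2000)})
    token = hardened.issue_token("acct-1")
    # The client still claims 1,000,000 cents; the server credits only the confirmed 2000.
    credited = hardened.add_funds({"payment_id": "pay-123", "amount_cents": 1_000_000}, token)
    return inflated, credited


if __name__ == "__main__":
    print(demo())
```

The hardened version moves every trust decision to the server: who the caller is (the token), how much was actually paid (the processor's record), and whether this payment was already applied. Those three checks are what a "validation on the server" review of a top-up endpoint would look for.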