Two enterprising students from the University of California at Santa Cruz have recently uncovered a major security flaw within CSC ServiceWorks washing machines that could potentially allow for unlimited free laundry cycles. Alexander Sherbrooke and Iakov Taranenko, the intrepid duo behind this discovery, detailed their findings to TechCrunch, shedding light on how a vulnerability in the API used by CSC Go, the company’s mobile app, could be exploited by sending remote commands to the laundry machines.
The flaw came to light when Sherbrooke ran a script instructing a machine to run a cycle while his account had a balance of $0. Much to his amazement, the laundry machine sprang to life, prompting the bewildered customer to push the start button and commence the cycle. Taking their experiment a step further, the students then inflated their laundry accounts by an exorbitant amount totaling several million dollars, all made possible by the CSC Go mobile app.
Upon discovering this vulnerability, Sherbrooke and Taranenko promptly reached out to CSC ServiceWorks to report their findings. However, their attempts to contact the company through its online contact form and by phone were met with silence, leaving the students with no choice but to go public. Standard industry practice is to allow vendors three months to address security vulnerabilities; given the lack of response from CSC ServiceWorks, the pair disclosed the issue to the broader community after an extended period of waiting.
Dark Reading’s inquiries to CSC ServiceWorks also went unanswered. Sherbrooke and Taranenko authored a blog post for Slug Security that gives a more detailed technical account of their findings and of the challenges they encountered in reporting the bug.
The students expressed their cautious approach to disclosing the vulnerability, emphasizing their desire to follow the proper protocols to avoid potential legal repercussions. Concerned about the implications of confronting a multi-million dollar company without proper documentation, they sought the assistance of Carnegie Mellon University’s CERT Coordination Center to facilitate communication with the vendor. Unfortunately, their attempts to engage with CSC ServiceWorks through CERT’s portal were met with indifference, further complicating the resolution process.
Following the disclosure of their findings, CSC ServiceWorks took action to reset the students’ inflated account balances. However, the underlying vulnerabilities in the system remain unresolved, posing a potential financial risk to the company. Taranenko highlighted the need for a more robust security protocol, suggesting the establishment of a monitored security email inbox to address similar issues promptly and efficiently.
As the students continue to advocate for improved security measures within CSC ServiceWorks’ infrastructure, the cybersecurity community awaits further developments. Until a comprehensive solution is implemented, the potential for exploitation and financial loss remains, underscoring the importance of proactive security measures in safeguarding against such threats.
