
“University Students Discover Security Flaw Allowing Free Laundry, Vendor Ignores Fix Requests”

Security researchers at UC Santa Cruz, Alexander Sherbrooke and Iakov Taranenko, discovered a security flaw in the API of the CSC Go mobile app, which allows users to remotely operate laundry machines run by CSC ServiceWorks. The vulnerability enables anyone to send commands to the laundry machines and operate laundry cycles for free. Despite reporting the flaw to CSC ServiceWorks earlier this year, the company has failed to fix the issue.

Sherbrooke and Taranenko stumbled upon the vulnerability while sitting in their basement laundry room. Sherbrooke ran a script instructing a laundry machine to start a cycle despite having no funds in his laundry account. The machine immediately started washing a load of laundry for free. They even added several million dollars to one of their laundry accounts, which the CSC Go app displayed as a normal balance.

CSC ServiceWorks is a large laundry service company with over a million laundry machines installed worldwide. The students attempted to contact the company through its online contact form and via phone, but received no response. They also reported their findings to the CERT Coordination Center at Carnegie Mellon University.

The vulnerability lies in the API used by CSC’s mobile app. The app lets users top up their accounts, pay, and start laundry loads on nearby machines. The researchers found that CSC’s servers can be tricked into accepting commands that modify account balances, because the servers trust the security checks performed inside the app instead of enforcing them themselves. As a result, a user can pay for laundry without ever adding real funds to an account.

Sherbrooke and Taranenko analyzed network traffic while using the CSC Go app and found they could bypass the app’s security checks and send commands directly to CSC’s servers. They believe that potentially anyone can create a CSC Go account and use the API to send commands because the servers do not check if new users own their email addresses. With access to the API and CSC’s list of commands, it is possible to locate and interact with every laundry machine on CSC’s network.
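The two weaknesses described above, a server that takes the client's own "payment checked" claims at face value and an account system that never confirms the user controls the email address, are a general pattern, not something specific to laundry machines. The following is an added illustration, written for this page and not CSC's code or API (nothing here assumes anything about how CSC Go actually works): a hypothetical balance service in its insecure form beside a server-authoritative version in which balances only change from payments the server itself confirms, debits happen server-side, and unverified accounts cannot act. The `FakePaymentProcessor` and all account names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    email_verified: bool = False
    balance_cents: int = 0


class InsecureLaundryService:
    """Mirrors the weakness described in the article: the server lets the
    client decide balances and whether a cycle has been paid for."""

    def __init__(self):
        self.accounts = {}

    def register(self, email):
        # No proof that the caller controls this email address.
        self.accounts[email] = Account(email)

    def set_balance(self, email, new_balance_cents):
        # The client reports a balance and the server simply stores it.
        self.accounts[email].balance_cents = new_balance_cents
        return self.accounts[email].balance_cents

    def start_cycle(self, email, price_cents, client_says_paid):
        # The app's own "payment checked" flag is taken at face value;
        # the stored balance is never consulted or debited.
        return bool(client_says_paid)


class FakePaymentProcessor:
    """Constructed stand-in for a card processor: the server asks it to
    confirm a receipt and never credits an account on the client's word."""

    def __init__(self, receipts):
        self._receipts = dict(receipts)   # receipt_id -> amount in cents
        self._consumed = set()

    def confirm(self, receipt_id):
        if receipt_id not in self._receipts:
            raise PermissionError("unknown receipt")
        if receipt_id in self._consumed:
            raise PermissionError("receipt already used")   # blocks replay
        self._consumed.add(receipt_id)
        return self._receipts[receipt_id]


class HardenedLaundryService:
    """Server-authoritative version: balances change only through confirmed
    payments and server-side debits; unverified accounts cannot act."""

    def __init__(self, processor):
        self.accounts = {}
        self.pending_tokens = {}
        self.processor = processor

    def register(self, email):
        self.accounts[email] = Account(email)
        token = secrets.token_urlsafe(16)
        self.pending_tokens[token] = email
        return token   # a real deployment sends this to the address out-of-band

    def verify_email(self, token):
        email = self.pending_tokens.pop(token, None)
        if email is None:
            raise PermissionError("bad or expired verification token")
        self.accounts[email].email_verified = True

    def _account(self, email):
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            raise PermissionError("account missing or email unverified")
        return acct

    def top_up(self, email, receipt_id):
        acct = self._account(email)
        amount = self.processor.confirm(receipt_id)   # server verifies the charge
        acct.balance_cents += amount
        return acct.balance_cents

    def start_cycle(self, email, price_cents):
        acct = self._account(email)
        if acct.balance_cents < price_cents:
            raise PermissionError("insufficient funds")
        acct.balance_cents -= price_cents   # the debit happens server-side
        return acct.balance_cents


if __name__ == "__main__":
    svc = HardenedLaundryService(FakePaymentProcessor({"rcpt-1": 500}))
    token = svc.register("student@example.edu")
    svc.verify_email(token)
    print("balance after top-up:", svc.top_up("student@example.edu", "rcpt-1"))
    print("balance after cycle:", svc.start_cycle("student@example.edu", 300))
```

The point of the contrast is where the decision is made: in the insecure class every fact that matters (balance, "paid") originates in the client, so traffic analysis of the kind the researchers performed is enough to reach the server with whatever values one likes. In the hardened class the server holds the only copy of the balance, only credits it after its own call to the payment processor, rejects reused receipts, and refuses to act for accounts whose email ownership was never proven.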

While free laundry may seem appealing, the researchers emphasized the potential dangers of having internet-connected laundry machines exposed to attack. They were unsure whether commands sent through the API could bypass safety restrictions that prevent overheating and fires. Additionally, someone still needs to physically push the start button on the machine for a cycle to begin.

CSC ServiceWorks wiped out the researchers’ account balance after they reported their findings, but the bug remains unfixed, allowing users to give themselves any amount of money. The lack of response from CSC disappointed the researchers, who believe the company should have a monitored security email inbox for such situations.

Despite CSC’s inaction, Sherbrooke and Taranenko remain committed to their research and are willing to spend time addressing the company’s security issues. They find it exciting to conduct real-world security research rather than simulated competitions.
