- cross-posted to:
- pulse_of_truth@infosec.pub
- cross-posted to:
- pulse_of_truth@infosec.pub
Bro don’t fucken tell the company wtf.
That’s how it works in security. It is unethical to not give the company time to react before public disclosure.
Dont disclose it. Let people who cant afford wash their clothes
That’s theft
They are likely stealing wages so who gives a shit
I think they meant that if the students hadn’t told the company, they and their classmates could have done their laundry for free.
That is still not ethical and qualifies as stealing
They charge $2.50 a load these days. They’re the ones that are stealing.
Bruh, I worked for laundry company in Ottawa. Many landlords were charging $4.50 CAD for a wash and $2.50 for a dry back in 2015. I shudder to think how high its gotten now.
Fucking shit ass garbage company. Boss was a smarmy cunt too. “Walked 10 miles up hill both ways to school” kind of prick.
Laundry is a basic service that should be easily affordable for everyone. Charging a premium for it is scummy.
Steal from landlord laundry every chance you get.
Then don’t use them. I really doubt they are making a ton off of a laundromat. If you can’t find an alternative place open your own and get a new source of income.
Just don’t be poor you fuckin’ loser
I just don’t believe in theft
serious question, are you a bit slow?
If you’re the kind of person who uses laundromats, you’re not the kind of person who can afford to open one.
Fucking it up for the rest of us
His hat is only white because he got to test this a bunch before exposing the vulnerability.
HEAR YE HEAR YE! best comment here! Hahaha
When I found a loophole for cheap Wendy’s food, I absolutely abused it a dozen times as a poor college student. It involves receipts and going to different Wendy’s.
Hey I think every white hat deserves some leniency in their Robin Hooding haha.
In this case this is fucked up. Let people wash dammit
Not the same company, but I live in apartments with washer/dryers like this. Coin op entirely removed.
You have to have a device that is bluetooth capable to use them.
Anyway pretty sure someone in this apartment has figured out something similar because the machines keep magically becoming unpaid machines after they get serviced. After each service, they will be asking for money to be able to be used for like a day or so, but then soon enough, I’ll go back to the laundry room and all the machines will be free and not asking for money. Just ready to go, no device required.
Originally, I thought it was the company disabling them due to like a data breach or something and was trying to find out if there was an undisclosed data leak and/or a class action lawsuit brewing. Since neither of those are the case, I’m pretty sure it’s a Notorious Do-Gooder.
So, thanks, Notorious Do-Gooder, for all the free washes and drys.
(Especially since this same idea crossed my mind over a year ago but I’ve just been too lazy to view the bluetooth data traffic myself)
You’re welcome, how’s the free cable too by the way?
Good, hope you’re enjoying the Internet on “Pretty_Fly_For_A_WIFI” open network
I miss my free cable and Wi-Fi in my first Boston apartment. I didn’t discover it worked until 2 months into living there (just after 9/11 actually). It went month to month when the owners sold the place and we wouldn’t have ever left if it weren’t for the shitty icebox and terrible parking in that neighborhood.
Saw a video that showed using swizzle sticks jammed into the coin slots to release the lock and get free laundry.
I had bike spokes laying around and tried it. It worked, but actually broke the coin slots. Management reconfig’d to other slots, which I then broke.
Laundry was only 25 cents if you knew which slot to put a quart into.
Around 2007 or so I used to unplug Coinstar machines from the internet (plug was usually right in back) and then put in all my coins and try to redeem an online gift card. It used to be you could only get all of your cash back via online gift cards, because the machine took out a fee to give your money back in cash.
When it couldn’t connect to the internet, it would apologize and refund me in cash, with no convenience fee (since I was clearly inconvenienced). Full amount returned.
You were supposed to use plastic coffee straws not a hard piece of metal. Turn a $1 bag of 100 straws into $25-$100 in laundry change depending on how much your reuse the straws.
Right, that’s what a swizzle stick is.
Counter point though, breaking it meant I didn’t even need straws…
Lol my b
Honestly coin machines aren’t that bad as they don’t require you to pay a internet bill and they don’t have cyber issues.
Sure it might be inconvenient but you can just have a machine that converts bills to coins like they have at car washes.
They could!
Obviously we need UBI cuz…
Capitalism. “Free” washes would increase rent. And benefit high-volume washers! Might increase lines though (wash more often with no skin in the game), pull back people who may be using laundromats as an alternative. Detrimental to low-volume washing households.
Mostly I’d say it’s an optics thing. Cost per year to exist wouldn’t change much, but clearly public opinion could.
Fun.
From the article, the linked Swagger docs : https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html#/
And a little more detailed account : https://timesofindia.indiatimes.com/technology/tech-news/how-this-security-bug-in-washing-machines-can-help-college-students-in-the-us-do-free-laundry/articleshow/110277923.cms
It looks like these laundry machines are controlled by a mobile app, and requests are routed through The Internet™. The flaw appears to be the web service presumes a user is only able to gain access to their API endpoints via the mobile app, which only exposes certain functions to a user.
Once authorized, though, there’s no further checks like oauth scopes or even user roles, to prevent someone from doing a little bit of lateral movement to admin-style endpoints.
Lazy. The machine makers should be ashamed.
I once took over an app that worked like this. Access to one thing? Access to everything! And they had a hard coded admin password in the server code. 🤦 The client wasn’t happy when I proposed a complete rewrite. Eventually my manager begged me to stop working with them, so we did.
I (white boy) visited India in the early '90s and brought back a bunch of rolls of half-Rupee coins as souvenirs. Turns out they were the exact same weight and diameter as US quarters (even down to the number of ridges, which makes me suspect India bought a bunch of used US minting machines to make them), so I started using them at laundromats. The exchange rate at the time was 35 Rs to the dollar, so a load in the US that normally cost $1 was costing me less than 6 cents. I do feel bad for the harassment that actual Indian customers probably ended up receiving, although possibly the owners never noticed or cared.
When i used to go to france for my family holiday every year (i live in southeast england so not far) i used to take as many 2p coins as i could because they were close enough to the €2 coin to work in those insert and twist sweet/small toy machines
British coins really seem absurdly overly-beefy for the monetary value they represent. I think it’s a way of saving up metal for the next time the Germans need sorting out.
we’re not allowed guns really so the only option will be to throw our ever diminishing currency at any invaders
I used to work as a teller and we used to run magnets on every roll of quarters that came in from laundry mats and car washes. While the weight is correct, American coins are never magnetic. Every single time it’s the laundry mats that foot the bill.
I used to go to a laundromat that used something like a smartcard to keep your balance. You’d refill it at the kiosk and swipe it at the washer/dryer.
I had a reader/writer around somewhere from a few years prior, when I was messing around with old Echostar boxes.
Wish I could have found it. Those machines didn’t look to be connected to anything. I didn’t see any wireless networks in the area and the equipment didn’t have any data lines.
I’m almost willing to bet the balance was stored as an value on the card and gets read/rewritten with every swipe, and essentially just security-through-obscurity. Meaning I could either back up and rewrite a $20 card forever, or rewrite the balance to having FF credits or whatever.
It could be simply obscure like you say, but the absence of a network doesn’t guarantee it’s that easy to hack.
They could use a checksum and your trick would invalidate the card until you figured out the correct algorithm, which would require a new visit to the laundromat for every new attempt, so basically impractical.
That or the card is just simply encrypted, which would make it impossible to interpret. It would be easy to implement too because the shared secret is between machines that are all physically controlled by the laundromat.
If there’s no central control or ledger, couldn’t you just rewrite the card with the original values and the machines wouldn’t know any difference?
Oh yeah, that’s true, so you wouldn’t have destroyed the card, but it’s not a useful hack if they’ve done even the most basic security measures.
That said, I would be fascinated to know what was on that card. I’d give it pretty good odds of having absolutely no security measures whatsoever.
you could add a random number to the encrypted data on the card and require it to always be the same or larger than the last time that card was seen, and then increment it every time the card is used.
The problem with that is that if the machines don’t talk to one another then there’s no way to make that system work across machines. I guess if each machine enforced it then you would eventually run out of machines that work for your hacked card.
You could store a counter for every machine used on the card, realistically, given few Laundromats would have over 50 or so machines. That’d mean that as you say, restoring the cards initial state would break it for every machine you previously used.
Going way too far now for what would make sense for a Laundromat, but just to entertain the idea…
You could also use an OTP encryption scheme on the card, where the exchange encryption key is based on the laundry machine ID, card ID, and a current timestamp, and thus changes every time the card is used. It would then be quite hard to “restore” the initial state of the card without having the laundry machine’s hidden ID. Everything you read off the card would be useless a second later.
A simple encryption key would make the most sense. It wouldn’t even need to be that complex. All you would need is a way to verify the card and then another one that represents the number. You probably could just use some primes.
Meaning I could either back up and rewrite a $20 card forever, or rewrite the balance to having FF credits or whatever.
As you can guess, checksum is stored somewhere. And that somewhere happens to be card that was just dumped.
Yeah, but you’d need the algorithm. It could be a hash of some kind, and if you don’t know what kind of algorithm they’re using you can’t replicate it.
EDIT: Oh, I see what you’re saying. You mean you could simply rewrite the original card value back over it forever. That’s actually quite clever, and it would work even in case the card was completely encrypted.
Actually that means this is trivial to beat I think.
I mean how many people are gonna be walking around with card rw
Well that’s the thing, you don’t need a lot. You’re handing out these cards and people walk out the door with them, so you can’t trust they’re not going to mess with them. They don’t need to be walking around with a writer, you need one person to have access - either own one or have one at work or a university lab - and they can make as many cards as they want to give to their friends. Then they could use your business for years and get thousands of dollars of free service without you ever knowing.
That’s the real threat here I think - a poor university student with a technical degree challenging themselves to cheat the system and help out their friends. I mean it’s probably not going to happen, but a business owner who’s aware of this attack vector could spend the time to get a basic encryption system going that’s practically unbreakable.
Might be unbreakable, but all the attacker has to do is put money on it once and then just duplicate the card. You don’t need to beat the encryption. You just need to make the machine think the card is legit
Yup, I’ve realised that’s what people are saying. That’s not an easy one to guard against I’m afraid.
I just re-read the comment chain and saw it was mentioned before. Oops lol
No worries I’ve been in this thread a bunch and only just got it.
There also is a point of cost. They aren’t going to spend a bunch of money securing a laundromat. If they spend a bunch of money left and right your laundry fees would be pricy. Not to mention a laundryman isn’t exactly a high profit business.
I agree with the first part of your comment, but laundromats are absolutely a high profit business.
source: family friend owns a bunch of them, every single one was net profitable inside of a few months and they are now basically pure profit month over month. They make more money than I ever have from a single software development job, even at my peak, and they largely just farm maintenance out and pay some labor.
Yeah, laundromats are hard to beat, because your only real operating costs are bills and maintenance on the machines.
how much would it be get a reader? What skills would I need to keep resetting the amount?
Here’s a reminder that most washing machines use a universal key, which you can buy online for like $5. You can just pop it open and hit the little “coin inserted” switch to make it think you paid.
Just hope they don’t have cameras.
Steal those too
Are you sure the key is universal? I dont need the make and model?
I mean, the owner can choose to re-key it. But there are only a few manufacturers for them. Most laundromats use Speed Queen machines, for instance. And the manufacturer ships them with a single universal key, so the owner isn’t left juggling like forty different keys for a single laundromat. If every machine had a unique key, the owners would need to have a bunch of different keys just to service everything at the end of the day.
God forbid
But have you thought about the owner?
They have yacht expenses!
I’m pretty sure a laundromat is not a high profit business. I’d imagine the money is fairly tight.
The laundromats in my area are run by immigrants and their family. So it was common to see like a 9-yo helping around.
But I’m sure they are completely greedy and deserve to go out of business
- Lemmy, probably
In my area, while we have laundermats, it’s also very common for apartments to have coin-op laundry for tenants. With the absurd levels of rent they charge, those landlords are doing just fine without a bit of extra laundry revenue
I had free laundry for most of my freshman year of college. We had coin operated machines, and somebody quickly figured out that you can strip 2 wires and just touch them together, or touch a coin to both of them, and every time you did that the machine would think a coin had been inserted. Eventually the college caught on and one day I went down there and all the machines were taken apart with maintenance guys working on them, and after that there was a heavy duty housing for the coin acceptor with no exposed wires. It was nice while it lasted!
Is it USSA?
The west has fallen, millions must do laundry for free.
That company is really getting taken to the cleaners.
At least it’s free for them now!
This is the best summary I could come up with:
That’s because of a vulnerability that two University of California, Santa Cruz students found in internet-connected washing machines in commercial use in several countries, according to TechCrunch.
The two students, Alexander Sherbrooke and Iakov Taranenko, apparently exploited an API for the machines’ app to do things like remotely command them to work without payment and update a laundry account to show it had millions of dollars in it.
CSC never responded when Sherbrooke and Taranenko reported the vulnerability via emails and a phone call in January, TechCrunch writes.
That includes that the company has a published list of commands, which the two told TechCrunch enables connecting to all of CSC’s network-connected laundry machines.
CSC’s vulnerability is a good reminder that the security situation with the internet of things still isn’t sorted out.
For the exploit the students found, maybe CSC shoulders the risk, but in other cases, lax cybersecurity practices have made it possible for hackers or company contractors to view strangers’ security camera footage or gain access to smart plugs.
The original article contains 294 words, the summary contains 171 words. Saved 42%. I’m a bot and I’m open source!
Sherbrooke and Taranenko reported the vulnerability
Finks >:(
Forreal, I highly doubt CSC has a big bounty program so why did they even bother? Guaranteed they were the “Teacher you forgot our homework” kids
Honestly, in this case, the company in question are even bigger finks because they don’t actually care about fixing a vulnerability that could cost them money.
If that speaks to their security practices, well… Let’s just say I wouldn’t be surprised if customer data was all in an unsecured, unencrypted, plain-text Microsoft Word document.
Im very amused at it being in word rather than .xlsx or .txt, like them going out if their way to make it worse because word is all they know.
“But word is a text file.”
There used to be this music festival in my college town and they liked to charge absurd money for “tokens” to use at the vendors. I didn’t use all of them but I found they worked in the parking meters (I think they detected as slugs, because they immediately gave me an hour and flashed the meter) but nobody in the city bothered to ticket me for it. I dunno, I felt kinda bad but at the same time, I don’t like to parallel park.
For what its worth, I paid more for the tokens than I ever did parking.
I’ve never heard of CSC, only Coinamatic in every commercially run residential coin laundry I have seen (in Canada). They run on coins or chip cards.
I’m in the midwest and have used csc at every apartment I’ve lived at. Maybe it’s regional?
I see no problem here