STUDENTS HACK MILLION WASHING MACHINES, PAY NOTHING

Students at the University of California at Santa Cruz, Alexander Sherbruk and Yakov Taranenko, have discovered a significant vulnerability in the payment system used by the laundry company CSC ServiceWorks. The flaw allows anyone to use its laundry machines for free. Despite multiple attempts by the students to notify the company, the issue has not yet been fixed. TechCrunch reports on the situation as described by the students.

In January, Sherbruk was sitting in a laundry room with his laptop when he realized the scope of the problem. He ran a script that started a washing cycle even though his account held no funds. The machine responded immediately with a signal and showed it was ready to start the cycle. In another test, the students were able to add millions of dollars to an account in the CSC Go mobile app.

CSC ServiceWorks operates over a million laundry facilities in hotels, universities, and residential complexes worldwide. The students tried to report the vulnerability through the company’s feedback form and by phone, but received no response. They then shared their findings with the CERT Coordination Center at Carnegie Mellon University, a platform for reporting vulnerabilities, yet the issue remains unresolved after more than three months. They presented their research at a May meeting of the university’s cybersecurity club.

The company itself publishes a list of commands that can be used to communicate with every CSC washing machine connected to the network.

The vulnerability lies in the API of the CSC Go mobile app, which lets users add funds to their accounts and start washing cycles. The students found that the CSC servers can be tricked by sending commands that change an account balance without proper security checks, because those checks are performed on the user’s device rather than on the server.

By analyzing the app’s network traffic, the students bypassed its client-side safeguards and sent commands directly to the CSC servers, which let them start washing cycles without ever funding their accounts. In addition, the CSC servers do not verify that new accounts are genuine, so fake accounts can be created at will.
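The design flaw described above, trusting the client for balance changes and account validity, is easiest to see next to its fix. The following is an added illustration, not CSC's code or API: a minimal server that accepts whatever the app reports, beside one that keeps the ledger itself, credits only payments a processor has settled, refuses unknown accounts, and blocks replayed payment references. Account names, payment references and the per-cycle price are constructed sample values.

```python
# Added illustration (not CSC's code); money in cents, sample values constructed.

class TrustingServer:
    """Trusts what the app reports, the pattern the article describes."""
    def __init__(self):
        self.balances = {}

    def add_funds(self, account, amount_cents):
        # Balance is changed on the client's word; no payment is verified.
        self.balances[account] = self.balances.get(account, 0) + amount_cents
        return self.balances[account]

    def start_cycle(self, account, client_says_paid):
        # Authorization rests on a flag the client controls.
        return bool(client_says_paid)


class VerifyingServer:
    """The server owns the ledger and checks every claim itself."""
    PRICE_CENTS = 250  # constructed sample price per cycle

    def __init__(self, settled_payments):
        # settled_payments: payment_ref -> amount the processor confirmed
        self.settled = dict(settled_payments)
        self.consumed = set()   # refs already credited (replay guard)
        self.accounts = set()   # accounts that completed registration
        self.balances = {}

    def register(self, account):
        self.accounts.add(account)

    def add_funds(self, account, payment_ref):
        if account not in self.accounts:
            raise PermissionError("unknown account")
        if payment_ref in self.consumed:
            raise ValueError("payment already credited")
        amount = self.settled.get(payment_ref, 0)
        if amount <= 0:
            raise ValueError("payment not settled")
        self.consumed.add(payment_ref)
        self.balances[account] = self.balances.get(account, 0) + amount
        return self.balances[account]

    def start_cycle(self, account):
        balance = self.balances.get(account, 0)
        if account not in self.accounts or balance < self.PRICE_CENTS:
            return False        # refuse; the client is never consulted
        self.balances[account] = balance - self.PRICE_CENTS
        return True
```

With the trusting server a cycle starts on an empty account and an arbitrary top-up is accepted; with the verifying server the same requests are refused unless the processor has settled the payment.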

The researchers warn that such a vulnerability could have serious consequences, especially if malicious actors gain access to critical equipment connected to the internet. Although a wash cycle can only be started by physically pressing a button on the machine, the settings can still
