PDQ’s Smart Car Wash Vulnerabilities Can Injure Humans and Cars Alike

Making electronics “smarter” does not necessarily mean they are protected from external threats. In fact, smart devices are often even more prone to cyber attacks due to their constant connection to the Internet. A recent experiment involving smart car wash equipment revealed how several key flaws could be used to cause physical injuries to both cars and people. It appears the smart car wash solutions from U.S.-based PDQ are the main culprit.

Smart Car Wash Security Flaws are Problematic

Most people look at the car wash in the same way they have done for decades now. The entire process has been automated for quite some time, though there may now be software powering the entire experience. PDQ, a well-known U.S.-based vendor of Internet-connected car wash equipment, has been making some bad headlines of late.

Two security researchers have uncovered how car wash equipment contains multiple vulnerabilities. If these loopholes were to be exploited by people with malicious intents, they could cause damage to cars or physical harm to passengers and employees. That is not something a smart car wash vendor wants to be associated with. Even though these flaws have existed since January 2015, PDQ has not taken the necessary steps to patch the weaknesses. That is absolutely unacceptable.

Making matters worse is that the affected PDQ products are not just sold in the U.S., but rather on a global scale. Their LaserWash, LaserJet, and ProTouch equipment all contain these same vulnerabilities, which can have disastrous effects. The complex multi-component devices have built-in web servers which allow employees and car wash operators to manage them remotely. In this day and age, that makes a lot of sense. However, manufacturers also must take the necessary steps to protect these servers from nefarious activity, which does not appear to be the case with PDQ.

According to the researchers who disclosed these vulnerabilities back in 2015, the equipment’s login procedure has an authentication method which can be bypassed with ease. Once this occurred, they were given full access to the hardware’s control panel. This panel gives users full access to diagnostics, the setup of individual parts, and also the ability to cause damage to both cars and humans alike. PDQ decided to ignore this research for more than two years.

The researchers continued experimenting with the flaw they discovered in order to see what kind of damage could be done. They have since developed a few exploits which could have grave consequences, including the option to disable security sensors and alter hardware behavior. For example, it is possible to close the car wash’s doors when a car or person comes through. Additionally, the washing arms can be modified to hit cars and trap people in their cars for extended periods of time. All it would take is an automated script to put the well-being of one’s vehicle or oneself in danger.

Thankfully, PDQ has finally acknowledged these problems and promised they will fix the issues. This only occurred after the Industrial Control Systems Cyber Emergency Response Team issued a nationwide alert about this vendor’s equipment. Flaws like these should never be allowed to remain active for as long as they were in this case, especially after receiving proper documentation from researchers on the potential outcomes. PDQ certainly dropped the ball here.