Two university students, Alexander Sherbrooke and Iakov Taranenko, have uncovered a major security flaw in over a million internet-connected laundry machines operated by CSC ServiceWorks. The flaw allows anyone to remotely send commands to the machines, enabling them to start laundry cycles for free. Despite reporting the vulnerability earlier this year, CSC ServiceWorks has failed to address the issue, leaving the laundry machines vulnerable to exploitation.
Sherbrooke and Taranenko discovered the flaw while experimenting with their own laundry accounts, successfully initiating free laundry cycles and even adding millions of dollars to their accounts without any repercussions. The students attempted to alert CSC ServiceWorks to the issue through various channels but received no response.
The vulnerability lies in the API used by CSC’s mobile app, CSC Go, which allows users to interact with the laundry machines. By bypassing the app’s security checks, Sherbrooke and Taranenko were able to manipulate their account balances and control the machines remotely.
Despite CSC ServiceWorks wiping out the researchers’ inflated account balances, the security flaw remains unresolved, posing a potential threat to users of the laundry machines. The researchers expressed disappointment in CSC’s lack of acknowledgment and urged the company to take responsibility for the security of its systems.
Sherbrooke and Taranenko remain committed to exposing vulnerabilities in the interest of improving cybersecurity. They emphasized the importance of addressing such issues promptly to prevent potential misuse and financial losses. The students’ persistence in uncovering and reporting the flaw highlights the need for companies to prioritize cybersecurity measures to protect their customers and prevent unauthorized access to their systems.