Students Find Bug That Made Laundry Free For Millions

Date: May 20, 2024

Two students from the University of California found a bug in an IoT-enabled laundry service that could give away millions of laundry cycles for free.

How stringent is the security in the IoT industry that witnessed a sudden bloom, thanks to AI? Automation, remote accessibility, and the Internet of Things are the three recent innovations that have entered both personal and commercial spaces. However, the security layers in these technologies often lack safety fundamentals. Two students from the University of California have proved this point with a risk that could have cost a company millions of dollars.

According to the reports, Alexander Sherbrooke and Iakov Taranenko exploited the APIs of CSC Service Works’ laundry machines. The students used a loophole in the IoT-powered connectivity between the machines and the company’s software and remotely commanded the machines to do their laundry without making any payment. They also updated a laundry account to show that it had a million dollars in its wallet.

The company that runs these machines has over a million laundry and vending machines in service in colleges, multi-housing communities, laundromats, and other public places in the USA, Canada, and Europe. The students who found the bug immediately reported it to the company with all the required details, which are attached to this email. After getting no response from the company, they even called it to explain the drastic nature of the situation. The company, however, remained silent.

When the students mentioned a bug that filled an account with millions of dollars in its wallet, the company simply removed the wallet money. It is unclear whether the company has corrected its security layers, but IoT devices usually have more vulnerabilities than is tolerable. The company has a published list of commands that enable connection with all CSC network-connected laundry machines.

Hackers from around the world look for such vulnerabilities to earn quick and explosive income that usually bankrupts the company. CSC’s lack of response reflects its inadequate commitment to security or insufficient awareness of the direness of the situation. IoT devices have multiple vulnerabilities, as people who make them usually benefit from enabling maximum connectivity, which exposes them to potentially dangerous third-party APIs.

Often, security researchers find these loopholes and report them to the designated authorities to prevent fraudulent activities in exchange for a nominal fee or reward. Google has built one of the strongest independent bug-testing networks of talented individuals like Alexander Sherbrooke and Iakov Taranenko. It not only responds promptly but also acts swiftly, while rewarding the bug finders and fixers with hefty sums.

By Arpit Dubey

Arpit is a dreamer, wanderer, and a tech nerd who loves to jot down tech musings and updates. With a logician mind, he is always chasing sunrises and tech advancements while secretly preparing for the robot uprising.
