
Car Wash Hack Can Strike Vehicle, Trap Passengers, Douse Them with Water - Tchang7
https://motherboard.vice.com/en_us/article/bjxe33/car-wash-hack-can-smash-vehicle-trap-passengers-douse-them-with-water
======
binarytransform
This constant barrage of FUD from the cybersecurity community is exhausting.
The real story here is that a combination of misconfigurations resulted in a
system being exposed to remote exploitation. Until we in security move away
from producing this noise about the latest clickbaity hack and start
professionally addressing underlying hygiene, root causes, and config laziness
at scale, we will never drive the conversation forward. But that doesn't get
your talk accepted at Black Hat.

~~~
FooHentai
Same issues as those faced in the field of scientific research, really.
Pressure to put out something flashy coupled with sensational journalism
adding even more fantastical hype over the top.

Question is, what did we use to have that drove research efforts in the more
beneficial ways we used to see?

~~~
na85
Xerox PARC and Bell Labs?

~~~
FooHentai
Sure but I mean - What was the secret sauce that drove us to have PARC and
Bell? What motivations were there then that have gone away now? Can we get
them back?

------
jacquesm
This is an excellent illustration of how software failsafes are unacceptable
in internet-connected pieces of hardware interacting with human beings. At a
minimum you want all your interlocks to connect to a logic board with an FPGA
that cannot be upgraded remotely (to avoid someone overriding the FPGA
programming using an updated bitstream).

~~~
ingenieroariel
What does interlock mean in this context?

~~~
Drdrdrq
See linked Wikipedia article for explanation.

~~~
nilved
Normally a post like that is accompanied by a link to a Wikipedia article.

~~~
jacquesm
[https://en.wikipedia.org/wiki/Interlock_(engineering)](https://en.wikipedia.org/wiki/Interlock_\(engineering\))

------
eridius
> _We believe this to be the first exploit of a connected device that causes
> the device to physically attack someone_

Is this really the first time anyone has found an exploit that lets them
control a motorized door? Because that seems kind of surprising.

~~~
deathanatos
Perhaps one that controls a motorized door, but this is not the first
vulnerability with the capacity to cause actual physical harm to a human, no.
For example: [https://www.wired.com/2015/07/hackers-remotely-kill-jeep-hig...](https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)

------
hedora
I don't understand how the arm sprays water on passengers while they are
inside the car. I can imagine this working if you knew where the cabin air
intake is, but the article is very vague on this point (which is the only
claim that is remotely surprising to me...)

~~~
cconcepts
> They could also manipulate the mechanical arm to hit the vehicle or spew
> water continuously, making it difficult for a trapped occupant to exit the car

They've simply extrapolated on this capability to make the headline more
clickable.

~~~
ocdtrekkie
When someone lends you their robotic car wash for you to test a theory,
generally you don't want to wreck their robotic car wash.

------
matt_morgan
"All systems—especially internet-connected ones—must be configured with
security in mind," Gerald Hanrahan of PDQ wrote. "This includes ensuring that
the systems are behind a network firewall, and ensuring that all default
passwords have been changed. Our technical support team is standing ready to
discuss these issues with any of our customers."

Kind of customer-blaming. Maybe it's true that the hacks were done on
poorly-protected systems but apart from having better security, it seems like
all these companies need better communications, too.

------
exikyut
> "We believe this to be the first exploit of a connected device that causes
> the device to physically attack someone," Billy Rios, the founder of
> Whitescope security, told Motherboard.

I won't argue that, but at the same time I was very reminded of this:

[https://www.reddit.com/r/talesfromtechsupport/comments/5pazb...](https://www.reddit.com/r/talesfromtechsupport/comments/5pazbo/im_pretty_sure_i_knocked_a_user_out_from_nearly/)

