Jailbroken coin-operated washing machines unlock unlimited free cycles and millions in funds — unpatched security vulnerability could also pose a fire hazard

News
By
published

It can also be exploited to turn washing machines into a fire hazard as it bypasses safety restrictions.

CSC ServiceWorks App and Internet-connected washing machine services
(Image credit: CSC ServiceWorks)

In January, two students from UC Santa Cruz discovered a way to make internet-connected washing machines, owned and operated by CSC ServiceWorks, give practically unlimited washing cycles for free. Alexander Sherbrooke and Iakov Taranenko ran a custom script through CSC's mobile app and bypassed the security checks on its servers.

Nowadays, everything connects to the Internet. Not so long ago, one user discovered that his LG washing machine was reportedly sending gigabytes of data daily. The CSC internet-connected washing machines require users to download the app, create an account, and add funds to enable laundry cycles for those users. The students discovered the security flaw in the app that would make the servers allow laundry cycles for the connected accounts, even if these accounts had no funds. The students could also add credits worth several million dollars into one of their accounts, which is reflected in their CSC Go mobile app.

CSC ServiceWorks is a large company that operates in the United States, Canada, and Europe. It caters to multiple multi-housing communities, gas stations, convenience stores, residents, hotels, resorts, laundromats, colleges, and universities. Despite having such an extensive network, CSC ServiceWorks did not have a page for reporting security flaws. Sherbrooke and Taranenko contacted the company via its online contact form in January and spoke to its customer service, but they did not receive any response.

The students eventually submitted their findings to the CERT Coordination Center at Carnegie Mellon University. After waiting over three months, the pair published their report to their cybersecurity club in May. According to the students, CSC eventually wiped out the credits in their accounts but has not patched this vulnerability.

While one may think the downside is free laundry cycles, which would contribute to millions in losses to the company, those with nefarious intents to bypass them can always find ways to do much worse. The students said the flawed API could bypass the safety restrictions, potentially creating a fire hazard. If left unpatched, it's just a matter of time before malicious actors decipher Sherbrooke and Taranenko's script to exploit the vulnerability.

Roshan Ashraf Shaikh
Roshan Ashraf Shaikh
Contributing Writer

Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.

9 Comments Comment from the forums
  • hotaru251
    and yet another reason some stuff does not be internetified...

    there is no reason to have a fridge, washing machine, etc on a network.
    Reply
  • Joseph_138
    And now they're probably trying to figure out a way to cash in on the millions of dollars in free credits that they gave themselves.
    Reply
  • slightnitpick
    hotaru251 said:
    and yet another reason some stuff does not be internetified...

    there is no reason to have a fridge, washing machine, etc on a network.
    It's ridiculous.

    Some day people will be upgrading phones because their new washing machine doesn't work without iOS 33.1 or Android 29.
    Reply
  • USAFRet
    slightnitpick said:
    Some day people will be upgrading phones because their new washing machine doesn't work without iOS 33.1 or Android 29.
    That is likely already happening.
    Reply
  • NightForce
    This outfit provides the coin-op laundry for my building. Unresponsive is entirely normal for them, in my experience. We're supposed to have washers and dryers on this app. Since day 1, the dryers have never been visible on the app. This means reverting to quarters to do laundry -whoops the coin box is full or just eats coins. When we try to tell them to come service their equipment, nobody shows up for weeks. And they don't fix it. They don't care if the machines make money or not.

    Now, none of the washers appear in the app, alongside the invisible dryers.

    What good are laundry machines nobody can actually use? Very good: they pushed me to try the far better laundry down the road. It costs a little more but it actually works, unlike CSC.
    Reply
  • DougMcC
    hotaru251 said:
    and yet another reason some stuff does not be internetified...

    there is no reason to have a fridge, washing machine, etc on a network.
    My fridge is internet connected. It notifies me when my intellectually disabled kid leaves the door open. I use that feature about once a week.
    My washer/dryer are internet connected, they notify me when laundry is done. Cycle length is unpredictable because it depends on the weight / what is being washed/dryed. I have a lot of laundry to do (about 3.5 loads per day on average), and this spares me constantly checking on it to make sure I can keep the loads going since each one is a couple of hours, it can be hard to squeeze it all in without that feature.
    Reply
  • slightnitpick
    DougMcC said:
    My fridge is internet connected. It notifies me when my intellectually disabled kid leaves the door open. I use that feature about once a week.
    My washer/dryer are internet connected, they notify me when laundry is done. Cycle length is unpredictable because it depends on the weight / what is being washed/dryed. I have a lot of laundry to do (about 3.5 loads per day on average), and this spares me constantly checking on it to make sure I can keep the loads going since each one is a couple of hours, it can be hard to squeeze it all in without that feature.
    Useful for deaf people. Our refrigerator will beep when it's open too long. The washer has an optional beep when it's done. And the dryer stops spinning when it's done (noticeable absence of noise), and I think also has an optional beep. Just listening is enough to hear all of this for us.
    Reply
  • Daniel15
    DougMcC said:
    My washer/dryer are internet connected, they notify me when laundry is done
    This shouldn't need internet connectivity, though. You're almost always going to be home when the laundry load is running, so it should just use your wifi.

    I use Home Assistant for a lot of smart home stuff, and none of it goes over the internet. I access Home Assistant via a VPN when I'm away from home, but none of the devices themselves are directly connected to the internet.

    The manufacturers don't like local control because they can't really monetize it later. If it goes through the internet, they can more easily stick a paywall on it in the future.
    Reply
  • DougMcC
    slightnitpick said:
    Useful for deaf people. Our refrigerator will beep when it's open too long. The washer has an optional beep when it's done. And the dryer stops spinning when it's done (noticeable absence of noise), and I think also has an optional beep. Just listening is enough to hear all of this for us.
    Yep. I'm hard of hearing, resulting from incessant screaming of the disabled kid. Those audio clues aren't even close to loud enough to get my attention.
    Reply