Jailbroken coin-operated washing machines unlock unlimited free cycles and millions in funds — unpatched security vulnerability could also pose a fire hazard

In January, two students from UC Santa Cruz discovered a way to make internet-connected washing machines, owned and operated by CSC ServiceWorks, give practically unlimited washing cycles for free. Alexander Sherbrooke and Iakov Taranenko ran a custom script through CSC's mobile app and bypassed the security checks on its servers.

Nowadays, everything connects to the Internet. Not so long ago, one user discovered that his LG washing machine was reportedly sending gigabytes of data daily. The CSC internet-connected washing machines require users to download the app, create an account, and add funds to enable laundry cycles for those users. The students discovered the security flaw in the app that would make the servers allow laundry cycles for the connected accounts, even if these accounts had no funds. The students could also add credits worth several million dollars into one of their accounts, which is reflected in their CSC Go mobile app.

CSC ServiceWorks is a large company that operates in the United States, Canada, and Europe. It caters to multiple multi-housing communities, gas stations, convenience stores, residents, hotels, resorts, laundromats, colleges, and universities. Despite having such an extensive network, CSC ServiceWorks did not have a page for reporting security flaws. Sherbrooke and Taranenko contacted the company via its online contact form in January and spoke to its customer service, but they did not receive any response.

The students eventually submitted their findings to the CERT Coordination Center at Carnegie Mellon University. After waiting over three months, the pair published their report to their cybersecurity club in May. According to the students, CSC eventually wiped out the credits in their accounts but has not patched this vulnerability.

While one may think the downside is free laundry cycles, which would contribute to millions in losses to the company, those with nefarious intents to bypass them can always find ways to do much worse. The students said the flawed API could bypass the safety restrictions, potentially creating a fire hazard. If left unpatched, it's just a matter of time before malicious actors decipher Sherbrooke and Taranenko's script to exploit the vulnerability.