May 20, 2024 at 03:32PM
UCSC students Alexander Sherbrooke and Iakov Taranenko discovered a security flaw in CSC ServiceWorks washing machines, allowing for free unlimited laundry cycles. Despite reporting the bug to the company and posting about it on Slug Security, CSC has not responded or fixed the vulnerability. Taranenko highlighted the potential financial impact and emphasized the need for better security measures.
The key takeaways are:
– Two students from the University of California at Santa Cruz discovered a security flaw in CSC ServiceWorks washing machines that allows for unlimited free laundry cycles.
– Alexander Sherbrooke and Iakov Taranenko found a vulnerability in the API used by the CSC Go mobile app, which can be exploited to send remote commands to the laundry machines.
– The students were able to run a script instructing a machine to run a cycle even with a $0 balance in their accounts. They also added a multimillion-dollar balance to their accounts using the mobile app.
– Despite reporting the bug to CSC ServiceWorks, the company has not responded, and the vulnerabilities remain unfixed.
– The students waited to report the bug properly, seeking assistance from external sources such as Carnegie Mellon University’s CERT Coordination Center, but received no response from the vendor.
– Even though CSC wiped their multimillion-dollar account balance, the underlying vulnerabilities persist.