Automatic Car Washes Can Be Hacked to Trap, Attack Drivers Inside, Researchers Say

A scary possibility in a connected future.

There’s a lot of concern these days about the possibility of someone hacking your Internet-connected car, but somewhat less attention paid to the idea of hackers targeting the ancillary systems drivers rely on. Gas pumps. Traffic lights. And now, the humble automated car wash.

Motherboard reports that a group of security researchers have discovered a way to hack a brushless, laser-guided system known as the PDQ LaserWash found at automatic car washes around the country. In a real-world test earlier this year, the group was able to remotely close the bay doors, trap a vehicle inside, and manipulate a robotic arm to continuously strike and spray the car with high-pressure water.

The exploit was actually uncovered a couple of years ago, but it remained a theoretical possibility because the researchers never had a chance to test it out. A facility in Washington State finally agreed, and though the facility wouldn’t allow the test to be filmed, it was successful (and scary) enough that the researchers presented their findings at the annual Black Hat hacking conference in Las Vegas this week.

According to Motherboard, the PDQ systems are all running on Windows CE and are connected to the Internet so remote technicians can monitor their status and send out updates. The researchers were easily able to guess the master default password, which hadn’t been changed in many locations, and from there they found a security exploit that allowed them to write an “attack script.”

Thankfully, these were friendly hackers, because this is scary stuff—if it were a malicious actor behind the intrusion, all they would reportedly have to do is select the IP address of the car wash they wanted to control and press go. The script automatically activates at the end of the wash, shutting the doors as the driver tries to exit and forcing the robotic system to ignore its safety sensors and warnings. Without an attendant on duty, there’s little a hapless driver could do to stop it.

To avoid damaging the truck or the robotic arm, the researchers didn’t actually hit the truck during the test, but the ability was there. Before their presentation this week, they also notified the company and the Department of Homeland Security. A PDQ spokesman told Motherboard that the company is currently investigating the vulnerability and working on a fix.

Here’s a video of a car going through the same PDQ LaserWash system, sans homicidal robots: