Tools and technologies of daily use which can harm our health or even life is probably the most shocking scenario of IoT in the ongoing internet of things security discussion. Security researchers shown the risks of car wash systems if they are controlled by an attacker instead of the underlying control systems.
IoT Security Problems Case Study
Within the scope of the black hat 2017 security conference in Las Vegas the security researchers Billy Rios and Jonathan Butts have shown a possible attack on car wash system which are popular in USA. The researchers call this issue - the first physical attack on humans.
"We believe this to be the first exploit of a connected device that causes the device to physically attack someone," Billy Rios, the founder of Whitescope security
The researchers where able to control parts of the system like the doors or the mechanical dispense arms of the car wash system from PDQ LaserWash but also cause dangerous situation like trapping the user inside the car wash by closing both doors.
In the below youtube video a demo is shown where the door of the car wash is closed again and again despite the fact that a car is placed under the door and an additional system, a light barrier, is in place to exclude such behavior.
Personally I think this is a great example to create more awareness on the IoT Security problems. Often in a discussion with opponents who are against security measures for all IoT devices, one of the first question is often "What can be stolen from my system?". An unexperienced security engineer can reach a situation where the reasons again security measures seems to be stronger then pro security measures. I pretty sure that in such a case the situation can be the same. What do such a car wash station have?
- no personal data
- no real intellectual property
- no detection system for car number plates
... there is nothing, but still here, at least basic security feature are required.