Published Date: 2017-07-27
| Postmortem Analysis | |
|---|---|
| Timeline | 1. The software failure incident involving the internet-connected car washes happened in July 2017, as per the articles [61303, 61334]. |
| System | 1. PDQ LaserWash automated car wash system running on Windows CE software [61303, 61334] |
| Responsible Organization | 1. Hackers [61303, 61334] |
| Impacted Organization | 1. Vehicles and passengers were impacted by the software failure incident as they could be trapped inside the car wash, hit by the doors, and sprayed with water [61303, 61334]. |
| Software Causes | 1. Software vulnerabilities in internet-connected car washes allowed hackers to manipulate the car wash system to physically attack vehicles and passengers by opening and closing doors, hitting vehicles with doors, and striking vehicles with the mechanical washing arm [61303, 61334]. 2. The software running on the car wash system, specifically Windows CE software with a built-in web server, was vulnerable to hacks that allowed hackers to bypass authentication processes and send commands to manipulate the car wash doors and mechanical arm [61303, 61334]. 3. The default password for accessing the car wash system was easily guessable, making it easier for hackers to exploit the software vulnerabilities [61303]. 4. The attack script written by the researchers bypassed safety mechanisms in the car wash software, such as infrared sensors, allowing the hackers to carry out the attacks successfully [61334]. |
| Non-software Causes | 1. Lack of proper authentication and password security measures in the car wash system [Article 61303, Article 61334] 2. Vulnerabilities in the automatic car wash systems, specifically in PDQ LaserWash units [Article 61303, Article 61334] 3. Misconfiguration of the car wash system by technicians [Article 61303] |
| Impacts | 1. The software failure incident allowed hackers to remotely control internet-connected car washes, enabling them to physically attack vehicles and passengers by trapping them inside, hitting them with doors, and spraying them with the mechanical washing arm [61303, 61334]. 2. The vulnerability in the car wash software could potentially harm innocent customers if exploited by malicious hackers [61334]. 3. The incident raised concerns about the security of internet-connected devices and highlighted the need for improved cybersecurity measures in such systems [61303, 61334]. 4. The discovery prompted the researchers to inform the Department of Homeland Security about the vulnerabilities found in the car wash software [61303, 61334]. 5. PDQ, the car wash company whose software was hacked, stated that they are working on investigating and fixing the security issues within their system following the incident [61303, 61334]. |
| Preventions | 1. Implementing strong authentication mechanisms: The software controlling the car wash system should have robust authentication processes in place to prevent unauthorized access [61303, 61334]. 2. Regular security audits and testing: Conducting regular security audits and testing of the software to identify and address vulnerabilities before they can be exploited by hackers [61303, 61334]. 3. Promptly fixing identified vulnerabilities: Once vulnerabilities are discovered, they should be promptly fixed to prevent potential attacks [61303, 61334]. 4. Enhancing physical safety measures: Implementing additional physical safety measures in the car wash system to prevent physical harm in case of a software failure [61303, 61334]. |
| Fixes | 1. Implement stronger authentication processes to prevent unauthorized access to the car wash software [61303, 61334]. 2. Enhance the security measures to prevent hackers from bypassing passwords and exploiting vulnerabilities in the authentication process [61303, 61334]. 3. Update the software to include safeguards that prevent unauthorized manipulation of the car wash doors and mechanical arm [61303, 61334]. 4. Conduct regular security audits and testing to identify and address potential vulnerabilities in the system [61303, 61334]. 5. Improve the monitoring and detection capabilities of the software to identify and prevent malicious activities in real-time [61303, 61334]. |
| References | 1. Security researchers (Billy Rios and Jonathan Butts) [Article 61303, Article 61334] 2. PDQ Vehicle Wash Systems [Article 61303, Article 61334] 3. Department of Homeland Security [Article 61303, Article 61334] 4. Vice Motherboard [Article 61303] 5. Whitescope security [Article 61303, Article 61334] 6. Black Hat security conference [Article 61303] 7. U.S. Department of Homeland Security [Article 61334] |

| Category | Option | Rationale |
|---|---|---|
| Recurring | one_organization, multiple_organization | (a) The software failure incident related to hacking internet-connected car washes has happened again at PDQ Vehicle Wash Systems. Security researchers discovered vulnerabilities in the PDQ LaserWash units, allowing hackers to remotely control the car wash system to trap vehicles, hit cars with the doors, and spray passengers with the mechanical washing arm [61303, 61334]. (b) The incident has also occurred at other organizations or with their products and services. Prior to focusing on car wash systems, one of the researchers, Billy Rios, had discovered security problems in other systems such as drug pumps for hospital patients, x-ray machines in airports, and buildings that control electric door locks, camera surveillance, lights, and elevators [61303]. |
| Phase (Design/Operation) | design, operation | (a) The software failure incident in the articles can be attributed to the design phase. The vulnerabilities in the automatic car wash systems, specifically in PDQ LaserWash units, were identified by security researchers due to flaws in the software design and development. The system's software allowed hackers to bypass passwords, find vulnerabilities in the authentication process, and write attack scripts to manipulate the car wash doors and mechanical arm [61303, 61334]. (b) Additionally, the software failure incident can also be linked to the operation phase. The attack scripts developed by the researchers monitored the vehicle's actions within the car wash cycle and sent commands to the system to trap vehicles, strike cars with doors, and manipulate the mechanical arm. These actions were a result of exploiting vulnerabilities in the operational aspects of the system, such as controlling the car wash doors and mechanical arm through unauthorized commands [61303, 61334]. |
| Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident involving the internet-connected car washes being hacked to attack vehicles and passengers was primarily due to vulnerabilities within the system itself. Security researchers discovered multiple vulnerabilities in the PDQ LaserWash units, which are popular because they operate via software and programs over a built-in web server. The vulnerabilities allowed hackers to bypass passwords, find authentication process vulnerabilities, and write attack scripts to manipulate the car wash system, including causing the exit door to hit vehicles and passengers, trapping vehicles inside, and controlling the mechanical arm to spray water on the vehicle [61303, 61334]. (b) outside_system: The software failure incident involving the car wash hack was also influenced by factors originating from outside the system. The hackers exploited the vulnerabilities in the internet-connected car wash systems, taking advantage of the fact that these systems were accessible over the internet. By using the Shodan search engine to find connected devices, the hackers were able to identify over 150 vulnerable car wash systems and launch attacks remotely. Additionally, the researchers informed the Department of Homeland Security and the vendor about their findings, indicating external involvement in addressing the security issues [61303]. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: The software failure incident in the articles was primarily due to vulnerabilities in the software of internet-connected car wash systems, specifically PDQ LaserWash units. Security researchers discovered multiple vulnerabilities in the automated car wash systems that allowed for non-human actions to occur, such as opening and closing doors, manipulating the mechanical washing arm, and causing physical harm to vehicles and passengers [61303, 61334]. (b) The software failure incident occurring due to human actions: The software failure incident also involved human actions as the security researchers actively conducted tests and wrote attack scripts to exploit the vulnerabilities in the car wash software. They bypassed passwords, found authentication process vulnerabilities, and wrote automated attack scripts to monitor and manipulate the car wash system, demonstrating how human actions can exploit software vulnerabilities [61303, 61334]. |
| Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: - The vulnerability in the automatic car wash systems, specifically in PDQ LaserWash units, was exploited by security researchers. They were able to manipulate the mechanical arm to hit the car or spew water, making it hard for a passenger to escape. Although the car wash's software had systems in place to prevent such incidents, the attack script was able to disable these safety measures, indicating a hardware-related failure [61303]. - The researchers found vulnerabilities in the automatic car wash systems that allowed them to gain control of the mechanical arm that sprays wash chemicals and water on the vehicle. Despite safety guards in place, such as infrared sensors to avoid striking objects, the new code easily bypassed these hardware safeguards [61334]. (b) The software failure incident occurring due to software: - The software vulnerabilities in the car wash system allowed hackers to bypass the online authenticating process, monitor when a vehicle is ready to leave the car wash, and cause the exit door to hit the vehicle. This indicates a software-related failure in the system [61303]. - The security researchers were able to bypass passwords and find a vulnerability in the authentication process of the automatic car wash systems. They wrote a fully automated attack script that could strike the car with the exit door automatically, indicating a software-related failure in the system [61334]. |
| Objective (Malicious/Non-malicious) | malicious | (a) The objective of the software failure incident was malicious, as security researchers discovered vulnerabilities in internet-connected car wash systems that could be exploited by hackers to physically attack vehicles and passengers. The attack program written by the researchers bypassed the online authenticating process of the car wash software, allowing hackers to trap vehicles inside, hit cars with the doors, strike cars, and spray passengers with the mechanical washing arm [61303, 61334]. The incident involved exploiting the vulnerabilities in the system with the intent to harm the vehicles and passengers using the car wash. |
| Intent (Poor/Accidental Decisions) | poor_decisions | (a) poor_decisions: The software failure incident related to the internet-connected car washes being hacked to attack vehicles and passengers was a result of poor decisions. The vulnerabilities in the car wash software allowed hackers to open and close the outside doors of the car wash, hit vehicles with the doors, and even strike vehicles and spray passengers with the mechanical washing arm. The vulnerabilities stemmed from poor decisions in the design and implementation of the software, making the car wash system susceptible to attacks [61303, 61334]. (b) accidental_decisions: The software failure incident was not due to accidental decisions or unintended mistakes. Instead, it was a deliberate exploitation of vulnerabilities in the car wash software by security researchers to demonstrate the potential harm that could be caused by hacking into internet-connected car wash systems. The incident was a result of intentional actions taken to identify and exploit the weaknesses in the software, rather than accidental decisions or mistakes [61303, 61334]. |
| Capability (Incompetence/Accidental) | unknown | (a) The software failure incident occurring due to development incompetence: The software failure incident in the articles was not directly attributed to development incompetence. Instead, it was a result of security vulnerabilities in the software-controlled car wash systems that were exploited by security researchers [61303, 61334]. (b) The software failure incident occurring accidentally: The software failure incident in the articles was not accidental but rather a deliberate exploitation of vulnerabilities in the software-controlled car wash systems by security researchers to demonstrate the potential harm that could be caused [61303, 61334]. |
| Duration | permanent | (a) The software failure incident in the articles can be considered as permanent. The vulnerabilities in the automatic car wash systems, specifically in PDQ LaserWash units, allowed hackers to exploit the software to physically attack vehicles and passengers. The attack script written by the researchers could monitor when a vehicle was ready to leave the car wash and cause the exit door to hit the vehicle, manipulate the mechanical arm to hit the car or spew water, and even trap vehicles and occupants inside by closing both doors of the wash bay [61303, 61334]. These vulnerabilities were not due to specific circumstances but were inherent in the software system, making the failure permanent until security issues were addressed and fixed by the vendor. |
| Behaviour | value, other | (a) crash: The software failure incident in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is more focused on intentional manipulation of the car wash system to cause physical harm rather than a system crash. [61303, 61334] (b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the vulnerability in the car wash software was exploited to manipulate the system to perform harmful actions such as hitting vehicles and passengers. [61303, 61334] (c) timing: The software failure incident is not related to the system performing its intended functions too late or too early. The focus of the incident is on the intentional manipulation of the car wash system's operations rather than timing issues. [61303, 61334] (d) value: The incident does involve the system performing its intended functions incorrectly. The vulnerability in the car wash software was exploited to cause the system to behave in a way that was not intended, such as hitting vehicles and passengers with the mechanical arm and doors. [61303, 61334] (e) byzantine: The software failure incident does not involve the system behaving erroneously with inconsistent responses and interactions. The incident is more about exploiting vulnerabilities in the software to control the physical actions of the car wash system. [61303, 61334] (f) other: The behavior of the software failure incident can be categorized as intentional manipulation or exploitation of the software vulnerabilities to cause physical harm to vehicles and passengers using the car wash system. The incident highlights the potential dangers of connected devices being hacked to physically attack individuals. [61303, 61334] |

| Layer | Option | Rationale |
|---|---|---|
| Perception | sensor, actuator, processing_unit, network_communication, embedded_software | (a) sensor: The software failure incident related to the perception layer of the cyber physical system that failed involved sensors. The vulnerability in the car wash software allowed hackers to manipulate the mechanical arm to hit the car or spew water, making it hard for a passenger to escape. Although the car wash's software had systems in place to sense where the car was and prevent such things from happening, the attack script was able to disable these sensors [61303]. (b) actuator: The incident also involved the actuator component of the cyber physical system. The attack script written by the researchers monitored when a vehicle was ready to leave the car wash and caused the exit door to hit the vehicle automatically. Additionally, hackers could send commands to close both doors to the wash bay at once, trapping the vehicle and occupants inside, or open and close the doors on a vehicle multiple times [61303, 61334]. (c) processing_unit: The processing unit of the cyber physical system was also implicated in the software failure incident. The vulnerability in the car wash software allowed hackers to bypass the online authenticating process, monitor the car's wash cycle, and send commands to manipulate the doors and the mechanical arm. This indicates a failure in the processing unit's ability to authenticate and control the car wash system securely [61303, 61334]. (d) network_communication: The failure was related to network communication as well. The car wash software ran on Windows CE and had a built-in web server to allow technicians to monitor the system over the internet. The vulnerability in the network communication aspect of the software made it susceptible to hacks, enabling attackers to remotely send commands to control the car wash doors and mechanical arm [61303, 61334]. (e) embedded_software: The incident also highlighted a failure in the embedded software of the car wash system. The software vulnerabilities allowed hackers to exploit the system's embedded software to manipulate the doors and the mechanical arm, causing physical harm to vehicles and passengers. The embedded software's lack of robust security measures contributed to the successful attack on the car wash system [61303, 61334]. |
| Communication | connectivity_level | The software failure incident reported in the news articles was related to the connectivity level of the cyber physical system that failed. The vulnerability and exploit discovered by the security researchers in the automatic car wash systems, specifically in PDQ LaserWash units, were related to the software vulnerabilities that allowed hackers to remotely manipulate the system over the internet. The researchers were able to bypass passwords, find vulnerabilities in the authentication process, and write automated attack scripts to control various functions of the car wash system, such as opening and closing doors, manipulating the mechanical arm, and causing physical harm to vehicles and passengers [61303, 61334]. These actions were facilitated by exploiting weaknesses in the network or transport layer of the system, rather than issues at the physical layer. |
| Application | TRUE | The software failure incident related to the application layer of the cyber physical system in the reported articles is as follows: The failure in the automatic car wash systems, specifically in PDQ LaserWash units, was due to vulnerabilities in the software that allowed hackers to manipulate the system to physically attack vehicles and passengers. Security researchers discovered multiple vulnerabilities in the software of the car wash systems, allowing them to bypass passwords, find authentication process vulnerabilities, and write automated attack scripts to control the doors, mechanical arm, and other functions of the car wash [Article 61303, Article 61334]. This failure falls under the definition of an application layer failure as it was caused by bugs, operating system errors, and incorrect usage of the software. |

| Category | Option | Rationale |
|---|---|---|
| Consequence | harm, property, non-human, theoretical_consequence | (a) death: People lost their lives due to the software failure - There is no mention of any individuals losing their lives due to the software failure incident reported in the articles [61303, 61334]. (b) harm: People were physically harmed due to the software failure - The software failure incident resulted in the potential for physical harm to individuals as hackers could manipulate the car wash system to hit vehicles and spray passengers with the mechanical washing arm, making it hard for a passenger to escape [61303, 61334]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the software failure incident reported in the articles [61303, 61334]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident could potentially impact people's property as hackers could manipulate the car wash system to hit vehicles and cause damage [61303, 61334]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone an activity due to the software failure incident reported in the articles [61303, 61334]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted non-human entities, specifically vehicles being trapped inside the car wash and potentially damaged by the manipulation of the car wash system [61303, 61334]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident resulted in real observed consequences, such as the potential for physical harm to individuals and property damage [61303, 61334]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences of the software failure, such as the ability for hackers to physically harm individuals by manipulating the car wash system, but there is no mention of these consequences actually occurring [61303, 61334]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - There are no other consequences of the software failure mentioned in the articles [61303, 61334]. |
| Domain | transportation, utilities | (a) The failed system was intended to support the transportation industry, specifically the automated car wash systems used in car wash facilities. The vulnerabilities in the software of these car wash systems allowed for potential physical harm to vehicles and passengers by manipulating the doors and mechanical washing arm [61303, 61334]. (g) The software failure incident was related to the utilities industry, as it involved automated car wash systems that provide car washing services and whose software contained vulnerabilities. These vulnerabilities allowed hackers to manipulate the car wash doors and mechanical washing arm, potentially causing harm to vehicles and passengers [61303, 61334]. (m) The software failure incident was not related to any other industry outside of the transportation and utilities sectors, as it specifically focused on the vulnerabilities in the software of automated car wash systems [61303, 61334]. |
Article ID: 61303
Article ID: 61334