I’ve dug around on Shodan.io, the biggest IoT search engine, for a while now, and the number of people who own PDQ Tandem and PDQ Laserwash systems is remarkable. Most of the listings are garbled text with the word ‘PDQ’ in them, but before you get to the bottom of the page you see it, the one and only PDQ spree you can find: washes from all over the world, including here in Australia.
Unfortunately, accessing these IP addresses (yes, they’re publicly reachable) takes you to the car wash dashboard after a prompt for a username and password… which people haven’t changed.
Yep, that’s right: people haven’t changed the default username and password on an almost $5,000 investment, and it’s live on the internet for everyone to see.
The car washes run Windows CE (Crap Edition), a platform designed for embedded processors (such as ARM and other RISC cores), and it does that job well. The problem is that a load of these devices are now online 24/7 behind default credentials, so your $5,000 investment can be remotely controlled by attackers halfway across the world. Anyone who logs in to the dashboard can:
- Issue wash packages (during or after a cycle, wasting your time and resources)
- Create new wash packages (and make them free)
- Download sales data in TXT format (including any bank details, such as BSB and account numbers)
- Put the wash into maintenance mode while a wash is in progress (which closes both the entrance and exit doors by default)
- Lock the entrance and exit doors while people are in the wash bay and stop the wash cycle, preventing anyone from entering or leaving
- Stop a wash mid-cycle (leaving soap all over the customer’s car)
- Change the password on the owner account (so only the attacker has access)
- Push updates to the system (e.g. to put it out of order and drive away customers)
- Connect via FTP and Telnet (FTP for file transfer, Telnet for a remote command line)
- Install software via Telnet (e.g. VNC remote-control software or a keylogger)
- Obtain the configured email account’s username and password
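As an added illustration of the check an owner (or a tester with permission) would want to run against one of these controllers, here is a small Python audit script. It is not code from the original post or from PDQ. It assumes the dashboard uses HTTP Basic authentication (the post only says it prompts for a username and password), the `owner:owner` pair is a placeholder and not PDQ’s real default, and the mock dashboard at the bottom is constructed so the script runs offline; it also probes the FTP and Telnet ports the post mentions.

```python
"""Audit a car-wash controller for default dashboard credentials and
exposed FTP/Telnet. Added example; not code from the original post or PDQ.
Assumes HTTP Basic auth on the dashboard (the post only says it prompts
for a username and password)."""
import base64
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dashboard_status(host, port, creds=None, path="/", timeout=3.0):
    """GET the dashboard once, optionally with Basic credentials, and
    return the HTTP status code."""
    headers = {}
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def audit(host, http_port, default_creds, ftp_port=21, telnet_port=23):
    """Return a list of findings. default_creds is a list of (user, password)
    pairs to try; pass None for ftp_port/telnet_port to skip those probes.
    Caveat: a form-login dashboard that answers 200/302 to everything shows
    up here as 'no authentication', so confirm that finding by hand."""
    findings = []
    if port_open(host, http_port):
        if dashboard_status(host, http_port) not in (401, 403):
            findings.append("dashboard served without any authentication")
        for user, pw in default_creds:
            if dashboard_status(host, http_port, (user, pw)) not in (401, 403):
                findings.append(f"dashboard accepts default login {user}:{pw}")
    if ftp_port is not None and port_open(host, ftp_port):
        findings.append(f"FTP reachable on port {ftp_port}")
    if telnet_port is not None and port_open(host, telnet_port):
        findings.append(f"Telnet reachable on port {telnet_port}")
    return findings


# --- constructed mock dashboard so the audit can be exercised offline ---
class _MockDashboard(BaseHTTPRequestHandler):
    valid = ("owner", "changed")  # overridden per server by start_mock_dashboard

    def do_GET(self):
        expected = "Basic " + base64.b64encode(":".join(self.valid).encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<h1>Wash control</h1>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="wash"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_dashboard(valid_creds):
    """Start a Basic-auth HTTP server on an ephemeral localhost port."""
    handler = type("MockHandler", (_MockDashboard,), {"valid": valid_creds})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Placeholder credentials; NOT PDQ's real defaults (an assumption for the demo).
    PLACEHOLDER_DEFAULTS = [("owner", "owner")]
    for label, creds in (("unchanged", ("owner", "owner")),
                         ("rotated", ("owner", "S3cure-Wash!"))):
        srv = start_mock_dashboard(creds)
        port = srv.server_address[1]
        print(label, audit("127.0.0.1", port, PLACEHOLDER_DEFAULTS,
                           ftp_port=None, telnet_port=None))
        srv.shutdown()
```

Against a real controller you would call `audit("<controller-ip>", 80, [...])` with the credential pairs from the device’s documentation and leave the FTP/Telnet ports at their defaults; an empty findings list is the result you want, and any "reachable" finding for FTP or Telnet means those services should be firewalled off regardless of the password.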
This is why people should take better care of their investments that connect to the internet. I know the PDQ company did not state this in their User’s Manual or Operation Guide, but they must state it: change your default usernames and passwords to more secure ones!
Thanks for reading.