Students Discover Major Flaw in CSC ServiceWorks Laundry Payment System
Students Alexander Sherbrooke and Iakov Taranenko from the University of California, Santa Cruz, discovered a critical vulnerability in the payment system of CSC ServiceWorks laundries, allowing anyone to use the machines for free. Despite the students’ repeated attempts to notify the company, the issue remains unresolved. TechCrunch reported on the situation after speaking with the students.
In January, Sherbrooke was sitting on the laundry room floor with his laptop when he realized the extent of the problem. He ran a script that commanded the machine to start washing, even though his account balance was $0. The machine immediately responded, emitting a loud signal and indicating it was ready to wash (all that was left was to press “START”). In another instance, the students added several million dollars to one of their accounts in the CSC Go mobile app.
CSC ServiceWorks operates over a million laundry machines in hotels, universities, and residential complexes worldwide. However, the company lacks a dedicated page for reporting vulnerabilities, and the students sent messages through the feedback form on the website. They also called the company, but all attempts to contact CSC were unsuccessful.
The students reported their findings to the CERT Coordination Center at Carnegie Mellon University, which helps researchers disclose vulnerabilities and suggest solutions. However, more than three months have passed, and the issue remains unresolved. Their research was presented at a university cybersecurity club meeting in early May.
It was also noted that CSC publishes a list of commands for connecting to all of its networked washing machines.
It is unclear who is responsible for cybersecurity at CSC, and company representatives did not respond to TechCrunch’s inquiries. The vulnerability is linked to the API of the CSC Go mobile app, which allows users to top up their accounts and start washing. The students discovered that CSC’s servers could be tricked by sending commands to alter the account balance because security checks are performed on the user’s device, not on the server.
By analyzing network traffic, the students bypassed the app’s security checks and sent commands directly to CSC’s servers, enabling them to start washing without adding real money to their account. Additionally, CSC’s servers do not verify whether a new account belongs to a real person, allowing the creation of fake accounts.
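To make the design flaw described above concrete, here is an added, hypothetical illustration (not CSC's code and not the students' script): a toy payment API that trusts the balance and the check result reported by the client, beside a version that keeps the balance, the price check and the top-up verification on the server. The request fields, the price and the payment-gateway callback are assumptions.

```python
"""Constructed example: client-trusted balance vs. server-held balance."""
from dataclasses import dataclass

CYCLE_PRICE_CENTS = 250  # assumed sample price of one wash cycle


@dataclass
class Account:
    balance_cents: int = 0


class VulnerableServer:
    """Anti-pattern: the balance and the 'can pay' decision come from the device."""

    def __init__(self):
        self.accounts = {}

    def start_cycle(self, user: str, request: dict) -> str:
        acct = self.accounts.setdefault(user, Account())
        # BUG: whatever balance the client claims is written back unchecked,
        # and the affordability check is the client's own verdict.
        acct.balance_cents = request.get("balance_cents", acct.balance_cents)
        return "START_READY" if request.get("client_check_passed") else "DECLINED"


class HardenedServer:
    """Fix: money state lives only on the server; clients cannot set it."""

    def __init__(self, verify_payment):
        self.accounts = {}
        # Callback that validates a payment token with the processor and
        # returns the settled amount in cents, or None if it is not genuine.
        self._verify_payment = verify_payment

    def top_up(self, user: str, payment_token: str) -> bool:
        amount = self._verify_payment(payment_token)
        if amount is None or amount <= 0:
            return False  # unverified or malformed payment: balance unchanged
        self.accounts.setdefault(user, Account()).balance_cents += amount
        return True

    def start_cycle(self, user: str, request: dict) -> str:
        # Any money-related fields in the request are ignored on purpose.
        acct = self.accounts.setdefault(user, Account())
        if acct.balance_cents < CYCLE_PRICE_CENTS:
            return "DECLINED"
        acct.balance_cents -= CYCLE_PRICE_CENTS  # debit happens server-side
        return "START_READY"
```

The same forged request that succeeds against `VulnerableServer` is declined by `HardenedServer` until a payment the server itself has verified is credited.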
The researchers warn that such a vulnerability could have serious consequences, especially if malicious actors gain access to heavy equipment connected to the internet. Although starting a wash cycle requires physically pressing a button on the machine, the settings can be reset.
After reporting the vulnerability, the company invalidated the students’ account balances but did not address the core issue. Taranenko expressed frustration that the company ignored their warnings.
“I just don’t get how a company that large makes those types of mistakes, then has no way of contacting them. Worst-case scenario, people can easily load up their wallets and the company loses a ton of money. Why not spend a bare minimum of having a single monitored security email inbox for this type of situation?” Taranenko said.
The students stated that despite the lack of response from CSC, they remain enthusiastic and are willing to wait for support to address the issue.