PDQ Manufacturing, Inc. LaserWash / Digi, Ludlum, and Mirion

By Mark Perry on August 2, 2017

PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch

“IoT,” or the “internet of things,” does not just refer to a coffee maker or refrigerator that can post to Facebook or Twitter; it also refers to larger appliances like the car washes you see at the gas station. This was the case when researchers Billy Rios and Jonathan Butts heard about a misconfigured LaserWash and a mechanical arm that reached out and doused an occupant with water. After looking further into this system, the researchers found that these LaserWash car wash systems were indeed internet-facing and negligently contained default or easily guessable passwords. After they breached the system, they were able to find areas that manipulated the mechanics of the entire LaserWash car wash, including things like the bay doors, control of the infrared sensors, and direct control of the spray arms. This seemed harmless enough until the researchers showed a video of the bay doors crashing into a car windshield as it entered the car wash. This video was captured by the internal video system and could be posted instantly to a Facebook or Twitter feed automagically. The researchers previously reached out to PDQ Manufacturing to disclose their findings but did not get a response, and instead publicly disclosed this information at BlackHat 2017. Because this issue is so widespread and has the potential for physical harm to people, ICS-CERT has issued an advisory (ICSA-17-208-03) and has given this vulnerability a CVSS3 score of 9.4.

The following versions of the LaserWash, Laser Jet, and ProTouch in-bay automatic car wash systems are affected:
LaserWash G5 and G5 S Series all versions,
LaserWash M5, all versions,
LaserWash 360 and 360 Plus, all versions,
LaserWash AutoXpress and AutoExpress Plus, all versions,
LaserJet, all versions,
ProTouch Tandem, all versions,
ProTouch ICON, all versions, and
ProTouch AutoGloss, all versions.

 

(Update)
PDQ Manufacturing spokesperson Todd Klitzke released the following statement:
“PDQ takes safety and security issues very seriously. We have contacted our customers and distributors to outline steps that should be taken to strengthen their security and significantly reduce the risk of an unlawful intrusion. As we have advised our customers, all systems - especially internet-connected ones - must be configured with security in mind, including by ensuring that the systems are behind a network firewall and all default passwords are changed. Our technical support team is also standing by to support our customers as needed. We are diligently working on a software update, and will collaborate with the Department of Homeland Security’s ICS-CERT on amending its advisory when that update is available.”

Digi, Ludlum, and Mirion

Continuing the theme of vulnerable IoT devices, researcher Ruben Santamarta uncovered vulnerabilities in radioactivity sensors made to detect and prevent radioactive contamination. The first sensor he looked at is a common model found in nuclear power plants; the next models are used at various checkpoints. These sensors are commonly called “gate” monitoring systems and are found at vehicle inspection points, including border crossing points. These devices do not deal directly with radiation and are just sensors, so at first their being vulnerable to manipulation doesn’t seem like that big of a deal. Let’s refer back to Three Mile Island, where a faulty sensor caused a false read and ended in a nuclear meltdown in 1979. Ruben was sure that malicious leverage of this vulnerability could lead to something similar. The first model he researched was the Model 53 Gamma Personnel Portal from Ludlum. He found a default backdoor password. This vulnerability could allow an attacker to take control of the system and disable the device, preventing any alarms from going off. The next model was another Ludlum monitor, in this case the Model 4525. Ruben found that these devices communicated in plain text over ports such as 20034/UDP and 23/TCP and lacked any type of security measure, which could allow an attacker to gain enough information to change the devices’ network settings and to send false information to the alarm system, effectively disabling it or triggering the alarm to induce an evacuation, buying time for other malicious attacks to take place. Digi models were susceptible to firmware reverse engineering, allowing hackers to modify the firmware for their own ends. Ruben reached out to the vendors to disclose his findings but did not get a response and publicly disclosed this information at BlackHat 2017.
Because this issue is so widespread and has the potential for human harm, ICS-CERT has issued an advisory (ICSA-17-208-02) and has given this vulnerability a CVSS3 score of 5.0.

(Update)
Digi – acknowledged the report, but will not fix the issues as they do not consider them security issues.
Ludlum – acknowledged the report, but refused to address the issues. According to them, these devices are located in secure facilities, which is enough to prevent exploitation.
Mirion – acknowledged the vulnerabilities, but will not patch them as it would break WRM2 interoperability. Mirion contacted their customers to warn of this situation. They will work in the future to add additional security measures.