News is breaking that two students uncovered an exploitable security bug within CSC ServiceWorks’ systems that could let millions do their laundry for free. In cybersecurity, ignoring warnings is like throwing a red sock in with your whites – you’re just asking for trouble.
Katie Paxton-Fear, API Security Researcher, Traceable AI
“IoT security vulnerabilities via APIs are very common. When you connect an IoT device like a lightbulb, camera or, in this case, a laundry machine, in order to let you turn your lights off when the sun sets or check your security cameras when you’re not at home, you need some way of talking to your device via the internet. APIs are a crucial piece of technology giving you control over your smart devices by exposing some of their functionality to the internet. In theory, these APIs should have proper login and authentication mechanisms, but manufacturers are still behind. Regulators have started to notice, as new laws in countries like the UK specifically (the Product Security and Telecommunications Infrastructure Act, or PSTI Act) require smart devices to have authentication mechanisms and a way of reporting security issues. Without a response and with no idea whether the organization had received their report, the students were left to publish it publicly so customers of CSC could take action. While regulation catches up in other countries, it’s important that every organization has a way to report security flaws and a process for resolving them and communicating with the finder so they know it’s being fixed.”
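The pattern Paxton-Fear describes, an internet-facing device API whose control function is reachable without proper authentication and trusts what the client asserts, next to a hardened version of the same endpoint. This is an added example written for this page; it is not code from the article, from Traceable AI or from CSC ServiceWorks, whose actual bug the article does not describe. The account ids, balances, passwords, machine names and the `login`/`start_cycle_*` functions are all constructed for illustration.

```python
"""Toy pay-per-use machine API: the insecure pattern (no credential, the
client claims it has paid) beside a hardened handler (session token bound
to an account, payment settled from server-side state).  Everything here
is constructed for illustration."""

import hmac
import secrets

# Constructed server-side state: hypothetical account ids and balances in cents.
ACCOUNTS = {"acct-1": 300, "acct-2": 100}
CYCLE_PRICE_CENTS = 175          # hypothetical price of one machine cycle
SESSIONS = {}                    # session token -> account id, filled by login()

# Constructed credential store.  A real service stores salted password hashes;
# plain text is used only to keep the example short.
PASSWORDS = {"acct-1": "correct horse", "acct-2": "battery staple"}


def start_cycle_insecure(request):
    """The pattern the quote warns about: the endpoint is reachable from the
    internet, requires no credential, and trusts a client-controlled field."""
    if request.get("paid"):                    # asserted by the client, never verified
        return {"ok": True, "machine": request["machine"]}
    return {"ok": False, "error": "payment required"}


def login(account_id, password):
    """Verify the password in constant time and return a random session token
    bound to the account, or None if the credentials are wrong."""
    expected = PASSWORDS.get(account_id)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def start_cycle_secure(token, machine_id):
    """Hardened handler: authenticate the caller first, then debit the account
    from server-side state.  The client supplies only the machine it wants."""
    account_id = SESSIONS.get(token)
    if account_id is None:
        return {"ok": False, "error": "unauthenticated"}
    balance = ACCOUNTS[account_id]
    if balance < CYCLE_PRICE_CENTS:
        return {"ok": False, "error": "insufficient funds"}
    ACCOUNTS[account_id] = balance - CYCLE_PRICE_CENTS   # debit before releasing the machine
    return {"ok": True, "machine": machine_id, "remaining_cents": ACCOUNTS[account_id]}


if __name__ == "__main__":
    # Forged request: no credential at all, "paid" asserted by the client.
    print(start_cycle_insecure({"machine": "washer-7", "paid": True}))
    # The same attempt against the hardened handler, with no session, is refused.
    print(start_cycle_secure("", "washer-7"))
    tok = login("acct-1", "correct horse")
    print(start_cycle_secure(tok, "washer-7"))   # debits 175 cents, 125 remain
    print(start_cycle_secure(tok, "washer-7"))   # 125 < 175, refused
```

The two properties the hardened handler adds are the ones the quote says device APIs often lack: the request must carry a credential the server issued (authentication), and the decision to run the machine rests on state the server owns, not on a flag the client sends (authorization). Either one missing reproduces the free-service outcome the article reports.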