Killer Car Wash: Hackers Can Trap and Attack Vehicles
In the cheesy 1980s film Maximum Overdrive, a passing comet causes machines to rise up and attack the humans who once controlled them. Well, don’t look now but something like that came to pass in a car wash in Washington state.
At the car wash, hackers hijacked the Internet-enabled PDQ LaserWash system in order to slam shut the outside doors, and trap a pick-up inside. The attackers also proved they were able to take over the mechanical arms inside the car wash and direct a powerful stream of water at the vehicle’s door to prevent the occupant from exiting.
In a variation of the attack, the hackers showed they could use their control over the outside car wash doors to keep the driver inside:
“An attacker can send an instantaneous command to close one or both doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times as a driver tries to flee,” described Motherboard, which reported on the killer car wash.
Fortunately for the pick-up driver (and humanity), the hackers in question were researchers who persuaded the owner of the car wash to let them hijack the PDQ LaserWash and attack the truck. The researchers, who will present their findings at the Black Hat security conference this week, say they’ve shared their findings with the Department of Homeland Security.
They also informed the car wash vendor about the software vulnerability that allowed them to take over the PDQ LaserWash’s controls.
The vulnerability in question relates to the default password settings on the system's Internet-facing controls: when left unchanged, they can let hackers gain control. This security defect is the same one that afflicts many Internet-enabled consumer products, especially security cameras and printers, and that has let hackers take control of millions of unsecured devices.
More broadly, the car wash hack shows the danger of the so-called Internet of things, which has allowed hackers to expand their mischief far beyond computers and target everything from light bulbs to cars.
In the case of the car wash, the hackers were benign. But it still feels like it won’t be long before we start seeing scenes like those from Maximum Overdrive in real life.
All of this, too, is a reminder for everyone—from consumers to car wash owners—to practice good cyber hygiene and change those default passwords.