Car washes can be hacked to hit vehicles and threaten passengers

Updated: 

Security researchers have discovered that machine car washes, connected to the internet, may be able to get hacked and subsequently attack vehicles and passengers.

Vulnerabilities in software may allow hackers to open and close the outside doors of a vehicle and trap occupants, hit the car, and even spray passengers with the system's mechanical washing arm. The researchers have been prompted to inform the U.S Department of Homeland Security of their findings.


According to a report by technology website Vice Motherboard, Billy Rios, the founder of security research firm Whitescope, conducted the investigation with Jonathan Butts of QED Secure Solutions. They discussed their findings at the Black Hat security conference which happened in Las Vegas this week.

The research was focused on the PDQ LaserWash, a fully autonomous touchless car wash system. They are particularly popular in the US because they don't require attendants. Despite this, not all PDQ car washes are online, and are therefore not affected by the possible hack.

Rios is said to have become interested in car washes after hearing from a friend about a misconfigured one, which caused a family to be doused by water and have their car damaged.

The researchers were able to bypass the process of authentication. Sensors which are meant to prevent damage were altered, with the mechanical arm of the car wash manipulated to hit a vehicle.

Billy Rios told Motherboard: "We believe this to be the first exploit of a connected device that causes the device to physically attack someone."

By Ted Welford