Was Your Wash Hacked?

[rph9168]

Found this article and wondered if anyone had experienced a problem from hacking.

http://www.darkreading.com/vulnerab...at-the-car-wash-yeah/d/d-id/1319156?_mc=sm_dr

 

[soapy]

i do not have any of mine hooked up to the internet so I am not worried about this. I do know of one large chain that offered the monthly unlimited wash program where they bill customers credit cards at the beginning of every month that got hacked. All the credit cards where kept in a file for the monthly billing and this data based was hacked leading to a bunch of stolen information. I wondered how these washes remain PCI compliant when you are not supposed to retain CC information like this. If it proves they are not PCI compliant it could lead to a pretty hefty bill since they would be liable for the bogus charges on the cards.

 

[BBE]

Yes, I had a DDOS attack on port 80 of my tandem. If port 80 which is the standard HTTP port, was left forwarded to the tandems IP address it would flood the machine with remote control commands such as bridge forward, brdige backward, etc..

 

[slash007]

I had trouble accessing my server and finally figured out that my dns servers had be re-routed to somewhere in China! Got it fixed, but definitely kept me on guard for the future.

 

[koliver]

A couple notes on this as it mentions PDQ specifically:

1) If you have a gateway from PDQ, it has the built in security of a firewall and a password protected VPN configuration. The default password on the VPN connection should be changed.

2) The default logins for the car wash that are printed in our manuals should be changed at your sites. There is a login for an owner and a tech. Both should be changed.

3) There is a remote control password that can be enabled on the owner information screen on most of our equipment. This would prevent the issuing of remote control commands without the use of this 4-digit pin.

 

[BBE]

A couple notes on this as it mentions PDQ specifically:

1) If you have a gateway from PDQ, it has the built in security of a firewall and a password protected VPN configuration. The default password on the VPN connection should be changed.

2) The default logins for the car wash that are printed in our manuals should be changed at your sites. There is a login for an owner and a tech. Both should be changed.

3) There is a remote control password that can be enabled on the owner information screen on most of our equipment. This would prevent the issuing of remote control commands without the use of this 4-digit pin.

Thanks Kris. I had wondered about the default logins being able to be changed, as I assumed that every machine had the same login, and that may not be the most secure thing. It is good to know that this can actually be done. Would this be something I would contact PDQ for, or can it be done on an user level?

 

[koliver]

You should be able to make the changes yourself. If you have any questions, don't hesitate to give our tech service group a call and they can walk you through this.