A pair of university students say they found and reported earlier this year a security flaw allowing anyone to avoid paying for laundry provided by over a million internet-connected laundry machines in residences and college campuses around the world.

Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.

UC Santa Cruz students Alexander Sherbrooke and Lakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.

Sherbrooke said he was sitting on the floor of his basement laundry room in the early hours one January morning with his laptop in hand and “suddenly having an ‘oh s—’ moment.” From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating the machine was ready to wash a free load of laundry.

Continue reading on TechCrunch