Researchers say they have found a way to hack an internet-enabled carwash and make it “attack” users.
They warned criminals could easily exploit the Laserwash car washes, making their doors close too early or their roller arms crush the tops of cars.
They also claimed the manufacturer PDQ ignored warnings about the risks for two years.
PDQ said it was urgently investigating the issues.
Laserwash installations can be remotely monitored and controlled by their owners via a web-based user interface.
However, in a presentation at the Black Hat conference in Las Vegas, Billy Rios of security firm Whitescope and Jonathan Butts from the International Federation for Information Processing showed how easily the system could be hijacked.
Firstly, they warned that Microsoft no longer supported the washers’ Windows Embedded Compact control systems.
Because unsupported software no longer receives security fixes, hackers might be able to exploit hidden loopholes.
More worryingly, they managed to hack into an actual carwash by using the default password “12345”.
Once logged in they found they could control it in a dangerous manner.
“We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash,” Mr Rios said.
In their talk the pair showed how they would be able to close carwash doors on a car entering the washer.
They also showed how they could make the roller arms “come down much lower” and crush the roof of a car, provided there were no mechanical barriers in place.
The pair shared their findings with PDQ in February 2015, but the firm only replied to their emails this year.
In an email to The Register website, PDQ spokesman Todd Klitzke said the firm had alerted its customers.
“As we have advised… all systems – especially internet-connected ones – must be configured with security in mind.
“This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed.”
In a separate incident, a nine-year-old boy is facing charges in the US after an Amazon Alexa device captured his voice during a burglary.
The Alexa is a smart speaker that can be voice activated.
According to the Gloucester Times, items including an iPhone, cash and an Alexa were stolen from a woman’s home in Massachusetts.
The homeowner subsequently gave police an Alexa audio recording alleged to sound like her neighbour’s son.
After police spoke to the child, he admitted to breaking into the woman’s home on three separate occasions, the paper reported.
The boy, who has returned all of the stolen goods, will face charges in juvenile court.