The security problems found in internet-enabled medical equipment and cars in recent years have raised a lot of awareness about the public safety risks of connected devices. But it's not just life-saving implements and fast-moving vehicles that pose potential harm.

A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the systems to physically attack vehicles and their occupants. The vulnerabilities would let an attacker open and close the bay doors on a car wash to trap vehicles inside the chamber, or strike them with the doors, damaging them and possibly injuring occupants.

"We believe this to be the first exploit of a connected device that causes the device to physically attack someone," Billy Rios, the founder of Whitescope security, told Motherboard. Rios conducted the research with Jonathan Butts of QED Secure Solutions. They plan to discuss their findings this week at the Black Hat security conference in Las Vegas.

Rios, working at times alone and with colleagues, has exposed many security problems over the years in drug-infusion pumps that deliver medicine to hospital patients; in airport x-ray machines designed to detect weapons; and in building systems that control electronic door locks, alarm systems, lights, elevators, and video surveillance cameras.

An attacker can send an instantaneous command to close one or both doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times as a driver tries to flee.

This time his focus was on the PDQ LaserWash, a fully-automated, brushless, touchless car wash system that sprays water and wax through a mechanical arm that moves around a vehicle. PDQ car washes are popular throughout the US because they don't require attendants to operate. Many of the facilities have bay doors at the entrance and exit that can be programmed to automatically open and close at the start and end of a day, and a touchscreen menu that allows drivers to choose their cleaning package without interacting with any workers.

The systems run on Windows CE and have a built-in web server that lets technicians configure and monitor them over the internet. And herein lies the problem.

Rios says he became interested in the car washes after hearing from a friend about an accident that occurred years ago when technicians misconfigured one in a way that caused the mechanical arm to strike a minivan and douse the family inside with water. The driver damaged the vehicle and car wash as he accelerated quickly to escape.

A successful trip through the car wash. Researchers could not obtain permission to publish video of the hack from car wash owners.

Rios and McCorkle examined the PDQ software two years ago and presented their findings about vulnerabilities at the Kaspersky Security Summit in Mexico in 2015. Although they believed the vulnerabilities would allow them to hijack a system, they weren't able to test the theory against an actual car wash until this year when a facility in Washington state agreed to cooperate, using the researchers' own pickup truck as the victim.

Although the PDQ systems require a username and password to access them online, the default password is easily guessed, the researchers said. They also found a vulnerability in the implementation of the authentication process, making it possible to bypass it. Not all PDQ systems are online, but the researchers found more than 150 that were, using the Shodan search engine that searches for devices connected to the internet, such as webcams, printers, industrial control systems, and, in this case, car washes.

They could also manipulate the mechanical arm to hit the vehicle or spew water continuously, making it difficult for a trapped occupant to exit the car.

They wrote a fully automated attack script that bypasses authentication, monitors when a vehicle is getting ready to exit the wash chamber and cause the exit door to strike the vehicle at the appropriate time. All an attacker has to do is choose the IP address for the car wash they want to attack, then launch the script. The car wash's software tracks where a carwash is in its cycle, making it easy to know when the wash is about to end and a vehicle to exit. An attacker can send an instantaneous command to close one or both doors to trap the vehicle inside, or open and close one door repeatedly to strike the vehicle a number of times as a driver tries to flee.

Although infrared sensors detect when something is in a door's path to prevent this from happening, the researchers were able to cause the system to ignore the sensors. They could also manipulate the mechanical arm to hit the vehicle or spew water continuously, making it difficult for a trapped occupant to exit the car. They didn't try this during their live tests, however, to avoid damaging the arm.

A software-based safety mechanism prevents the arm from hitting a vehicle normally, but they were able to disable this, too.

"If you're relying purely on software safety, it's not going to work if there's an exploit in play," Rios said in an interview. "The only thing that's going to work [in this scenario] is hardware safety mechanisms."

Although the researchers filmed the tests with a mobile phone, the car wash owner won't let them publish the video.

This isn't the first time someone has hijacked a robotics system. In May, researchers at Trend Micro showed how they could recalibrate a robotic arm used in manufacturing plants to alter its movement. But the car wash attack has "broader potential impact to the masses," Rios said. "There aren't actually that many things … that are in the public space… and can [be made to] hit you."

The researchers reported their findings to the Department of Homeland Security and the vendor and are releasing a report this week in conjunction with their Black Hat talk.

A spokesperson for PDQ told Motherboard in an email that it is "aware" of the Black Hat talk and is working on investigating and fixing the security issues with the system.

"All systems—especially internet-connected ones—must be configured with security in mind," Gerald Hanrahan of PDQ wrote. "This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed. Our technical support team is standing ready to discuss these issues with any of our customers."