This project exists to document and demonstrate vulnerabilities in wireless payment terminals used by commercial laundry equipment. The goal is responsible disclosure and improved security for all users.
The research covers:
- BLE GATT communication between mobile apps and payment terminals
- Firebase Realtime Database access controls
- Authentication token handling and credential storage
- Device provisioning and secret management
| ID | Severity | Summary |
|---|---|---|
| AW-01 | Critical | Device activation secrets stored in plaintext in Firebase and never rotated |
| AW-02 | High | BLE commands transmitted as cleartext ASCII with no encryption or signing |
| AW-03 | High | No mutual authentication between app and terminal |
| AW-04 | Medium | Firebase database rules allow any authenticated user to enumerate all locations |
| AW-05 | Medium | No coupling between payment confirmation and physical activation command |
If you discover additional vulnerabilities, please report them to the equipment vendor before publishing. Allow a reasonable remediation window (90 days is standard).
This tool is provided for authorized security research only. Users are responsible for ensuring they have proper authorization before testing any systems they do not own.