Dishwasher has directory traversal bug

Thanks a Miele-on for making everything dangerous, Internet of Things firmware slackers


Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning.

The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka "Miele Professional PG 8528 - Web Server Directory Traversal.” This is the builtin web server that's used to remotely control the glassware-cleaning machine from a browser.

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks,” reads the notice, dated Friday.

Proving it for yourself is simple: Using a basic HTTP GET, fetch...

/../../../../../../../../../../../../etc/shadow

...from whichever IP address the dishwasher has on your network to reveal the shadow password file on its file system. That's pretty sad.

Directory traversal attacks let miscreants access directories and data they really shouldn't be able to reach, such as sensitive configuration files and similar stuff. This information can be exploited to potentially wrest control of the at-risk system. In other words, you can use this traversal vulnerability to gain a foothold to potentially hijack the machine and infect it with malware.

It's unclear which libraries or software components Miele used to craft the web server in the dishwasher's firmware. The PG 8528, which boasts "remote service" features and is designed for restaurants and bars, appears to be running a form of embedded Linux. Without a fix from the vendor – for a professional dishwasher – the best option is to make sure the appliance isn't exposed directly to the internet, or otherwise firewall it off from other devices.

And because Miele is an appliance company and not a pure-play IT company, it doesn't have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher's web server vuln – Jens Regel of German company Schneider-Wulf – complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.

Appliance makers: stop trying to connect stuff to networks, you're no good at it. ®

Bootnote

The researcher who discovered the bug, Jens Regel, has stressed that the vulnerable Miele unit is not a household dishwasher, but a commercial-level washer and disinfector. To our mind, that's as bad, if not worse: it's a vulnerability in a business-critical device, still without appropriate attention or responsiveness to security issues.


Other stories you might like

  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Continue reading

Biting the hand that feeds IT © 1998–2021