This is the dishwasher with an unsecured web server we deserve

Why wouldn't you want to have your restaurant's dishwasher hooked onto the internet at large?
Written by Chris Duckett, Contributor
(Image: Miele)

In 2017, previous prognostications of Refrigergeddon -- where the internet of vulnerable things begins to turn malicious -- may have landed on the wrong whitegood, with manufacturer Miele showing how Washergeddon could start.

Over the weekend, CVE-2017-7240 appeared from Jens Regel of Schneider & Wulf, who said he found a directory traversal vulnerability on a Miele Professional PG 8528 appliance.

"The corresponding embeded webserver 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks," Regel said.

According to Regel, he was able to request the embedded system's shadow file -- and by extension any file on the filesystem -- and after making contact with Miele, did not hear back from them for over three months.

"We are not aware of an actual fix," Regel wrote.

On the Miele page for the product in question, it describes how an ethernet connection is used to retrieve text reports from the machine.

"The ethernet interface is the universal solution for data exchange," it states. "In comparison with other interfaces the user is offered a particularly high level of functionality."

Each washer comes with a 5m cable to allow the device to have connectivity, with the product's user manual offering these reassuring words: "Only Miele Technical Service may connect the cable to another interface".

The security situation of IoT is unlikely to improve anytime soon, with Mikko Hyppönen, chief research officer at F-Secure, saying last week manufacturers will continue putting cheap hardware into their devices to collect data.

"The price of turning a dumb device into a smart device will be 10 cents," Hyppönen said.

"It's going to be so cheap that vendors will put the chip in any device, even if the benefits are only very small. But those benefits won't be benefits to you, the consumer -- they'll be benefits for the manufacturers because they want to collect analytics."

"The IoT devices of the future won't go online to benefit you -- you won't even know that it's an IoT device."

Whenever the Washergeddon cycle begins, one thing is clear, it is not going to be pretty.

Editorial standards