
Dishwasher has directory traversal bug - protomyth
https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/?mt=1490573864407
======
cperciva
Remember, the S in IoT stands for "Security".

------
edmccard
If you're wondering what this "dishwasher" (actually a laboratory glassware
washer) really looks like, here's its product page:

[http://www.miele-pro.com/us/prof/products/14071_16161.htm](http://www.miele-pro.com/us/prof/products/14071_16161.htm)

------
hoodoof
How does your dishwasher get onto your home network?

~~~
wapz
When you follow the directions to set it up. I'm not sure if that was a
serious question or not.

------
peterwwillis
Anyone who buys a networked home appliance really deserves any problems they
create. But unfortunately, they'll eventually affect all the people who didn't
buy them, too.

~~~
aptwebapps
Someday soon the salesperson will ask you, "Botnet or no botnet?"

Actually, they'll probably start trying to sell you copies of Norton or McAfee
to keep it "safe" ...

~~~
a3n
I wonder when my clothes are going to start tweeting about when they were
cleaned. "Washed in my General Electric" like "Sent from my iPhone."

------
aptwebapps
Seems like there might be a market for some sort of universal IoT base unit
that could be sold and maintained by someone who knew what they were doing. It
could have a simple userland API and a simple external API, REST or otherwise,
and OTA update capability. We need a (competent) Cisco for IoT devices.

All of these various manufacturers are never going to get their act together.
Even if they do, individually, the additional costs are likely to make them
less competitive.

~~~
netsharc
Fascinating idea... offer GPIO ports to read (and write) signals, offer cheap
models ("2 GPIO ports? You got it!") to enterprise ones ("You want 1024 GPIO
ports? You got it!").

And sell the backend solution too for enterprises, and offer a hosting
solution for small scaled deployments. There's definitely a market for that.

And imagine if you're the Mark Zuckerberg ("They 'trust me'. Dumb f*cks.") of
all these devices. All that data...

------
DigitalSea
Why does everything need to be connected to the internet? Whatever happened to
just adding in a USB port or something so you can download the data if you
need it? Add in some storage and surely, a dishwasher doesn't need much
storage so it would alleviate the problem and surely be cheaper not having to
licence wifi.

~~~
bschwindHN
Why does a dishwasher need to have "storage" at all?

~~~
wapz
This is a medical dishwasher that keeps logs of all the washes (required by
hospitals somewhere). I do hope they are only used on private networks but I
don't know web security at all so I don't even know if that would protect
them.

------
flukus
What's the value of an internet connected dishwasher? All I can think of is
remotely starting it, but all the real world applications of this could be
handled by a delay start button. The other would be to tell you when it's
done, which isn't really something I've ever been concerned about.

Even industrial washers that require reporting on temperatures reached and
stuff like that don't really benefit from a connection.

~~~
catmanjan
I can see how load/fault data would be valuable to the manufacturer, but to a
consumer...?

------
blisterpeanuts
Why connectivity for a dishwasher? I can think of one or maybe two scenarios:

1 - send the owner an urgent email in the event of catastrophic failure, i.e.
drain blockage which might lead to overflow all over the kitchen floor.

2 - let owner know status of current cycle, in real time. Some people might
like to know that, though I'm not sure why. Usually you run the dishes at
night or during some open ended period of time so you don't have to care when
it finishes.

You could theoretically control the appliance with a computer or mobile
device. Why would you want to? Beats me, but it's one of those gimmicks that
might please some gadget-happy segment of the consumer market.

What evil things could a hacker do to your dishwasher? Make it start in the
middle of the night? Ruin the delicate plastic stuff?

I'd personally be very happy just to own a dishwasher that actually cleans
stuff. I've had several dishwashers and have yet to see one that cleans as
well as I can with my Scotch blue pad and Ajax.

~~~
flukus
> What evil things could a hacker do to your dishwasher? Make it start in the
> middle of the night? Ruin the delicate plastic stuff?

Waste a lot of water/electricity. Run cold water only so it doesn't disinfect.
Use it as a platform to attack other household devices. Most hackers would
only have a motivation for the latter.

~~~
taneliv
Or distribute illegal material.

------
crwalker
The FDA requires information panel labeling for most food: I think it's
reasonable to want to know roughly what we're eating.

I would not be surprised to see similar printed labeling requirements for IoT
devices, in bite sized chunks that are more standardized than a device-
specific EULA, e.g.:

This device runs on:

      firmware A (unaudited)
      web server B (UL approved)
      update expiry date: Jan 1, 2020

This device may:

      capture video, sound, and/or user input
      send user data to our servers
      send aggregated user data to 3rd parties

~~~
microcolonel
I think the solution is much simpler: don't put an open web server in your
dishwasher, and use standard authenticated, encrypted channels between the
application and the appliance so that at least only somebody with credentials
can use your dishwasher as an espionage device.

And failing that, some _Good Old All-American Common Law_ suits should do the
industry a world of good. This product surely has an implied warranty of some
kind.
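The bug class named in the title, directory traversal in an embedded web server's file handler, comes down to one missing check. The example below is added here and is not code from the thread or from Miele's firmware; the web root `/srv/appliance/www` and the sample request paths are constructed for illustration.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed web root for the example; the real appliance's layout is not
# known here and does not matter for the check itself.
WEB_ROOT = "/srv/appliance/www"


def resolve_unsafely(url_path: str) -> str:
    """The naive mapping that produces a directory traversal bug: the URL
    path is decoded and joined onto the web root, and the result is used
    as-is, so '..' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(url_path).lstrip("/")))


def resolve_safely(url_path: str) -> Optional[str]:
    """Decode once, collapse '.' and '..' segments, then confirm the
    result is still inside WEB_ROOT. Returns None for any request that
    escapes the root or carries a NUL byte (which truncates paths in
    C-based servers)."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    root = WEB_ROOT.rstrip("/")
    # Compare against root + "/" so a sibling like /srv/appliance/www2 is
    # not mistaken for a path under the root by a bare prefix test.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def audit(requests: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Show, for each request, where the naive and the checked resolver
    would read from. Useful as a unit test against a file handler."""
    return [(r, resolve_unsafely(r), resolve_safely(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests: one normal, one traversal, one URL-encoded
    # traversal, one with a NUL byte, one with a harmless '..' inside the root.
    for req, naive, checked in audit([
        "/index.html",
        "/../../../etc/passwd",
        "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/logs/%00/../../etc/passwd",
        "/css/../index.html",
    ]):
        print(f"{req!r:40} naive={naive!r:28} checked={checked!r}")
```

Note that the safe resolver decodes exactly once; a server that decodes again after this check reopens the hole with doubly-encoded segments.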

~~~
norea-armozel
Or even simpler: don't put any kind of writable software/firmware on the
dishwasher in the first place. Beyond maybe some scheduled washing options,
why does a dishwasher need to be IoT'd? Seriously, I think all this is meant to
pad the price of the appliances rather than give users an actual working
product.

~~~
dom0
This is a professional machine. See
[https://www.miele.de/professional/grossraum-reinigungs-und-d...](https://www.miele.de/professional/grossraum-reinigungs-und-desinfektionsautomaten-560.htm?mat=10339600&name=PG_8528)

Having an API totally makes sense here to have monitoring and error reporting.

~~~
norea-armozel
I can totally see something like that needing full programmatic capability,
but anything consumer grade should be read-only in terms of functionality. A
refrigerator in my home kitchen doesn't need an API to maintain temperature
within an acceptable range vs electrical consumption, whereas a warehouse
refrigerator does (like those that might be part of a smart grid agreement to
give over control to utilities with a price discount as a benefit).

------
_xgw
What's the worst thing that could happen from someone exploiting this
vulnerability?

~~~
crystalPalace
A malicious actor could add the dishwasher to their botnet and conduct DDOS
attacks or distribute spam. You could also use the server as a proxy or as an
attack vector into whatever network the dishwasher is connected to.

~~~
aptwebapps
As long as we're speculating, depending on the controls afforded, you could
possibly break it or damage a load. Could even be a bit dangerous.

------
markwakeford
This is a commercial medical laboratory Washer-disinfector. The reporting is
most likely mandated based on its usage in a medical setting. Some of these
devices print out reports that are required to be stored. I suppose this would
allow them to easily keep those records paperless.

I am in no way justifying the lack of security but I think it's important to
understand that it's unlikely to be opened up for a free-for-all connected to
the public internet.

~~~
kijin
> it's unlikely to be opened up for a free-for-all connected to the public
> internet.

Unfortunately, that kind of thought process is how you end up with dozens of
vulnerable devices connected to a hospital intranet. Everything works fine as
long as nobody tries anything fishy, but all you need is one device with a
buggy Bluetooth implementation to bring down the whole house of cards and kill
a bunch of people.

~~~
i336_
Apologies for my denseness, but how could buggy Bluetooth bring everything
down?

I vaguely recall something about a faulty hospital device with Bluetooth or
Wi-Fi being posted here a little while ago, but I'm not certain.

~~~
kijin
Buggy means vulnerable in this context. A vulnerability in the Bluetooth or
Wi-Fi stack is a good way for someone to compromise a machine remotely.

Once you compromise one machine, you're inside the firewall and in a much
better position to exploit vulnerabilities in other machines in the network.

