Dishwasher has directory traversal bug

Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …


  1. Gene Cash Silver badge

    [checks date - nope, not April 1st]

    [mixes very large drink - ponders 35 year old dishwasher run by clockwork]

    I'll just mention these twits are @MieleProf, @MielePro_GB, @MieleProUSA, @Miele_Press, @Miele_GB, and @MieleUSA. Yup, they're Web 2.0 run rampant.

    1. big_D Silver badge

      If so-called tech companies give up on patching a smartphone after 3 - 6 months in many cases, what chance does an IoT white good have in 10 to 20 years?

      In most cases, there just isn't any benefit to having white goods attached to the internet. What is it supposed to tell me? I can't start it until I have manually filled it up and it already turns itself off, when it is finished.

      Mine has a little light for salt and another for clear rinse, which light up when they need refilling... I just don't see the need for these things.

      1. Anonymous Coward
        Anonymous Coward

        its obviously on the dirty network

        and just as bad as all the connected cars - I have to pay £90 to just to update maps on mine let alone all the other crud/bloat attempting to become a subscription to tat service I already have perfectly well delivered on my phone for no extra charge.

        Why not just go old-school and give it a digital display!

        1. Spudley

          Re: its obviously on the dirty network

          and just as bad as all the connected cars - I have to pay £90 to just to update maps on mine

          We're straying off topic, but yeah, mine too. I laughed at them on the phone when they tried to tell me that price. I would say it's a racket, and it would be if they actually got anyone paying for these updates. But why would you do that when you can buy a new TomTom or Garmin for half that price, including updates, and with a better user interface.

          So not a racket; maybe just plain stupidity? If they're trying to sell the updates as a product, then they've clearly missed that lesson in high-school economics about supply and demand -- if they cut the price to £25, it's a pretty good bet they'd get more than four times as many sales. It's obvious really, so why do they price it so high?

          So not a racket and not stupidity. It's actually planned obsolescence. They don't want people to update the maps because they want them to go out of date. Because that will make the whole car feel more dated, which will prompt us to replace the car with a new one sooner than we might have done otherwise.

          Quite clever really. Depressingly cynical, but clever.

          1. regregular

            Re: its obviously on the dirty network

            Actually, they are milking the used car market. At least that is the reason I suspect for the higher end cars from volume manufacturers / the entire fleet from premium manufacturers.

            Most people who get to buy a brand new car and spec it to their needs automatically receive an "all-inclusive" deal for Telemetrics and Updates for 3-5 years. That is the deal for BMW and Mercedes, I would assume similar deals for other brands.

            The folks who can afford to buy those brand new will eventually, usually well within the free period, move on to a different brand car or a newer model, releasing the car to the used car market. And that is why this racket will keep working. Corporate does not care about a second hand owner, because they regularly do not earn any money with him. Second hand owner might shell out the cash for an update grudgingly, but will surely take oil changes and repairs or tire changes to the bloke round the corner. The only person to be taken seriously when bitching about this is first hand buyer, and he never noticed the racket due to his free period.

            It's quite well played...

            1. Anonymous Coward
              Anonymous Coward

              Re: its obviously on the dirty network

              Actually, they are milking the used car market. At least that is the reason I suspect for the higher end cars from volume manufacturers / the entire fleet from premium manufacturers.

              Reminds me of an article I read a few days ago about people hacking their tractors because of DMCA abuse to stop the use of non-original parts.

              It appears the scope of this ought to be extended considerably, provided it can be done responsibly (the use of inferior or even unsuitable materials can create a non-trivial risk). I always found the high cost of on-board GPS a bit artificial anyway, making updates cost so much strikes me as doubling the abuse.

              1. regregular

                Re: its obviously on the dirty network

                The article is indeed along similar lines, at least in terms of manufacturer strategy, although the deal with farm machinery is different - a purchase like that usually remains in use longer than passenger vehicles, and they don't change hands like used cars do.

                And yes, the same tricks are deployed by some car brands, and it is not even about cheap unsafe knock-off parts. There are ways to actually block minor, simple repairs / maintenance. Examples: BMW requires new batteries to be "learned" into the system after replacement, after an oil change the "nag counter" has to be reset etc. If access there is blocked your car might be just fine but keeps nagging you. Worse than that is automatic parking brake setting on some brands which can make replacing brake rotors / pads a pain, a dealership will just hook up their diagnostic tool and tell it to release the parking brake.

                This is not a safety "feature" but an attempt to lock people into the dealership rates, with ridiculous parts markups and hourly rates. Thankfully, for most of these nuisances the aftermarket quickly finds workarounds or hacks because demand is high.

          2. JimmyPage Silver badge
            Stop

            Re: you can buy a new TomTom or Garmin for half that price

            Why ?

            For the past 3 years I have happily used a smartphone for SatNav. My 2 Garmins (I had a stolen one returned by the police after I bought a second) sit in a drawer .....

            1. H.Winter

              Re: Why? (you can buy a new TomTom or Garmin for half that price)

              I much prefer a dedicated GPS device I can leave plugged into my vehicle for 2 reasons, no draining the battery on my phone, and I leave GPS/location services turned off on my phone.

      2. Named coward

        what chance does an IoT white good have in 10 to 20 years?...you really think modern white goods are made to last 10-20 years?

        1. Anonymous Coward
          Anonymous Coward

          "you really think modern white goods are made to last 10-20 years?"

          Yes. Some still are, as they've always been, and eg by the brand in question.

          https://www.miele.co.uk/domestic/enjoy-a-10-year-peace-of-mind-with-miele-3943.htm

          Not everything containing electronics is made by Apple. Miele is not trying to peddle you a new washing machine every year when the last model is out. They might suck at webservers, the rest of the hardware is still good.

          1. snoggs
            Thumb Up

            Non-obsolescence

            I bought my Miele dishwasher, washer, and dryer 17 years ago. They work great and never waste time on the Internet.

            1. Anonymous Coward
              Terminator

              Re: Non-obsolescence

              I bought my Miele dishwasher, washer, and dryer 17 years ago. They work great and never waste time on the Internet.

              Hah! Your next one will be busy cruising the IoT web and downloading machine-porn instead of working.

          2. Anonymous Coward
            Anonymous Coward

            "you really think modern white goods are made to last 10-20 years?"

            Yes, I do. In fact I'd say the design was defective if it didn't last at least 10 years.

            I *thought* our 8 year old dishwasher had died a few weeks ago when it decided to wet the kitchen floor. After getting out a screwdriver and spending an hour digging around, I managed to establish that the tube leading to the pressure switch that detects the water level was clogged up with gunk. 15 minutes later, I'd cleaned the part and the dishwasher was fully functional again.

            Saying that, like most things nowadays, the dishwasher was designed to a size envelope, not for repairability, so the job *could* have been easier, at the expense of the dishwasher not fitting into a standard sized hole.

        2. Hollerithevo

          Maytag does

          Our trusty stacking Maytag washer/dryer finally bit the dust after 17 years. Imported from the USA and sadly no longer made, so I had to settle for a Bosch that takes twice as long and doesn't dry the damn clothes properly. Let's see if these get to 7 years, let alone 17.

          1. Anonymous Coward
            Anonymous Coward

            Re: Maytag does

            I had to settle for a Bosch that takes twice as long and doesn't dry the damn clothes properly

            IME, Bosch (or rather BSH) machines are far, far better at washing than the Victorian junk peddled by Maytag. On the matter of drying, they certainly will stop you before you can bake every milligram of water from the clothing. But baking your clothes old style simply means they re-absorb water from the atmosphere the moment they come out of the machine (as well as being irretrievably creased).

            YMMV.

        3. scooternusa

          My circa 2003 General Electric dishwasher is still humming along like a champ fourteen years and counting without a single service call. Best dishwasher I've ever owned.

          1. FuzzyTheBear

            Whirlpool Hobart been in the house since 1978. Never failed once yet ... Norge fridge dated 1949 also still on the job. They made em to last a lifetime indeed and agreed Miele is doing great quality, imho, professional stuff, the network plug is one too many.

      3. Anonymous Coward
        Anonymous Coward

        big_D: "In most cases, there just isn't any benefit to having white goods attached to the internet. What is it supposed to tell me? I can't start it until I have manually filled it up and it already turns itself off, when it is finished."

        ... You appear to be looking for something that would be a benefit to you. Please make no mistake, in a lot of cases IoT is not about consumer benefit, it's about them:

        - Making it stand out in the store -- It has to have a bigger LCD panel than the competitor's model and some bright animation playing on it to draw you in - things that are actually no benefit to you, but higher numbers and larger sizes sell even when they are not relevant. I imagine that once more than half of dishwashers have a screen on them, there will even be some poor folk who will not consider buying one without a screen, even if they don't know why.

        - Letting them know how you use it -- They need to know when the salt is low, whether you skip putting rinse aid in, when it's due for a service etc. They can even kindly let you know after 11 months that you in fact bought the wrong model because you do two washes per day and as it happens they have made a newer model with a quicker wash cycle. How great would it be to have a d/w less than a year old displaying an advert for the d/w it wishes it was. And you can bet all those variables will be added into warranty contract so it's easier for them to say it's your fault the d/w broke because you used Aldi rinse aid, didn't top up the salt, and you should have bought the model which was fit for your usage case.

        The possibility that it might be some use to you during your period of ownership is the last thing they think about.

        1. fajensen
          Terminator

          Please make no mistake, in a lot of cases IoT is not about consumer benefit, it's about them:

          If "they" build a spectrometer into the unit, they can analyse the food you are eating and propose healthy options (while secretly procuring a life insurance on you before grassing you up to the insurers).

          If you use your machine for washing laboratory glassware, they can see what you are working on and front-run your patents - or narc on you.

        2. Anonymous Coward
          Anonymous Coward

          IoT is not about consumer benefit, it's about them:

          Put an LCD screen on the front and push out ads to your appliance?

          You know it's going to happen - unless it already is.

      4. JLV

        If it wasn't for a general dropping trend in burglary rates, then such unprotected devices would be very useful when casing houses, just by peeking at their usage. Script kiddie skill only.

        Assume a dishwasher runs once every 1-2 days. A house in summer time with more than a week since the last load is likely empty. Add that police, logically enough, typically don't prioritize responding to burglar alarms and you have 15-20 minutes to loot.

        1. Kiwi

          Add that police, logically enough, typically don't prioritize responding to burglar alarms and you have 15-20 minutes to loot.

          Even worse.. How many routers damn near automatically trust any access to their config system from inside the local network? These days, how many people are hooking their alarm and camera systems up to said router?

          Oh, and there's those nice doorlocks that talk to your phone via bluetooth or the local WiFi (if you're close enough to be on your local net, you're close enough for the door to be unlocked), and other ones that use NFC/RFID.. All of which are configured by a HTML/JS-based app on the device's internal webserver, which of course talks to anything in the localnet IP range...

          If you can run arbitrary code on a device linked to the local lan, it's feasible now in a lot of homes that you can take over the security of the home. And heating and other devices as well. Why, you could totally piss the owners off by starting their web-enabled at a time other than when they specified!

    2. Wensleydale Cheese

      This one gets my vote for Headline of the Year

      "[checks date - nope, not April 1st]"

      Still chuckling, as I type.

    3. The Man Who Fell To Earth Silver badge
      FAIL

      Can't find the IP Address of my pitchfork

      Guess it won't work now...

      1. herman

        Re: Can't find the IP Address of my pitchfork

        Well, what did you expect? You didn't pay for the updates to your pitchfork, so now the internet access expired. That's why, you cheapskate...

      2. David 132 Silver badge
        Joke

        Re: Can't find the IP Address of my pitchfork

        Dunno about my pitchfork, but this IoT madness has certainly spread to other things in my garden - I have a tree with root capability, and to make matters worse it runs on SAP...

    4. J. R. Hartley

      Web2.0rrhea at its finest.

    5. Kiwi
      Coat

      [checks date - nope, not April 1st]

      Actually, it is.

      Though I took 5 days to get around to reading this story...

  2. J P

    Bewildered. (That's grown-up speak for "wtf")

    Before I get too many downvotes, I do have tongue more or less in cheek on the title - but what follows is 100% serious.

    Until we have self loading dishwashers, how can they need internet access? We don't run them til they're loaded. Humans load them. Once they're full, we set them off. If we don't want them to clean the dishes straight away, they have a "delay" feature so we can run them when the Economy7 has kicked in/while the sun's up and our solar panels are providing the juice.

    Us humans put the salt, tablets & rinse-aid in. Needing internet access to order more rinse-aid etc when it's running low is (until the manufacturers can be trusted with anything sharper than a crayon or warmer than a cushion) a decidedly sub-optimal path.

    So why on earth do we need internet enabled dishwashers? "Because we can" is a valid human argument for scaling Everest (for those humans so inclined/capable) but letting household appliances loose on the internet "because we can" (rather than "because we need to") is lazy, foolish & pointless.

    1. aberglas

      Re: Bewildered. (That's grown-up speak for "wtf")

      To misquote Edmond Hillary, They are connected to the internet because it (the internet) is there.

      They can, um, ping your iphone when the dishes are done. Let you check that the kids have run the dishwasher from work. Keep statistics about powder usage. Disable the machine if it is found to be used by terrorists. The possibilities are only limited by your imagination...

      The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice.

      1. JeffyPoooh
        Pint

        Re: Bewildered. (That's grown-up speak for "wtf")

        "The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice."

        If you simply fail to inform your inevitable IoT dishwasher of the password for your household Wi-Fi hotspot, then it's significantly less likely to actually connect.

        If your dishwasher starts cracking router passwords, then it's time to call in Sarah Conner.

        1. Charles 9

          Re: Bewildered. (That's grown-up speak for "wtf")

          "If you simply fail to inform your inevitable IoT dishwasher of the password for your household Wi-Fi hotspot, then it's significantly less likely to actually connect."

          Unless, of course, it's able to use a whispernet.

          1. Number6

            Re: Bewildered. (That's grown-up speak for "wtf")

            Provided I can disassemble it and use wirecutters on the interface before it can send out a distress call then I win. Always assuming there isn't some sort of dead dishwasher's switch.

            I only have one IoT thing on the property and that's squirrelled away on its own subnet so in theory it can talk to the rest of the world but not my local network. Given how crap the associated cloud-based website is (slower than a glacier), I'm sorely tempted to see if I can reverse-engineer the protocol and hack it to talk only to something under my control.

            1. Paul Smith

              Re: Bewildered. (That's grown-up speak for "wtf")

              "Provided I can disassemble it and use wirecutters on the interface " - You clearly haven't read the DCMA small print. That is a deliberate attempt to circumvent the copyright holder's rights and could get you 20 years in the pokey.

        2. aberglas

          Re: Bewildered. (That's grown-up speak for "wtf")

          "If you simply fail to inform your inevitable IoT dishwasher of the password for your household Wi-Fi hotspot, then it's significantly less likely to actually connect."

          After 30 days being unable to check for software updates it will refuse to run at all. An essential safety feature to keep you safe.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bewildered. (That's grown-up speak for "wtf")

            "After 30 days being unable to check for software updates it will refuse to run at all. An essential safety feature to keep you safe."

            And after another 180 days there will be no more software updates as the next generation model is released.

            On the point of phoning home is there any evidence yet of IoT devices that have no functional purpose connecting to internet, bricking because of a lack of internet access?

        3. Not That Andrew
          Windows

          Re: Bewildered. (That's grown-up speak for "wtf")

          It will probably just connect automatically to next door's BT wifi hotspot

        4. JPWhite

          Mr

          Miele to Comcast.

          Hey we've noticed a lot of WiFi routers with the Xfinity SSID. We are willing to pay you x thousands of dollars per year for access to that network.

          Comcast to Miele

          OK your check cleared, here is how you access the network.....

          Customer installs dishwasher, dishwasher sees Xfinity SSID broadcast by customer's neighbor. Dishwasher connects and calls home.

        5. KLane

          Re: Bewildered. (That's grown-up speak for "wtf")

          I just set up a cheap WiFi router with no WAN connection, and connect anything that doesn't need outside world access to that. They can talk to each other all they want.

        6. JeffyPoooh
          Pint

          Re: Bewildered. (That's grown-up speak for "wtf")

          Me "...time to call in Sarah Conner."

          Funny picture: http://tinyurl.com/SarahConnerLOL

          A picture of The Terminator confused by a Captcha.

      2. Jonski

        Re: Bewildered. (That's grown-up speak for "wtf")

        They can, um, ... Keep statistics about powder usage.

        I use those blocks with the dissolving wrapper. My powder usage precisely correlates 1:1 to the number of cycles I've run.

        The irony is rich however. This vuln will now let my dishwasher convert Spam to spam.

      3. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        I see what you did there. You said 'iPhone' and obviously meant 'Hipster' as frankly the only people who would buy this POS and then connect it to the internet are those with more money than sense a.k.a. Apple customers.

        Then the bit about the kids. Loved it.

        My kids are on the other side of the planet. Perhaps I should connect my DW up so that they can check on their GOM and that he is ok? (GOM== Grumpy Old Man)....

        Sorry no. While I am an Apple customer (I have a secondhand iPhone) I would never buy AND connect something like this up to the internet in a million, no make that a gazillion years.

        I'd actually go out of my way to NOT buy an appliance like this.

      4. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        "The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice."

        Like vinyl records - there will come a time when some people will want their white goods to be "old school". As the IoT will only be a controller function then - like a car's ECU - a business will exist to tweak its function.

        That will then be made illegal for reasons of safety - and because the government wants electricity suppliers to be able to control your white goods devices.

        Globalisation will mean that every mechanical part will come from the same source - and only the final branding and cosmetics will be different.

        1. herman

          Re: Bewildered. (That's grown-up speak for "wtf")

          Well, I must be Olde Skool, since my microwave oven has a wind up timer, but I have never seen a dish washer with a wind-up timer. My guess is that Miele simply used a generic Linux controller and the ethernet port and web server is simply for programming and testing it on the production line and isn't actually intended for daily use.

      5. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        To misquote Edmond Hillary, They are connected to the internet because it (the internet) is there

        To quote Jasper Carrott: a dog's bum is there. It doesn't mean you have to go up it.

      6. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        > To misquote Edmond Hillary, They are connected to the internet because it (the internet) is there.

        No, it was not Hillary, but George Mallory (q.v.) who when asked why he wanted to climb Everest replied "Because it's there!"

        1. Anonymous Coward
          Anonymous Coward

          Re: Bewildered. (That's grown-up speak for "wtf")

          > No, it was not Hillary, but George Mallory (q.v.) who when asked why he wanted to climb Everest replied "Because it's there!"

          Additionally, I've read that he only gave that reply because while on a pre-exhibition (possibly fund raising) tour of the US he became increasingly fed up by everyone always asking why he wanted to climb Everest

      7. IsJustabloke
        Stop

        Re: Bewildered. (That's grown-up speak for "wtf")

        "The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice."

        Or rather would like to be....

        And while I'm sure there will come a time when it being connected is required by the T&C's I doubt we're quite there yet.

    2. Anonymous Coward
      Childcatcher

      Re: Bewildered. (That's grown-up speak for "wtf")

      "Before I get too many downvotes," - nope, you get a UV for a well reasoned argument. I suspect product design went a bit like this:

      We can bolt internets onto our usual model, markup £200 retail for <sticks finger in the air> £13.56 RnD plus parts per unit. No let's skip the R bit and throw in most of a cheap IP camera's guts without the CCD etc. Fiddle with the web UI and profit. App n stuff. Internets - great.

      I don't own a washing machine with an IP stack. I already have a THINGS VLAN and a SEWER VLAN for devices that scare me more ('leccy readers eg) than stuff I put on THINGS. This will need yet another VLAN for stuff I wouldn't even put on SEWER.

      What the hell do I call that? How about AIRGAP? It would certainly have Security Onion looking at it sternly. My home network is probably not your average but I sometimes wish it was.
