back to article Dishwasher has directory traversal bug

Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …

Page:

      1. Steve Crook
        Unhappy

        Re: Bewildered. (That's grown-up speak for "wtf")

        We get internet connected dishwashers because Miele think there are idiots out there who would choose their model over one without an internet connection, and that fewer people will refuse to buy it for the same reason.

        In that sense I think Miele are entirely correct in their assumptions. If we (in the widest sense) are living in hell, it's one we made...

      2. big_D Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        With a decent firewall, you could also apply a rule to ensure that the SEWER VLAN is blocked from communicating with the Internet and blocked from communicating with the local network. Problem solved.

        Luckily, we don't have smart meters here, yet. But if they do, they won't be joining our home network, without a written TOS which includes information about timely update policy and a guarantee for compensation in the case that their device attacks my network. If they want it to phone home, they can pay for their own damned connection!

        1. pete_v

          Re: Bewildered. (That's grown-up speak for "wtf")

          > Luckily, we don't have smart meters here, yet. But if they do, they won't be joining our home network

          That's ok, they don't want to - they handle their own connectivity. The electricity meter obviously has the most power available, so it talks to the mothership, I assume over GSM. I'm told the gas meter is powered by a little turbine spinning in the gas flow, giving it just enough juice to talk Zigbee to the nearby leccy meter. They don't go anywhere near any of my kit, and I get a bill each month for what I actually use rather than the company making up a random number, direct debiting whatever they feel like, and then trying to reconcile a huge discrepency every couple of years.

          I expect there's probably some implementation stupids when it comes to switching provider (haven't tried yet) but I'm a fan of the principle.

          1. big_D Silver badge

            Re: Bewildered. (That's grown-up speak for "wtf")

            The Dutch did a calibration test of current electric smartmeters. One was about 14% pessimistic, but most were up to 550% optimistic (i.e. registered 550% more electricity than was actually used)!

            It turns out the smartmeters can't cope with dimmable energy saving lights and LEDs.

            1. Anonymous Coward
              Anonymous Coward

              Re: Bewildered. (That's grown-up speak for "wtf")

              The dutch measurements surely over-dramatized the problem a bit. Nevertheless, some official bods are looking into it: http://goo.gl/a6N4wn

          2. regregular

            Re: Bewildered. (That's grown-up speak for "wtf")

            >> and I get a bill each month for what I actually use rather than the company making up a random number, direct debiting whatever they feel like, and then trying to reconcile a huge discrepency every couple of years.

            Just make sure you have no LED lighting or dimmer switches in your home. With those devices, some smart meters have been reported to report wildly inaccurate readings. Wildly inaccurate as in 700% higher.

          3. Anonymous Coward
            Anonymous Coward

            Re: Bewildered. (That's grown-up speak for "wtf")

            "I get a bill each month for what I actually use rather than the company making up a random number,"

            so do i and i don't have a smart meter. I do something really old school i read my meter on the last day of the month and give this reading to the electricity company (online) and they then invoice me correctly for the amount used.

          4. Anonymous Coward
            Anonymous Coward

            Re: Bewildered. (That's grown-up speak for "wtf")

            "[...] and I get a bill each month for what I actually use rather than the company making up a random number, direct debiting whatever they feel like, and then trying to reconcile a huge discrepency every couple of years."

            It doesn't always go smoothly.

            "One customer’s £1,900 bill"

            https://www.theguardian.com/environment/2017/mar/26/uk-energy-firms-big-six-smart-meter

          5. IsJustabloke Silver badge
            Facepalm

            Re: Bewildered. (That's grown-up speak for "wtf")

            "but I'm a fan of the principle."

            I'm a big fan of the principle where I pop out to my cabinet every couple of weeks and let my supplier know the readings and thus I avail myself of the same no "guesstimate" billing.

          6. AndrewDu

            Re: Bewildered. (That's grown-up speak for "wtf")

            "probably some implementation stupids when it comes to switching provider "

            You are so right. The stupid is, that if you change provider, the smart meter doesn't work any more. End of.

            Apparently they forgot that bit when designing them, probably because the implementation phase goes back to nationalised industries, at which time you couldn't change provider because there was only one.

          7. Lamont Cranston
            Unhappy

            Re: "implementation stupids when it comes to switching provider"

            @ pete_v

            Yep - your "smart meter" reverts back to being a regular meter, except now you have to navigate through a menu to get a reading off of it. Smart Meters are a crock of shit.

        2. mistersaxon

          Re: Bewildered. (That's grown-up speak for "wtf")

          Smart meters will have a 3G+ B2B network connection - hacking your wifi is not the only danger with a device that can tell crooks when you are home and optionally cut you off (or bill you £'000s for unreal electricity as is more likely).

          I'm refusing all offers of one at the moment.

          1. js.lanshark

            Re: Bewildered. (That's grown-up speak for "wtf")

            It must be nice to have a choice. Mine was installed last week with no option of refusal. Well, If I refused I got no service that is.

      3. 2+2=5 Silver badge
        Happy

        Re: Bewildered. (That's grown-up speak for "wtf")

        > I already have a THINGS VLAN and a SEWER VLAN for devices

        Upvote for the vLAN names.

        I'm thinking [1] of writing a firewall module for OpenWRT or similar that can be configured with the details of IoT devices and selectively buggers with their packets. So a connected telly will find that it can download the program guide perfectly, but when it tries to upload viewing statistics the packet contents get randomised, or sent in the wrong order etc.

        [1] Which means I'll never find the time to learn how to do it, but I throw the idea out here in case anyone else wants to have a go. :-)

      4. CrazyOldCatMan Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        I already have a THINGS VLAN and a SEWER VLAN for devices that scare me more ('leccy readers eg) than stuff I put on THINGS

        Likewise. And I can disable the "things" access to the outside world with one click on the network firewall (hard to reach the internet when your default gateway is no longer responding..)

        Although I don't have a sewer vlan. I found it easier to just never connect the things in the first place.

    1. a_yank_lurker Silver badge

      Re: Bewildered. (That's grown-up speak for "wtf")

      Have an upvote. I am not convinced a self loading dishwasher would need an Internet connection. It could be programed to load and if full run at time ex. My coffee maker has a feature to auto brew at a preset time. We are not talking rocket science.

      1. Wensleydale Cheese Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        " I am not convinced a self loading dishwasher would need an Internet connection."

        What if it insists on being given an email address before it will start working?

        That Samsung phone* I bought a few years ago wouln't let me in without a Google address.

        * now scrapped

    2. TReko

      Re: Bewildered. (That's grown-up speak for "wtf")

      >So why on earth do we need internet enabled dishwashers?

      Because that is what sells them.

      Products are designed to be sold, not to be used.

      A dishwasher is a dishwasher, the cheapest model does what the most expensive model does: clean dishes.

      1. Def Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        A dishwasher is a dishwasher, the cheapest model does what the most expensive model does: clean dishes.

        That's a little unfair. The cheaper models will almost certainly be less power and water efficient, noisier, probably slower, and possibly a bit more crap at actually cleaning.

        1. Alistair Silver badge
          Windows

          Re: Bewildered. (That's grown-up speak for "wtf")

          "The cheaper models will almost certainly be less power and water efficient, noisier, probably slower, and possibly a bit more crap at actually cleaning"

          Generally I'd say no, they aren't. Noisier is very likely but is absolutely relative to the installation, since most come with fairly decent sound proofing and room for improvement. Mostly, the cheaper ones are the stock from last year, the year before, the year before that, and the year before THAT.

          <An associate had to do some cabling in a whirlpool warehouse ..... and learned many interesting lessons about large appliances that day.>

          1. Anonymous Coward
            Anonymous Coward

            Re: Bewildered. (That's grown-up speak for "wtf")

            Please share your experiences...

      2. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        "A dishwasher is a dishwasher, the cheapest model does what the most expensive model does: clean dishes."

        A few years ago I replaced my dishwasher as the old one was beyond "economical" repair. Asking friends for recommendations of their proven ones - I discovered that manufacturers change their models every couple of years. On-line reviews were a similar problem - not to mention some of the horror stories.

        Finally went for a Siemens as a mid-priced brand used by some friends - and on-line reviews seemed favourable for a specific model.

        Every time I use it I wish that I had had the old one repaired. Yes - the new one is quieter and has "eco" features - but it just doesn't clean the dishes reliably. Everything has to be "clean" before it is loaded into the machine otherwise it needs a hand wash afterwards.

        I suspect the noise of the old one meant it was spraying the water at a much higher velocity. The "Eco" features also seem to minimise the drying cycle - so that things are still wet at the end.

        A microwave oven is an appliance one would expect nowadays to be - well - just a microwave.

        I have given up trying to buy a new one. My requirements are obvious - or so I thought: stainless steel cavity; touch timer panel; enough ventilation so that the interior doesn't drip copious amounts of water during cooking. Oh - and no reviews saying "failed after a few weeks" - or - "caught fire".

        1. Anonymous Coward
          Anonymous Coward

          Re: Bewildered. (That's grown-up speak for "wtf")

          Yes. I have noticed that the Eco features in modern appliances screw them up. Manufacturers trade off good performance against getting a extra star on their eco rating.

    3. Ilgaz

      Re: Bewildered. (That's grown-up speak for "wtf")

      They love to spy on their users. A internet connected dishwasher can share 'anonymous" statistics about how and when it is used.

      Things can be really interesting for washing machine, you can figure out the exact nature of clothing & profile of a rich household.

      Obviously, a burglar or some other evil guy can use the data for his own purposes.

    4. 9Rune5

      Re: Bewildered. (That's grown-up speak for "wtf")

      "So why on earth do we need internet enabled dishwashers?"

      I can think of one reason: Simpler UI.

      The delay feature on my appliances leaves a lot to be desired. I am only interested in what time it will finish, not when it will start. "Done by 7am" is what I want. But I am sure there are others who are more interested in the start time... That means a heckuva lot of buttons, or a big LCD right there on the appliance... Or.... How about a web based UI that you can use from your favorite pad?

      But even so, I have to concede that the extra complexity is just not worth it.

      1. Dan 55 Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        Presumably if you had a dishwasher with a clock, the "finish by" time could be set in a similar way as the "start time" delay, by holding down one button and repeatedly pressing another. That's if you really are unable to calculate a delay time - 1.5 or 2 hours or however long the washing cycle is - at least a couple of hours more for the warm air to dry them.

        Then again, this kind of feature is aimed at people who cannot set clocks on kitchen appliances and probably have UPnP on their routers and will never run a security update in their life unless their computer or phone bludgeons them into it (note all the missing devices from that list), so it's all going to end in tears anyway.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        "So why on earth do we need internet enabled dishwashers?"

        I can think of one reason: Simpler UI.

        In that case, give me a local connection. Bluetooth or something. I have no problem with it talking to ME, but I have a major problem with it talking to the rest of the planet, ditto for any other appliance (and God help the poor sod who wants to come and install a smart meter, because he/she will have to explain why they won't sign for damages payment when it goes wrong - in the presence of some journalists, because I'm mean like that).

        A number of people have said that devices are made to sell, not to function. I would like to comment that this sort of uncontrolled crap is the perfect UNsell as far as I'm concerned - no flaming way.

    5. Pen-y-gors Silver badge

      Re: Bewildered. (That's grown-up speak for "wtf")

      But a really good self-loading dishwasher would be neat! Of course it would need a droid extension that wanders around the house picking up dirty coffee cups and plates, in which case it WOULD need internet access so that it could message you to ask 'have you finished with this half-eaten pork pie?'

      1. CrazyOldCatMan Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        message you to ask 'have you finished with this half-eaten pork pie?'

        "Oh, and by the way, can you call the dog to ask him to stop chewing my power cord? It's giving me a terrible pain in all the FPGAs down my right-hand side"

      2. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        But a really good self-loading dishwasher would be neat! Of course it would need a droid extension that wanders around the house picking up dirty coffee cups and plates, in which case it WOULD need internet access so that it could message you to ask 'have you finished with this half-eaten pork pie?'

        You just made me realize I married a dishwashing machine!

    6. JetSetJim Silver badge

      Re: Bewildered. (That's grown-up speak for "wtf")

      But, for a mere £2,000+, you too can have one of these marvellous devices which give you the benefit of this marvellous marketing blurb:

      "With the MobileControl function you can keep an eye on your Miele appliance, even when you're not at home - via smart-phone or tablet PC. Not only can you access the programme status, you can also conveniently select and start programmes regardless of location using your mobile terminal device. Simply download the Miele@mobile app and connect the device to Miele@home. When you return home, your Miele appliance has already finished its work. "

      1. Doctor Syntax Silver badge

        Re: Bewildered. (That's grown-up speak for "wtf")

        "With the MobileControl function you can keep an eye on your Miele appliance, even when you're not at home - via smart-phone or tablet PC. Not only can you access the programme status, you can also conveniently select and start programmes regardless of location using your mobile terminal device. Simply download the Miele@mobile app and connect the device to Miele@home. When you return home, your Miele appliance has already finished its work. "

        It's a pity I'm not in the market for a new dishwasher. I'd have let a salesdroid give that spiel just so I could have asked "Why would I want to?". And then show them my ancient non-Apple, non-Android phone.

    7. regregular

      Re: Bewildered. (That's grown-up speak for "wtf")

      Regarding to the "Why do we need that", the question can be answered by googling the actual device. Unless the model number has a typo, this particular device is an industrial grade washer for restaurants or similar places. One selling point is the capacity of over 200 glasses, not exactly a con- or prosumer grade appliance.

      I can see a few reasons why a large gastronomy outfit might want a dishwasher that "calls the boss" when it is done or needs attention. There may be more than one of those, the "bing" that signals a finished cycle might be drowned out by ambient kitchen noise etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bewildered. (That's grown-up speak for "wtf")

        "prosumer"

        Wankiest word of the day.

        1. Dog11

          Re: Bewildered. (That's grown-up speak for "wtf")

          @AC "prosumer"

          Wankiest word of the day.

          It's been in use for quite a while. E.g. a video cam that costs $4K (which was what a Panasonic DVX-100B went for new, though today it's called "obsolete"). That's way less than a real pro cam, but almost as good and way more than Uncle Bob will spend to make pictures of the kids.

    8. herman Silver badge

      Re: Bewildered. (That's grown-up speak for "wtf")

      So how is the electric butler of the electric monk supposed to wash his master's begging bowl without an internet connection to the dishwasher?

  1. This post has been deleted by its author

    1. Dave 126 Silver badge

      Re: A software bug in a dishwasher?

      You're not familiar with Miele, are you? True, they've dropped the ball on this one issue, but they are the only appliance maker that makes stuff the last and to be repaired. For example, their washing machines still allow the bearings to be replaced, and use a cast iron ballast instead of concrete.

      This has been the consistent results if independent testing by the Consumer Association (which is financed by member's subscriptions, not adverts).

      1. Anonymous Coward
        Anonymous Coward

        Re: A software bug in a dishwasher?

        funny enough we have a said Miele dishwasher that you can connect to the tinterweb if you so wish, I haven't, as you need and android or apple phone to manage it. The dishwasher itself is very good cleans miles better than our old Siemens one

      2. Anonymous Coward
        Anonymous Coward

        Re: A software bug in a dishwasher?

        "they are the only appliance maker that makes stuff the last and to be repaired."

        Someone I know has had MULTIPLE replacements of a Mile appliance in only a few years due to it continually failing.

        Mile have financially incentivised them to NOT put details on social media.

      3. Doctor Syntax Silver badge

        Re: A software bug in a dishwasher?

        "use a cast iron ballast instead of concrete."

        Ballast of any sort must be more or less unique these days. Just replaced the washing machine and the guys who took the old one away were a bit taken aback by the weight.

      4. Anonymous Coward
        Anonymous Coward

        Re: A software bug in a dishwasher?

        "they are the only appliance maker that makes stuff the last and to be repaired"

        huh - you've not had 3 successive control boards fail (one per year) then have you - with a cost of $500 per board!!!

        all because they use a 50 cent chip to control the water inlet valve - with said chip failing - often in the closed position, so that as soon as you try turning on it starts pumping water into the machine....

        now to be fair, after complaining to the president of the company, they did come out and replace the last one (which is now holding for the second year) - BUT it still took an email to Germany to get results...trying to deal with the company here in Canada produced nothing other than a 10% off the cost of the part...

        I have since tracked down the bad chip and have ordered in spares (resulting in a few repaired spare control boards) - BUT the company does not offer any kind of a repair/rebuild service for the elecronics - it's either buy a new one or buy a new unit - and at $500 per board it's better to buy a bosch/maytag/ge etc than it is to try a repair their unit....

      5. Anonymous Coward
        Anonymous Coward

        Re: A software bug in a dishwasher?

        You're not familiar with Miele, are you?

        I think your sense of humour is caffeine dependent. The whooshing sound is the joke (washed up; lather, rinse, repeat) going over your head - go get some coffee and you'll be fine :).

        As for Miele, in my experience there are quite a number of good brands out there, just not if you buy the cheapest device in the range. There is a reason the good ones cost more money - they know they won't sell that many of them.

        I myself have a Bosch Maxx which had ONE repair in 20 years and that was 2 months after I bought it. Having a kid with eczema meant the oils in the ointments in his clothes ate away at the door seal, so the Bosch service engineer replaced it with a neoprene one which was impervious to that and it's been doing a very good job ever since - near daily.

  2. The Nazz Silver badge

    Really Miele

    Why, just why?

    As an aside i have a dishwasher that occasionally connects to the 'Net and yet suffers few if any bugs at all.

    In fact, 'm so healthy i could die tomorrow.

  3. jake Silver badge

    Who in the FUCK ...

    ... came up with THAT totally fucking stupid idea? I mean, seriously, hands up all y'all who have been pining for a dishwasher with an embedded web server. We'll wait.

    ::crickets::

    That's what I thought ... AND THIS IS A TECHNONERD SITE!

    1. big_D Silver badge

      Re: Who in the FUCK ...

      Me, but not for me to buy, it would mean easy money for my Pen-Testing business.

      1. Dave 126 Silver badge

        Re: Who in the FUCK ...

        Nobody asked for a dishwasher connects to the web. Some people have asked for a dishwasher that can be turned on remotely,for those mornings when the whole process of getting the kids ready and driven to school is a nightmare.

        People are interested in the end, not the means.

        1. jeffdyer

          Re: Who in the FUCK ...

          web <> net

        2. Phil O'Sophical Silver badge

          Re: Who in the FUCK ...

          people have asked for a dishwasher that can be turned on remotely,

          And then they got home to find they'd forgotten to put any soap in, so they had to run it again. Their smart meter will then email them to warn then that running a dishwasher twice a day is wasteful.

    2. regregular

      Re: Who in the FUCK ...

      Google the model. Full height, industrial size dishwasher with capacity over 200 glasses.

      This is clearly not con- or prosumer, but for large outfits. I can see why a convenient remote monitoring feature might be a selling point to customers who need one, or even many, of those things. Big kitchens are loud and busy, and missing the "bing" of a finished cycle or a red LED requesting maintenance happens easily and wastes time.

      This is probably a feature aimed at maximising efficiency, so no time is spent by walking up and checking to see if it is ready to unload and reload. You just wait until it tells you it is ready.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019