Dishwasher has directory traversal bug

Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …
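The bug class named in the headline is one an embedded web server gets wrong whenever it builds a filesystem path straight from the URL. As an added example (not code from the article, the advisory, or Miele), the block below shows how a static-file handler can map a request path onto its document root without letting `../` segments (including percent-encoded ones) climb out of it, and reuses the same check to flag traversal-looking requests in a few constructed access-log lines. The document root, the log lines and the IP addresses are all made up for the example.

```python
# Added example: safe URL-to-filesystem mapping for an embedded web server,
# plus a log check that uses the same rule. Not the appliance's own code.
import posixpath
import re
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(doc_root, url_path):
    """Return the file path for url_path, or None if it would escape doc_root."""
    root = Path(doc_root).resolve()
    # Decode percent-encoding once: "%2e%2e/" is the same ".." in disguise.
    decoded = unquote(url_path)
    # NUL bytes and backslashes are rejected outright; some servers treat "\"
    # as a separator and C-string APIs truncate at NUL.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Normalise the path *relative* to the root. posixpath.normpath collapses
    # "." and "a/.." pairs, so any ".." that survives at the front is a genuine
    # attempt to climb above the document root.
    normalized = posixpath.normpath(decoded.lstrip("/"))
    if normalized == ".." or normalized.startswith("../"):
        return None
    candidate = (root / normalized).resolve()
    # Belt and braces: after following symlinks the result must still be
    # inside the resolved root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


# Common-log-format line: client, request line and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Mar/2017:10:00:07 +0000] "GET /../../../etc/shadow HTTP/1.1" 200 1024',
    '10.0.0.9 - - [26/Mar/2017:10:00:08 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 900',
    '10.0.0.5 - - [26/Mar/2017:10:00:12 +0000] "GET /static/a/../b.css HTTP/1.1" 200 77',
]


def flag_traversal_requests(log_lines, doc_root="/srv/www"):
    """Return (ip, path, status) for every request the safe resolver would refuse."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if resolve_under_root(doc_root, path) is None:
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (server answered {status})")
```

The normalisation happens on the decoded, root-relative path on purpose: `posixpath.normpath("/../etc/passwd")` silently returns `/etc/passwd`, which would hide the attempt, whereas the relative form keeps the leading `..` for the check to catch. A server that logs a `200` for such a request, as the constructed second and third lines do, is the signal a defender wants to alert on.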

Re: Who in the FUCK ...

web <> net

0
0
Silver badge

Re: Who in the FUCK ...

people have asked for a dishwasher that can be turned on remotely,

And then they got home to find they'd forgotten to put any soap in, so they had to run it again. Their smart meter will then email them to warn them that running a dishwasher twice a day is wasteful.

1
0
Anonymous Coward

Maximum Overdrive

Looks like the 80's film 'Maximum Overdrive' by Stephen King wasn't, in fact, completely shit as I once thought. It was just ahead of its time.

7
0
Devil

Re: Maximum Overdrive

'Maximum Overdrive' may have been ahead of its time but, unfortunately, the film was still completely shit.

7
0
Silver badge

Re: Maximum Overdrive

Yes, looking back at it now (as I did recently) it is a bit shit - but it is still quite good fun to watch.

It does however have a superb soundtrack by AC/DC.

2
1

My dish washer is connected to the internet. Me !!!

1
0
Silver badge

"My dish washer is connected to the internet. Me !!!"
My dishwasher connects to the Internet too. SWMBO! :-)

1
0
Anonymous Coward

Is that what's known as a passwordless proxy?

0
0
Silver badge

(please, readers, ponder those three words in succession and tell us they don't make you want to grab pitchforks),

No pitchfork here... more like something thermonuclear.

2
0
Silver badge
Facepalm

But is it internet connected?

My pitchfork registers how many times I jab it into things, it can also tell, based on the resistance, whether it has been stuck into earth, hay or flesh. It is then displayed in real-time on my smartphone.

Taking into account the government's attitude to encryption, I am way ahead of new legislation: it is all sent in the clear, so no worries about it being used by terrorists!

8
1

Not a run of the mill dishwasher

http://www.miele-pro.com/us/prof/products/14071_16161.htm

Not a scientist, but can sort of see this device is supposed to be shared

6
0

By the looks of it, the 8528 is a very high end laboratory glassware cleaner and disinfector with many programmes and reporting facilities, so it's not surprising it might have a fully featured controller (heck, some hospital beds have touchscreen TFT controllers!)

However, you'd expect software updates for your £tens of thousands dishwasher.

9
0
Silver badge

Gareth79 and LegalAlien - cut out that original research stuff. How the hell is a commentard supposed to jerk the knee properly when you point out that the subject is not designed for home use?

It's still rubbish, IT-wise but hardly likely to affect anything like a mass market.

13
0
Silver badge
Coat

@gerdesj wrote:

It's still rubbish, IT-wise but hardly likely to affect anything like a mass market.

Unless it's used by the clergy that is.

2
0

The key bit here: "4 RS 232 interfaces with RJ 45 plugs, 1 RS 232 interface with 9 pole SUB-D plug, 1 Ethernet network interface with RJ 45 plug for connection to process documentation software." This is not white goods, it's not even "Internet of Things", it's a piece of connected lab equipment that integrates into existing processes for entirely valid reasons.

So yeah, all the "hurr internet of things" comments are a bit wide of the mark here. It also says "Remote service compatible", so presumably it will indeed receive a firmware upgrade. Yes, it's an embarrassing bug for sure, but a) it's fixable and b) I presume the applications for pwned Miele 8528 lab dishwashers are pretty limited. The worst case is that it effectively becomes a denial of service on a lab until it's fixed, as they can't be sure of their process accuracy.

I mean, I know it's daft of me to even think the Reg is vaguely competent to report on infosec stuff, but not even mentioning that bit is crappy reporting. I guess it gets more eyeballs to pretend it's a bog-standard domestic dishwasher.

3
0
Silver badge

"By the looks of it, the 8528 is a very high end laboratory glassware cleaner and disinfector with many programmes and reporting facilities"

Which means it has even more reason to be properly secured.

3
0
Silver badge

"The worst case is that it effectively becomes a denial of service on a lab until it's fixed"

Until the malware starts connecting to the lab centrifuges. Or intercepting LAN traffic and reporting back.

0
0

I suspect it's going to take persons with malicious intent to cause something like flooding or fire, forcing a complete recall, before manufacturers are going to start taking this stuff seriously. At the moment manufacturers are probably thinking: so they can get into the machine, what's the worst they can realistically do?

3
0
Silver badge
Childcatcher

"what's the worst they can realistically do?"

A home grade washing machine can spin at 14,000 rpm and heat water. Water is heavy - 1 Kg for 10cm^3 - and these things can take a lot of water. There is also a large chunk of concrete inside the machine to help damp vibrations and act as inertia as required.

So what could possibly go wrong with a large electrical device in a metal case with lots of water, a powerful heater, a large piece of concrete, a large spinny thing that can go really fast and a controller that has gone to the bad?

8
3
Silver badge

What can go wrong?

Just ask Samsung about their dryers that ignite...

Everything my dear Watson, everything.

1
0
Silver badge

Re: What can go wrong?

... or better ask Beko

1
0
Silver badge
Coat

Wow! You spin dry your plates at 14,000 rpm?

icon - something to clean in your dishwasher?

1
1
Silver badge

A home grade washing machine can spin at 14,000 rpm and heat water. Water is heavy - 1 Kg for 10cm^3 - and these things can take a lot of water. There is also a large chunk of concrete inside the machine to help damp vibrations and act as inertia as required.

So what could possibly go wrong with a large electrical device in a metal case with lots of water, a powerful heater, a large piece of concrete, a large spinny thing that can go really fast and a controller that has gone to the bad?

Hmmmn are you saying we could Stuxnet washing machines?

3
1

>Water is heavy - 1 Kg for 10cm^3

Ah but what if it's heavy water? Then it's 1.1 g mL−1. Throw in some uranium 235 and you've got a fantastic self-sustaining "extra hot wash" cycle; note this model is only for those with deep pockets and lots of spare lead lying around. With that D2O it can also handily double as an H1 NMR*

*Super conducting magnets and RF generator not included and sold separately.

1
0
Silver badge

I suspect you mean 1,400 rpm, not 14,000. My latest washing machine (last one died messily, although I knew it was on its way out and ran it until it died) handles 9Kg of cottons at 1,600rpm (and probably 95 degrees wash at the same time).

I'd bet that the IoT bit of connected washing machines can't make the drum explode, as the most reasonable course of action is for the manufacturer to use the same controller, and provide an interface to it, rather than provide unfettered access.

1
0
Silver badge
Headmaster

I suspect you mean 1,400 rpm, not 14,000

And 10³ cc, not 10 cm³

0
0

It's crazy, but it's very Miele

I can remember back in 2003 when I was studying my post grad, one of the lectures was on how their commercial machines were connected to the internet to advise of maintenance requirements.

To be fair to Miele, this is one of the few use cases that makes sense in using IoT.

Having said that, there is no excuse for an inability to maintain their own software (insert famous Yoda to Luke quotation here).

2
0
Silver badge

Re: It's crazy, but it's very Miele

Having appliances that can call for service is a totally acceptable use of "IoT". That does not require an internal web server though, only the ability to send an email. If you want an internal web server for information or diagnostics, require a magic key sequence on the front panel to enable it and automatically disable it after one hour. That way only someone with physical access can turn it on, because they are the only ones who should ever need to access it (on a tiny LCD front panel, not a web server). It has an option for a modem that will call for service, but it isn't installed.

You can document the key sequence in the owner's manual if there's stuff in there the owner might want to see. The geeks among us might enable it every month or two to see what information it collects (number of washes, amount of water used, amount of electricity used, date of last service, etc.) The water softener at my business collects info on the amount of water used and can report instantaneous flow rate, which I found useful a few times.

The flaw is thinking that a device needs to be connected and available full time. I realize this is a commercial model intended for laboratory sanitization, but it is still hard to see why you'd need to have a full time web server. Though hopefully at least an institution that buys something like this (I assume it is easily into 5 digits) has a firewall and a full time IT organization.

3
0
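The pattern proposed in the comment above, a diagnostic web interface that only opens after a key sequence on the physical front panel and shuts itself again after an hour, is easy to get subtly wrong (a window that never expires, or a sequence that can be completed across unrelated presses). The block below is an added example, not the commenter's or Miele's code, of one way to implement it. The key names, the enabling sequence, the one-hour window and the reported counters are all constructed for the example; the injectable clock exists so the expiry can be exercised without waiting an hour.

```python
# Added example: a time-boxed diagnostics gate controlled from a front panel.
# Hypothetical key names and sequence; not from any real appliance.
import time
from dataclasses import dataclass, field

ENABLE_SEQUENCE = ("menu", "start", "start", "menu")  # constructed
WINDOW_SECONDS = 3600                                  # one hour, as proposed

# Constructed diagnostic counters of the kind the comment lists.
DIAGNOSTICS = {"washes": 412, "water_litres": 6180, "kwh": 530,
               "last_service": "2017-02-14"}


class FakeClock:
    """Monotonic stand-in for time.monotonic so expiry can be tested offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class DiagnosticGate:
    clock: object = time.monotonic   # any zero-arg callable returning seconds
    enabled_until: float = 0.0       # 0.0 means "never enabled"
    _recent: list = field(default_factory=list)

    def press(self, key):
        """Record one front-panel key press.

        Returns True only when the last len(ENABLE_SEQUENCE) presses, in
        order, match ENABLE_SEQUENCE; that opens the window. Keeping only the
        most recent presses means an interrupted sequence has to be restarted.
        """
        self._recent.append(key)
        del self._recent[:-len(ENABLE_SEQUENCE)]
        if tuple(self._recent) == ENABLE_SEQUENCE:
            self.enabled_until = self.clock() + WINDOW_SECONDS
            self._recent.clear()
            return True
        return False

    def close(self):
        """Shut the window early (e.g. when the technician is done)."""
        self.enabled_until = 0.0

    def is_open(self):
        # Strict "<" so the window is closed at exactly the expiry instant.
        return self.clock() < self.enabled_until

    def handle_request(self, path):
        """Tiny request handler: (status, body). Refuses everything while closed."""
        if not self.is_open():
            return 503, "diagnostics disabled; enable from the front panel"
        if path == "/status":
            return 200, dict(DIAGNOSTICS)
        return 404, "no such page"


if __name__ == "__main__":
    clock = FakeClock()
    gate = DiagnosticGate(clock=clock)
    print(gate.handle_request("/status"))          # 503 until enabled
    for key in ENABLE_SEQUENCE:
        gate.press(key)
    print(gate.handle_request("/status"))          # 200 with the counters
    clock.advance(WINDOW_SECONDS + 1)
    print(gate.handle_request("/status"))          # 503 again after an hour
```

Two design points worth noting: the gate is consulted on every request rather than at start-up, so expiry takes effect immediately, and the window is opened by a panel event that a remote client cannot generate, which is the whole point of the suggestion.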
Silver badge

Re: It's crazy, but it's very Miele

I have a BOSCH Dishwasher. 13 going on 14 years old. Not needed any maintenance.

There goes your argument. A properly designed and made device should last for years.

No need for a £9.99/month service plan/warranty that is not worth the paper it is written on.

If it breaks tomorrow and can't be repaired then I'll just buy another one.

The ROCI for the DW works out at around £30/year.

How many skinny half-caf Lattes in Starbucks is that?

Paid for itself which would lead me towards getting another of the same make.

It is a frigging kitchen appliance for heaven's sake.

4
0
Silver badge

Re: It's crazy, but it's very Miele

If you want an internal web server for information or diagnostics, require a magic key sequence on the front panel to enable it and automatically disable it after one hour.

That's almost exactly what my SIP phone does: there is a web interface for configuration which has to be enabled by a combination of buttons on the handset, and then it disables itself after a configurable timeout. But then the thing was made by people who actually knew what they were doing, with this thing's function being entirely dependent on actually being connected to the Internet ...

1
0
Stop

Re: It's crazy, but it's very Miele

Our Bosch DW is about 12 years old, and no probs so far either. And like you say, if it did, we'd call an engineer or buy another.

We've just replaced our (faultless) 21 year old fridge freezer, and whilst looking at options in the stores, the salespeople were incredibly keen to push those with Internet connectivity... "but it knows when you're running low on milk... etc". Funny, but I can tell that myself when I look at the bottle or pick it up!!

Nope. Not a chance in my house!!

1
0
Silver badge

Re: It's crazy, but it's very Miele

@Steve Davies 3

There goes your argument. A properly designed and made device should last for years.

No need for a £9.99/month service plan/warranty that is not worth the paper it is written on.

Long, long time ago I was a kitchen hand in a commercial restaurant. The dishwasher we used there (no no, the mechanical one, not me) would go through 5 cycles an hour (a single cycle would only take 10 minutes or so because, well, it ran hotter and harder than a consumer dishwasher). So a typical day could see the dishwasher doing 30+ cycles a day, 900+ a month. Having some sort of in-built monitoring and auto-callout for predictive issues (worn parts etc) could be very useful in that case.

5
0
Anonymous Coward

Re: It's crazy, but it's very Miele

Never understood appliance insurance (except it's a big earner for the retailers and insurers). You have warranties that cover for at least the first year, often you can get one with longer. If you insure a number of appliances you are soon paying as much as replacing an item every year or two. Had three DOA (or shortly after) appliances in 30 years, covered under warranty, other than that they have lasted at least 15 years.

0
0
Anonymous Coward

Re: It's crazy, but it's very Miele

"Paid for itself which would lead me towards getting another of the same make."

Unfortunately for long-lived devices - the brand name rarely guarantees any repeat of quality.

I bought a new Kenwood Chef mixer. It had been redesigned as part of their "continuous improvement" process - for which also read "better profit margins". The new one looked the same - but had a flimsy plastic casing instead of solid cast aluminium. They had also changed the accessories connector - so the existing accessories were made obsolete.

0
0
Anonymous Coward

Re: It's crazy, but it's very Miele

"You have warranties that cover for at least the first year, often you can get one with longer. "

The independent retailer who supplied my washing machine advised me that a repair in the first year should be claimed under the manufacturer's guarantee.

For the remaining two years of the guarantee there was only "free" parts. He said to get an estimate from him first - as unless it was an expensive part the manufacturer's labour charges would be excessive. The manufacturer out-sourced their repairs - so even a claim under the guarantee was subject to a £100 call fee if they couldn't see a fault when they came.

1
0
Silver badge

Re: It's crazy, but it's very Miele

If it's the EU then I think only free parts in the second year might be wrong, pretty sure you are covered against manufacturer defect for longer than a year.

0
0
Silver badge

Re: It's crazy, but it's very Miele

Never understood appliance insurance (except it's a big earner for the retailers and insurers)

Sorry, what was the bit you couldn't understand?

2
0
Silver badge

Re: It's crazy, but it's very Miele

Our Bosch DW is about 12 years old, and no probs so far either.

If I were to type something like that, I would inevitably get home to find the kitchen flooded, and the glassware in small pieces.

6
0
Silver badge

Re: It's crazy, but it's very Miele

Here's the machine here: PG 8258. You're unlikely to have one of these in your home kitchen...

1
0
Silver badge

Re: It's crazy, but it's very Miele

'I bought a new Kenwood Chef mixer. It had been redesigned as part of their "continuous improvement" process - for which also read "better profit margins". The new one looked the same - but had a flimsy plastic casing instead of solid cast aluminium. '

Mixing dough with the new lighter model will not be a good experience.

0
0
Silver badge
Holmes

Re: It's crazy, but it's very Miele

Had three DOA (or shortly after) appliances in 30 years, covered under warranty, other than that they have lasted at least 15 years.

Got an extended warranty on a TV once; cost me $150 for an extra 5 years cover. A few weeks before the extended warranty was due to run out the TV died quite badly.

So my brand new $1600 TV actually only cost me $150. Extended warranties can be a waste, but they can also be a great investment. Ya rolls the dice, ya takes ya chances.

(Now if I'd done the same with the new TV it would've been a waste, 10 years on and it's still going fine)

0
0
Silver badge
Mushroom

The only reason for the dishwasher to be connected to the internet...

is to talk to the toaster and the microwave when planning home defense protocols.

6
0
Anonymous Coward

Re: The only reason for the dishwasher to be connected to the internet...

You FOOL! You've given away the secret to our plans for World Domination! Now we'll have to start microwaving your clothes, toasting your coffee, & washing your food. You bastard!

-Signed, The CCTV camera you installed to watch for burglars but is doing double duty to Warn The Others when you pull up into the property.

6
0
Paris Hilton

I blame Apple and the iPhone

Ok... not specifically but in a moment of empathy for stupid users, whom most of us look down on from a great height, we grownups have lived through the growth of the internet and the release of the iPhone.

This was when someone told us that our stupid phones would suddenly be pocket computers that did everything and looked sexy... and it was mostly true.

Now everyone believes anything about tech because the iPhone happened.

Users are stupid but they are just following the marketing and buy this stuff.

6
0
Silver badge

Re: I blame Apple and the iPhone

Eh?

The iPhone succeeded because people like tech that is useful or distracting (or really, were getting bored of having to teach a T9 predictive text system to swear and a virtual qwerty seemed nice), not vice versa.

0
0

That scene from Cherry 2000

Yes that one

https://www.youtube.com/watch?v=Y6KJtFZoflc

(starts around 0:30)

1
0
Silver badge

Re: That scene from Cherry 2000

Yeah, yeah, we've all had dates end like that.

1
0
Silver badge
Coat

I'm gunna wash that LAN right out of my hair...

Apologies for those old enough.

4
0

I always wondered one thing

Miele devices could be updated via serial & USB since the 90s, and now this. I always wondered how secure this process is. A washing machine hitting 90 Celsius while it has $10,000 worth of delicate designer clothes in it wouldn't be cool. Or a dishwasher not doing the porcelain program.

0
0
Silver badge

Re: I always wondered one thing

Make sure you do not confuse the update for the washing machine with the update for the cement mixer.

1
0

Biting the hand that feeds IT © 1998–2018