Dishwasher has directory traversal bug Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …
Ubiquity of general-purpose computers = ubiquity of general purpose security problems.
Things will only get worse as companies realise that it's cheaper to just put a Raspberry Pi in place of that specialist circuit board that controls everything, and then it's only one click from putting it on the net in the next model.
Seriously - look at the RPi zero boards with their wifi and GPIO. You're not telling me that making that old ancient washing machine control board is cheaper than that? Even the Arduino was a micro-controller really, but now it's just as cheap to deploy a full machine.
Economics of general-purpose computers that small, cheap, well-connected and powerful is going to be the end of any kind of sense in electronic devices. Prepare to see them in everything from phones and answering machines to clocks and radios.
For stuff like dishwashers, you would not only need a processor, ROM and RAM, but also a power supply, relays (solid state, most likely nowadays), some kind of display, and a couple of connectors for the various sensors, and as much of that on a single board as possible for ease of assembly (=lower manufacturing costs). So it may have the guts of a Pi, but physically it won't be one.
"[...] power supply, relays (solid state, most likely nowadays), some kind of display, and a couple of connectors for the various sensors, [...]"
When getting into Arduino programming last year - it was a surprise how many peripheral modules are now available at very low prices from China.
Only had one problem . A voltage up-converter that blew an electrolytic when it was first switched on. It was only rated at 35v - which was the nominal maximum output. Other suppliers' pictures of apparently the same board showed they used a more tolerant 50v capacitor.
Construction of 250v relay boards varies. Some have parts of the board removed to give better terminal insulation.
"I suspect that a RaspberryPi would not be as tough as one of the specialist boards and would have a much shorter lifetime."
You are correct. Mine has developed what seems to be a dry joint in the power connector.
The vibrations present in a washing machine or dishwasher weren't in its design spec.
This dishwasher is not an appliance, but a professional tool. This is a washer-disinfector for hospitals and labs, with options like barcode scanners and printers, and more. Connecting a professional dishwasher like this is far from useless, at least for remote maintenance and everything. Once again, this is Industrial IoT, not home automation.
Then, this makes the vulnerability even worse. Do we want to take risks with a disinfector that washes hospital equipment? No, and having a bug that brings us back to the 1990's and the early days of the Web shows how device vendors are playing catchup without realizing the investment required.
FTA
"And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it."
Just because you can read, doesn't mean you can write or execute anything. Embedded devices often have partitioned filesystems so you would have very limited access to anything more critical and a reboot would clear most issues too.
OK, basic security errors often go together because a programmer with no clue will be responsible, but that doesn't automatically mean that directory traversal leads to code injection.
I know my dishwasher is doing something because I stack it with plates, insert a tablet, physically start it and can hear it working until such time as its done, at which point it beeps.
Making the thing "smart" is just an excuse to charge a hundred quid more for a feature that does fuck all quite frankly.
IoT does have a lot of practical uses, but these "smart" appliances are not one of them. Just an excuse to part fools from some extra money.
Salesman: "You should buy this dishwasher sir."
Sir: "Why? What's so good about it?"
Salesman: "You can turn the dishwasher on from the office, or on your way home, using your mobile!"
Sir: ".... does it load the dishwasher from my phone?"
Salesman: "No sir, you'd have to load it manually."
Sir: "So why would I load the dishwasher manually, then walk away and turn it on from my phone while on the train? Surely I'd just turn it on once I've finished loading it?
Salesman: ".... have you ever thought about buying a Samsung Smart TV sir?"
[From recent experience] having the ability to remotely determine whether a dishwasher has been unloaded/load/run would be a significant USP if you have a teenage son at home who regularily "forgets" to do the smallnumber of jobs he's asked to do! If it incldues a security weakness that might be exploited to allow ability to affect devices on the same LAN (e.g. tunring off the Xbox) then that would be a double USP!
"It's unclear which libraries Miele used to craft the Web server, which means without a fix from the vendor – for a dishwasher – the best option is to make sure the appliance isn't exposed to the Internet."
No. That's the second best option. The best option is not to buy anything that's given a facility to connect to the internet that it doesn't need. A dishwasher doesn't need a facility to connect to the internet.
The PG 8528 isn't really a 'dishwasher', it's actually a laboratory glassware washer - as used in hospital laboratories etc.
See: http://www.miele-pro.com/us/prof/products/14071_16161.htm
I believe such laboratories have to keep records confirming that each item of glassware has been washed correctly, including confirmation that the water in the washer reached the correct temperature, and that the correct temperature was maintained for the correct period of time.
I think older washer models displayed this information on a screen, or printed out a slip of paper, which the operator had to copy/key in to the record keeping system. So the intention was to lessen the need for human intervention, and lessen the scope for human error.
Final point.
PLEEAAASEE!!!
you eeedjits.
Stop buying the "tablets". Which are power pressed lumps of the powder for which they are charging 3 times what they charge for the powder. I get 24-30 washes out of a $7.00 box of powder instead of paying $22.50 for a box of 28 tablets. It is becoming harder and harder to find the damned powder in boxes by itself.
"It is becoming harder and harder to find the damned powder in boxes by itself."
So why bother?
1. Place dirty dishes in dishwasher as usual (grime, goo and all).
2. Add about three drops of regular dish soap to your dishwasher's detergent cup.
3. Fill the cup 2/3 of the way with baking soda.
4. Add salt until the cup is nearly full. This is to suppress foaming.*
Run your dishwasher as normal.
* When my dishwasher foams there's nothing I can do but wait for her to calm down. But then I find her immensely more sexually attractive than the average dishwasher.
I dunno, I can think of one time this would have been really handy - about 6 weeks ago my washer stopped working, it would work away for about 20 minutes and then just stop, with a single blinking red light. There's no LED display on most low-end dishwashers so no way to know what's wrong
Thought it was knackered and was pretty sure I'd need to replace it - I figured the element was gone or something - when I discovered (whilst doing something unrelated under the sink, which required me to unplug a bunch of pipes) that there was a big horrible ball of gunk stuck in the water outlet pipe of the washer and this was why the washer was failing. Once that was sorted, it's been fine since.
Would have been nice to have gotten a text or be able to log into some kind of "what is wrong with you" type webpage in the washer to see that the cycle was shutting down as it was unable to empty the water, I would have known right away what the problem was.
I could think of a few reasons why Internet connection could be helpful in this case...for example:
Gathering information about how many times dishwasher is being used could lead to overview of how much water/ energy you are using over period of time. Eventually it could advice user on much he/she could save if the machine was used more efficiently (for example, fill it better before use...). It could advice you on usage of different programs, with aim to improve efficiency/ cost savings/ environment, components wear out, provide for maintenance advice etc.
Most of the people push the button ("highest cleaning settings") and forget about it. If the machine is broken, they simply replace it with new one and don't give it another thought (apart from complaining that everything used to be better "in the past").
Especially from the perspective of protecting the environment, this could prove positive (e.g. if dishwasher is properly maintained, the equipment lifetime could maybe double). Water could be saved by more efficient usage, etc.
I agree though that companies should think first, engineer and design responsibly (and demonstrate the added value); rather than adding features "without thinking"....(especially if they obviously lack appropriate ICT competence).
Though what is happening at the moment is that people buy an "intelligent device" because it is "cool" and have no idea why (and most of the time the functionality is half-baked and not working properly so they do not use it anyways). As well as the manufacturers don't care because if it works and if it works works well, they will end up selling less dishwashers in first place, or be "forced" to work on more environment friendly (read: more expensive) models.
Idea is thus good. Execution...not so much (across the board with the IoT devices for now).
I tried all the settings on my new "eco" Siemens dishwasher. None of them can be relied upon to get the dishes clean every time. I suspect that the "eco" requirements of noise, water usage, and electricity took precedence over actually doing the job properly.
It is annoying that it only comes with a cold fill facility - so my more economic source of hot water can't be used.
Some of the eco washes can clean OK, but if you want to use them, need to intersperse with max hot washes, otherwise the low temperature washes allow some of the more thermophile bacteria / fungi to set up home in your dish washer, but a hot wash normally nobbles them (though also worth a proper cleaning / disinfecting op in dishwasher every now and again).
Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.
* Reads it again... no, still wrong.
Directory traversal typically means read-only access. You need something very different to be broken or misconfigured before exteranl users can connect and upload arbitrary files which they can then execute. (If it's properly set up, the attacker can only execute code as the 'nobody' or 'apache' user, or similar restricted access / unprivileged account. Preferably in a chroot, jail, or similar segregated fake environment.
I can see a lot of comments on here about Smart Meters going nowhere near their network. Smart Meters use ZigBee to communicate with the little in-house display gadgets and don't go anywhere near your home network to be fair. They use HAN/ZigBee to talk to other smart meter(s) nearby. The WAN side is over the mobile network for connectivity, so SmartMeter's are the exception to the IoT drama for now, although I believe they would like to tap into dishwashers/dryers/washing machines/fridges etc in the future via ZigBee and whatnot to utilise surplus energy.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
