Dishwasher has directory traversal bug

Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …

Silver badge

Re: I always wondered one thing

Even worse, the update for the vibrator with the update for the dishwasher.

0
0
Silver badge

Only South Africans will understand this :

Only Miele is Pi*l* for hack0rz

So doff... they should have hired a white hat to fiddle with its wobbly bits before unleashing it...

...and it serves them right.

0
1
Anonymous Coward

Miele Pap? That stiff porridge-like substance that accompanies the boerewors at a braaivleis.

0
0
Silver badge

Directory Traversal Bug

Used to have a washing machine that had a Kitchen Traversal Bug when on some cycles of its programme.

16
0
Silver badge

Ubiquity of general-purpose computers = ubiquity of general purpose security problems.

Things will only get worse as companies realise that it's cheaper to just put a Raspberry Pi in place of that specialist circuit board that controls everything, and then it's only one click from putting it on the net in the next model.

Seriously - look at the RPi zero boards with their wifi and GPIO. You're not telling me that making that old ancient washing machine control board is cheaper than that? Even the Arduino was a micro-controller really, but now it's just as cheap to deploy a full machine.

The economics of general-purpose computers that small, cheap, well-connected and powerful is going to be the end of any kind of sense in electronic devices. Prepare to see them in everything from phones and answering machines to clocks and radios.

1
0
Silver badge
Terminator

I suspect that a RaspberryPi would not be as tough as one of the specialist boards and would have a much shorter lifetime. On the other hand, if it lasts until a day or two after the warranty expires then that's great for the vendor.

0
0
Silver badge

Specialist boards vs RasPi

For stuff like dishwashers, you would not only need a processor, ROM and RAM, but also a power supply, relays (solid state, most likely nowadays), some kind of display, and a couple of connectors for the various sensors, and as much of that on a single board as possible for ease of assembly (=lower manufacturing costs). So it may have the guts of a Pi, but physically it won't be one.

0
0
Anonymous Coward

Re: Specialist boards vs RasPi

"[...] power supply, relays (solid state, most likely nowadays), some kind of display, and a couple of connectors for the various sensors, [...]"

When getting into Arduino programming last year - it was a surprise how many peripheral modules are now available at very low prices from China.

Only had one problem: a voltage up-converter that blew an electrolytic when it was first switched on. It was only rated at 35v - which was the nominal maximum output. Other suppliers' pictures of apparently the same board showed they used a more tolerant 50v capacitor.

Construction of 250v relay boards varies. Some have parts of the board removed to give better terminal insulation.

0
0
Silver badge

"I suspect that a RaspberryPi would not be as tough as one of the specialist boards and would have a much shorter lifetime."

You are correct. Mine has developed what seems to be a dry joint in the power connector.

The vibrations present in a washing machine or dishwasher weren't in its design spec.

0
0
Anonymous Coward

"[...] if it lasts until a day or two after the warranty expires then that's great for the vendor."

if it lasts until a day or two after the warranty expires then that's great for the vendor it's over-engineered.

FTFY

1
0
Anonymous Coward

"Appliance makers: stop trying to connect to the Internet, you're no good at it."

Appliance makers: But we all want to be Facebook / Google / Uber etc....Because making actual products is really hard work with low margins and no glorious advertising income...

3
0

This dishwasher is not an appliance, but a professional tool. This is a washer-disinfector for hospitals and labs, with options like barcode scanners and printers, and more. Connecting a professional dishwasher like this is far from useless, at least for remote maintenance and everything. Once again, this is Industrial IoT, not home automation.

Then, this makes the vulnerability even worse. Do we want to take risks with a disinfector that washes hospital equipment? No, and having a bug that brings us back to the 1990s and the early days of the Web shows how device vendors are playing catchup without realizing the investment required.

1
0

An example of a devastating exploit would be to wash everything at 20 degrees C but report out that it was washed at 200.

0
0
Silver badge
Facepalm

Not the vuln you are looking for

FTA

"And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it."

Just because you can read, doesn't mean you can write or execute anything. Embedded devices often have partitioned filesystems so you would have very limited access to anything more critical and a reboot would clear most issues too.

OK, basic security errors often go together because a programmer with no clue will be responsible, but that doesn't automatically mean that directory traversal leads to code injection.

3
0

Smart is the new dumb

I know my dishwasher is doing something because I stack it with plates, insert a tablet, physically start it and can hear it working until such time as it's done, at which point it beeps.

Making the thing "smart" is just an excuse to charge a hundred quid more for a feature that does fuck all quite frankly.

IoT does have a lot of practical uses, but these "smart" appliances are not one of them. Just an excuse to part fools from some extra money.

2
0
Silver badge
Coat

The USP

Salesman: "You should buy this dishwasher sir."

Sir: "Why? What's so good about it?"

Salesman: "You can turn the dishwasher on from the office, or on your way home, using your mobile!"

Sir: ".... does it load the dishwasher from my phone?"

Salesman: "No sir, you'd have to load it manually."

Sir: "So why would I load the dishwasher manually, then walk away and turn it on from my phone while on the train? Surely I'd just turn it on once I've finished loading it?"

Salesman: ".... have you ever thought about buying a Samsung Smart TV sir?"

5
1
Anonymous Coward

Re: The USP

[From recent experience] having the ability to remotely determine whether a dishwasher has been unloaded/loaded/run would be a significant USP if you have a teenage son at home who regularly "forgets" to do the small number of jobs he's asked to do! If it includes a security weakness that might be exploited to allow ability to affect devices on the same LAN (e.g. turning off the Xbox) then that would be a double USP!

0
0
Silver badge

"It's unclear which libraries Miele used to craft the Web server, which means without a fix from the vendor – for a dishwasher – the best option is to make sure the appliance isn't exposed to the Internet."

No. That's the second best option. The best option is not to buy anything that's given a facility to connect to the internet that it doesn't need. A dishwasher doesn't need a facility to connect to the internet.

0
0
Coat

Miel web server?

C'est un honey trap.

2
0
Anonymous Coward

Shaving foam

Just wondering why the guy in the stock pic put shaving foam all over his dishwasher?

2
0

PG 8528 isn't really a 'dishwasher'

The PG 8528 isn't really a 'dishwasher', it's actually a laboratory glassware washer - as used in hospital laboratories etc.

See: http://www.miele-pro.com/us/prof/products/14071_16161.htm

I believe such laboratories have to keep records confirming that each item of glassware has been washed correctly, including confirmation that the water in the washer reached the correct temperature, and that the correct temperature was maintained for the correct period of time.

I think older washer models displayed this information on a screen, or printed out a slip of paper, which the operator had to copy/key in to the record keeping system. So the intention was to lessen the need for human intervention, and lessen the scope for human error.

3
0
Silver badge

Final point.

PLEEAAASEE!!!

you eeedjits.

Stop buying the "tablets". Which are power pressed lumps of the powder for which they are charging 3 times what they charge for the powder. I get 24-30 washes out of a $7.00 box of powder instead of paying $22.50 for a box of 28 tablets. It is becoming harder and harder to find the damned powder in boxes by itself.

2
1
Silver badge

"It is becoming harder and harder to find the damned powder in boxes by itself."

So why bother?

1. Place dirty dishes in dishwasher as usual (grime, goo and all).

2. Add about three drops of regular dish soap to your dishwasher's detergent cup.

3. Fill the cup 2/3 of the way with baking soda.

4. Add salt until the cup is nearly full. This is to suppress foaming.*

Run your dishwasher as normal.

* When my dishwasher foams there's nothing I can do but wait for her to calm down. But then I find her immensely more sexually attractive than the average dishwasher.

0
0
MJI
Silver badge

My internet enabled dishwasher

Is currently looking at new wood flooring.

I have to do two rooms and she is looking for the colour she wants.

1
0

I dunno, I can think of one time this would have been really handy - about 6 weeks ago my washer stopped working: it would work away for about 20 minutes and then just stop, with a single blinking red light. There's no LED display on most low-end dishwashers so no way to know what's wrong.

Thought it was knackered and was pretty sure I'd need to replace it - I figured the element was gone or something - when I discovered (whilst doing something unrelated under the sink, which required me to unplug a bunch of pipes) that there was a big horrible ball of gunk stuck in the water outlet pipe of the washer and this was why the washer was failing. Once that was sorted, it's been fine since.

Would have been nice to have gotten a text or be able to log into some kind of "what is wrong with you" type webpage in the washer to see that the cycle was shutting down as it was unable to empty the water, I would have known right away what the problem was.

0
0
Anonymous Coward

The LED could have flashed in a sequence to identify the problem - like Dell laptops used to do. If it had a "finished" bleeper then that could do the same thing.

If there are too many possible fault messages - then it could use slow Morse Code.

2
0
Anonymous Coward

Actually....

I could think of a few reasons why Internet connection could be helpful in this case...for example:

Gathering information about how many times the dishwasher is being used could lead to an overview of how much water/energy you are using over a period of time. Eventually it could advise the user on how much he/she could save if the machine was used more efficiently (for example, fill it better before use...). It could advise you on usage of different programs, with the aim to improve efficiency/cost savings/environment, component wear, provide maintenance advice etc.

Most of the people push the button ("highest cleaning settings") and forget about it. If the machine is broken, they simply replace it with a new one and don't give it another thought (apart from complaining that everything used to be better "in the past").

Especially from the perspective of protecting the environment, this could prove positive (e.g. if dishwasher is properly maintained, the equipment lifetime could maybe double). Water could be saved by more efficient usage, etc.

I agree though that companies should think first, engineer and design responsibly (and demonstrate the added value); rather than adding features "without thinking"....(especially if they obviously lack appropriate ICT competence).

Though what is happening at the moment is that people buy an "intelligent device" because it is "cool" and have no idea why (and most of the time the functionality is half-baked and not working properly so they do not use it anyways). As well as the manufacturers don't care because if it works and works well, they will end up selling fewer dishwashers in the first place, or be "forced" to work on more environment friendly (read: more expensive) models.

The idea is thus good. Execution...not so much (across the board with the IoT devices for now).

0
0
Anonymous Coward

Re: Actually....

I tried all the settings on my new "eco" Siemens dishwasher. None of them can be relied upon to get the dishes clean every time. I suspect that the "eco" requirements of noise, water usage, and electricity took precedence over actually doing the job properly.

It is annoying that it only comes with a cold fill facility - so my more economic source of hot water can't be used.

1
0
Silver badge

Re: Actually....

Some of the eco washes can clean OK, but if you want to use them, you need to intersperse with max hot washes, otherwise the low temperature washes allow some of the more thermophile bacteria / fungi to set up home in your dishwasher, but a hot wash normally nobbles them (though also worth a proper cleaning / disinfecting op in the dishwasher every now and again).

0
0
Silver badge

Internet connected dishwasher.

Don't forget to put salt in the passwords file.

6
0

Alphabet buys your dishwasher manufacturer

...then a year later bricks it because (1) it cbf supporting that buggy software, (2) not enough of your spending habits are revealed by your dirty dishes and (3) it can.

1
1

Response code - 418 I am a teapot?

There's a SOAP joke in there somewhere as well

1
0
Silver badge

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.

* Reads it again... no, still wrong.

Directory traversal typically means read-only access. You need something very different to be broken or misconfigured before external users can connect and upload arbitrary files which they can then execute. (If it's properly set up, the attacker can only execute code as the 'nobody' or 'apache' user, or similar restricted access / unprivileged account. Preferably in a chroot, jail, or similar segregated fake environment.)

2
0
Silver badge
Facepalm

And read-only as the ID running the webserver...

...which should be apache, not root, and the apache ID shouldn't have permissions to read /etc/shadow. You have to change a lot of the out-of-the-box security settings to create such a vulnerability.

1
0
Anonymous Coward

Re: And read-only as the ID running the webserver...

Unless, of course, the files you can read give you the information you need to perform a privilege escalation that LETS you wreak havoc.

1
0
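The point the last three posts make is that traversal is a path-handling bug in the web server, and what it can reach is bounded by that server's account and filesystem. As an added example (not code from the article, Miele, or any poster here), this is the lexical check a small embedded C web server should apply before opening anything: decode, normalise, and reject any request that would leave the document root. The function names, the `/var/www` docroot and the request strings are assumed/constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place. Fails on a malformed escape or on an
 * encoded NUL, which would silently truncate the path later on. */
static bool url_decode(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++, w++) {
        if (*r != '%') { *w = *r; continue; }
        if (!isxdigit((unsigned char)r[1]) || !isxdigit((unsigned char)r[2]))
            return false;
        char hex[3] = { r[1], r[2], '\0' };
        int v = (int)strtol(hex, NULL, 16);
        if (v == 0) return false;
        *w = (char)v;
        r += 2;
    }
    *w = '\0';
    return true;
}

/* Lexically normalise a request path and write docroot + path into out.
 * Requests that would leave docroot are rejected (not clamped) so they can
 * be logged. Assumes docroot has no trailing slash; %XX encoding is decoded
 * first, and a backslash is refused rather than guessed at. */
bool resolve_under_root(const char *docroot, const char *req,
                        char *out, size_t outlen) {
    char buf[512];
    const char *segs[64]; int depth = 0;
    if (strlen(req) >= sizeof buf || !url_decode(strcpy(buf, req))) return false;
    if (strchr(buf, '\\')) return false;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {          /* ".." above the root: reject */
            if (depth == 0) return false;
            depth--;
            continue;
        }
        if (depth == 64) return false;          /* absurdly deep: reject */
        segs[depth++] = tok;
    }
    int n = snprintf(out, outlen, "%s", docroot);
    for (int i = 0; i < depth && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "/%s", segs[i]);
    return n >= 0 && (size_t)n < outlen;
}

/* Wrapper with a static buffer (not thread-safe); NULL means rejected. */
const char *resolve_or_null(const char *docroot, const char *req) {
    static char out[1024];
    return resolve_under_root(docroot, req, out, sizeof out) ? out : NULL;
}
```

Even with this check in place, the server should still run as an unprivileged account with the document root on its own read-only partition, as the posts above describe, so that a second bug elsewhere has little to reach.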

The closest I will get to an IoT washing machine thank you very much....

[o]

0
0
Silver badge

I'd rather get one from the Discworld, complete with nanny-demons to keep the cutlery and all that sparkling clean.

It just needs a blue steak, some raw eggs, a brick of salt and a block of cheese once in a blue moon. (Hey, the nanny-demons gotta eat as well).

0
0

Still can't figure out why half of all Reg stories have comments apparently written by my grandad in the throes of complaining that things aren't what they used to be.

0
3

This post has been deleted by a moderator

Silver badge

"Nobody with a healthy brain would buy such focking washing machine with wireless/ethernet/whatever!"

Unless, of course, the ONLY choices of sustenance left available to you are manure, dung, and crap. What are you going to do if you're starving?

0
2

Re: The Need For Speed

I can see a lot of comments on here about Smart Meters going nowhere near their network. Smart Meters use ZigBee to communicate with the little in-house display gadgets and don't go anywhere near your home network to be fair. They use HAN/ZigBee to talk to other smart meter(s) nearby. The WAN side is over the mobile network for connectivity, so Smart Meters are the exception to the IoT drama for now, although I believe they would like to tap into dishwashers/dryers/washing machines/fridges etc in the future via ZigBee and whatnot to utilise surplus energy.

0
0

Terminator XX - Rise of the IOT

I need your clothes, your boots and your washing liquid. And add in some softener too.

0
0
Silver badge

Update Patches...

Will they mirror that of certain printer manufacturers?

"Ah, I see you've used the wrong tablets, exceeded the duty cycle, etc. Your warranty is cancelled."

0
0

What the hell

Why on earth would I ever need a web freaking dish freaking washer? What's more, the day I have to install a firewall in front of my dishwasher, fridge or toilet is the day I reject any and all technology.

0
0

Biting the hand that feeds IT © 1998–2018