Dishwasher has directory traversal bug

Solarquest

Thanks a Miele-on for making everything dangerous, Internet of things security slackers

Don't say you weren't warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report that it's accused of ignoring.

The utterly predictable bug report at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 - Web Server Directory Traversal”.

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”

Proving it for yourself is simple: GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.

It's unclear which libraries Miele used to craft the Web server, which means without a fix from the vendor – for a dishwasher – the best option is to make sure the appliance isn't exposed to the Internet.

And because Miele is an appliance company and not a pure-play IT company, it doesn't have a process for reporting or fixing bugs.

The researcher who noticed the dishwasher's Web server (please, readers, ponder those three words in succession and tell us they don't make you want to grab pitchforks), Jens Regel of German company Schneider-Wulf, complains that Miele never responded to his notification, first made in November 2016.

Appliance makers: stop trying to connect to the Internet, you're no good at it.

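As an added example, not from the article and not Miele's firmware: a request-path resolver of the kind the quoted server evidently lacks. It normalizes the request path and refuses anything that would climb above the document root, so the traversal request quoted above is rejected instead of served. The document root, default document and sample request lines are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root; the real PST10 server's layout is not public.
DOC_ROOT = "/srv/www"


def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map an HTTP request-line path to a file under doc_root.

    Returns the filesystem path, or None when the request would escape
    the document root (the class of defect CVE-2017-7240 describes).
    """
    # Decode percent-encoding twice so "%252e%252e/" does not survive as "%2e%2e/"
    path = unquote(unquote(request_path))
    # Drop the query string and treat backslashes as separators, as some servers do
    path = path.split("?", 1)[0].replace("\\", "/")
    if "\0" in path:                       # NUL byte truncation trick
        return None
    # Normalize relative to the root: "a/../b" -> "b", but a leading "../" is kept,
    # which is exactly what tells us the request tried to climb above the root
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    if rel == ".":
        rel = "index.html"                 # assumed default document
    return posixpath.join(doc_root, rel)


def classify(request_line):
    """Split 'GET /path HTTP/1.1' and say whether the server should serve it."""
    method, target, _version = request_line.split(" ", 2)
    fs_path = resolve_request_path(target)
    return fs_path is not None, fs_path


# Constructed request lines: the traversal from the advisory plus benign ones
SAMPLES = [
    "GET /../../../../../../../../../../../../etc/shadow HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
    "GET /status.html HTTP/1.1",
    "GET /css/../status.html?x=1 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, where = classify(line)
        print("serve " if ok else "REJECT", line.split(" ")[1], "->", where)
```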

Andytay70

Strange.....
Why would you want to connect a dishwasher to the internet?
This IoT thing is getting out of hand. Next it will be electric toothbrushes with a mind of their own!!

Amelith Nargothrond

Marketing. It's very difficult to fight this kind of marketing, because people like these fancy sci-fi kitchen gadgets and are supporting the makers by buying them, which will keep on producing them. But I'm almost sure once these companies (actually their clients) are going to get hit by some massive attack, they'll revise their IT infrastructure and long-term business strategy. I say: better hire experts, listen to them, do what they say and then keep on producing them; it's best for everybody.
