Another ‘smart’ appliance has been found with serious security flaws by white hat hackers. This time around it’s a commercial washer-disinfector produced by Miele Professional, which connects to the Internet of Things, but allows anyone connecting to it to request any file from its web server.
The Miele Professional PG8528 is big dishwasher and disinfector that’s designed for cleaning restaurant dishes and/or medical apparatus. As with many contemporary appliances, Miele has made it connected. With a built-in RS232 serial connector and Ethernet cable, it can be hooked up to various other appliances and a local network for wider internet connectivity.
That’s great for smart functions, but when it has a poorly secured web server back-end, it means that the appliance could be hacked by anyone with a rudimentary understanding of security.
The flaw is because the PST10 webserver embedded in the machine, “typically listens to port 80 and is prone to a directory traversal attack.” That could theoretically allow an attacker to discover sensitive information about the local network or the organization managing it, thereby giving them a new attack vector in the future.
This bug was discovered by Jens Regel of Schneider & Wulf, who purportedly contacted Miele Professional about the problem in November last year. However after speaking with a security representative at the company, they received no response for several months. With that in mind, they have now made the flaw public, in the hope that the company does something about it.
At the time of writing, no official statement has been made by Miele Professional, and the full disclosure page for the bug suggests that there has been no fix for the security problem as of yet.
Unfortunately, this sort of exploit path using IoT devices is becoming far too common. While we might not go as hard on the acronyms as ZDnet, as it points out, with more and more device manufacturers looking to make their appliances smart without impacting the cost of the product too much, we could see many more of these kinds of bugs in the future. In turn, that could enable much more dangerous attack vectors.
Possibly complicating matters, the head of the FCC, Maureen Ohlhausen, recently stated that she would rather the IoT industry be self-regulated, rather than being obligated to respond to strict federal regulation. In the absence of responsible industry players, that could leave many consumers at risk of further attacks.
- Major security vulnerability could leave critical infrastructure defenseless
- Yes, China is probably watching us through our IoT devices
- Insulin pumps recalled for vulnerability; concerns raised over medical IoT hacks