
SoylentNews is people

posted on Wednesday March 29 2017, @11:28AM
from the let's-make-the-Internet-squeaky-clean dept.

A directory traversal bug has been found in a Miele dishwasher. It lets unauthenticated users read arbitrary files from the dishwasher's embedded Web server. It has been questioned whether appliance makers should be the ones connecting things to networks, since their lack of experience means there isn't even an official channel through which to report or fix security bugs. Miele is yet to comment.
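The bug class described above, as an added example (not Miele's code or anything from the original advisory): a minimal static-file path resolver written the naive way, then hardened against directory traversal. The web root, file names and "shadow" contents below are constructed for the demo; the general pattern is what an embedded HTTP handler should do before opening anything the client names.

```python
"""Added example (not Miele's or the appliance's code): resolving a requested
URL path against a web root, first naively, then hardened against traversal.
All paths and file contents here are constructed for the demonstration."""
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


def naive_resolve(webroot: str, request_path: str) -> str:
    """Vulnerable: trusts the client-supplied path after percent-decoding.
    "../" segments walk out of the web root, so GET /../../etc/shadow maps to
    /etc/shadow (readable if the server runs as root, which appliances often do)."""
    return os.path.normpath(os.path.join(webroot, unquote(request_path).lstrip("/")))


def safe_resolve(webroot: str, request_path: str):
    """Hardened: returns the on-disk path, or None if the request escapes the root."""
    decoded = unquote(request_path)
    # NUL bytes truncate C strings; backslashes act as a second separator on some stacks.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Lexical check: normalise the relative path and refuse anything still starting
    # with "..". Decode exactly once: "%252e%252e" becomes the literal segment
    # "%2e%2e", not "..", so a second unquote() here would reopen the hole.
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    candidate = webroot if rel == "." else os.path.join(webroot, rel)
    # Filesystem check: follow symlinks and confirm the target is still under the
    # root. This catches a symlink inside the web root that points outside it,
    # which the lexical check alone cannot see.
    root_real = os.path.realpath(webroot)
    target = os.path.realpath(candidate)
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def demo():
    """Builds a throwaway web root (constructed data) and runs both resolvers
    against a benign request, a traversal request and a symlink escape."""
    root = tempfile.mkdtemp(prefix="webroot-")
    outside = tempfile.mkdtemp(prefix="outside-")  # sibling of root, outside it
    secret = os.path.join(outside, "shadow")
    index = os.path.join(root, "index.html")
    with open(index, "w") as f:
        f.write("<h1>status</h1>")
    with open(secret, "w") as f:
        f.write("root:$6$constructed$notarealhash:17000:0:99999:7:::\n")
    try:
        os.symlink(secret, os.path.join(root, "leak"))
        symlink_ok = True
    except OSError:  # platforms without symlink support
        symlink_ok = False

    # "/../outside-XXXX/shadow" climbs one level out of the web root.
    traversal = "/../" + os.path.basename(outside) + "/shadow"
    results = {
        "index_real": os.path.realpath(index),
        "secret": secret,
        "benign_naive": naive_resolve(root, "/index.html"),
        "benign_safe": safe_resolve(root, "/index.html"),
        "traversal_naive": naive_resolve(root, traversal),
        "traversal_safe": safe_resolve(root, traversal),
        "symlink_naive": naive_resolve(root, "/leak") if symlink_ok else None,
        "symlink_safe": safe_resolve(root, "/leak") if symlink_ok else None,
        "symlink_ok": symlink_ok,
    }
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lexical check is the cheap first line; the realpath/commonpath check is what catches symlinks and case or encoding quirks the string check misses. Neither replaces running the HTTP daemon as an unprivileged user: with the server confined to a low-privilege account, even a traversal bug cannot hand out files such as /etc/shadow that only root may read.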



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by AndyTheAbsurd on Wednesday March 29 2017, @11:48AM (8 children)

    by AndyTheAbsurd (3958) on Wednesday March 29 2017, @11:48AM (#485823) Journal

    First of all, why does a dishwasher need a web browser? Someone needs to be physically present to load the damn thing, so although I can see a digital control panel to set a delay before start (which actually my current dishwasher has, although it only lets me select 2, 4, or 6 hours of delay), why not just have the person there loading it push the damn buttons?

    Secondly: The exploit is for the web browser to read /etc/shadow... which should be owned by root:shadow, so reading it isn't possible unless the web browser is running either as the root user or as a member of the shadow group. It's like these people haven't heard of the Unix permission model!

    --
    Please note my username before responding. You may have been trolled.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday March 29 2017, @01:03PM (1 child)

    by Anonymous Coward on Wednesday March 29 2017, @01:03PM (#485857)

    But... but... but... how am I supposed to check the status of my dishwasher when I'm at work or taking a dump (or both!)? I need a constant stream of notifications about every mundane thing in my life or I might cease to exist! I can't wait for the new twitter dishwasher that will allow me to tweet my dishwasher status to all my friends to fill the vacuous hole that is their pathetic lives!

    • (Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:04PM

      by Anonymous Coward on Wednesday March 29 2017, @07:04PM (#486102)

      lulz. 'You' won't tweet anything; your dishwasher would.

  • (Score: 1) by mayo2y on Wednesday March 29 2017, @02:53PM

    by mayo2y (6520) on Wednesday March 29 2017, @02:53PM (#485926)

    It may be useful for a hardware manufacturer to receive diagnostic updates; they probably also find that aggregating usage data gives them important information.

    I can see, as a homeowner, wanting to be able to access various devices remotely (locks, HVAC, lights, fridge, etc...)

    As a privacy nerd I would want each device to speak directly to my approved network hub which then transmits approved information to the 3rd party in question. (As opposed to each company connecting on its own.)

  • (Score: 2) by JoeMerchant on Wednesday March 29 2017, @03:09PM

    by JoeMerchant (3937) on Wednesday March 29 2017, @03:09PM (#485936)

    Engage with your dishwasher, set it to start after the room is vacated via IFTTT connection to a motion sensor. Check status of your dishwasher from the office. Monitor your water and energy consumption. The top of the line model probably has a webcam where you can watch the dishes while they wash. RFID tags on sensitive cookware can inform you when it has been improperly placed on the bottom rack.

    Yeah, big BIG stretch, but all the cool appliance makers are getting in on the IoT thing, cannot allow Miele to look like an ignorant old buggy-whip company, can we?

    --
    🌻🌻 [google.com]
  • (Score: 3, Interesting) by VLM on Wednesday March 29 2017, @03:42PM

    by VLM (445) on Wednesday March 29 2017, @03:42PM (#485960)

    With enough teenagers you'll get a gross backlog of dishes, and if you know when it's done you can immediately begin the next batch process.

    I have openhab set up at home with working insteon bindings and I'm fooling with zwave bindings.

    openhab, especially v2.0, is painful. The devs are all windows people writing windows philosophy software that gets wedged into linux on the pi. On the other hand misterhouse is, if not dead, not so lively as it was 15 years ago. So I'm slowly forklift upgrading.

    For $25 aeontec or one of those places sells a clamp on AC ammeter and I'm gonna measure the current into my clothes dryer, washer, and dishwasher and do the obvious with TTS.

    Home automation is much like Linux was in the early 90s. You can't buy stuff and see how it works, you must research what works, then buy stuff accordingly. So I have a perfectly good zwave binding to a gen5 stick and it works BUT I need to make sure that specific model of AC ammeter works before buying a couple. In that way nothing has changed or improved in home automation from 15-20 years ago. I will say zwave, when it works, is much less of a PITA than insteon or old fashioned X-10.

    Clamp on ammeters have the virtue of usually not bursting into flame or causing connection problems like shunts can and the isolation from high voltage is nice for fooling around but mechanically and physically they're a bit of a PITA so I don't care for that.

    Things get weird with smart appliances. My clothes dryer shuts off when the exhaust humidity drops, indicating most of the water is gone, then it goes into a cooldown cycle. I've seen a ridiculously over-packed dryer take almost an hour to dry. I've got the high efficiency top loader so the clothes get spun at like 3600 RPM and come out slightly damp, so sometimes the dryer only runs 30 minutes. The washer seems possessed and all that's certain is it takes less than 3 hours per filling. It's not as simple as setting a timer.

    I already do stuff like detect presence based on network devices on my wifi and then abuse the temperature setpoints of my thermostat. If nobody is home the HVAC is mostly off. It doesn't save much if any money due to weird overlapping schedules. My house was completely empty for only 10 hours last week, according to the computer.

  • (Score: 2) by EvilSS on Wednesday March 29 2017, @03:45PM

    by EvilSS (1456) Subscriber Badge on Wednesday March 29 2017, @03:45PM (#485963)
    Because it's not a dishwasher, it's a lab washer the size of a large commercial refrigerator designed for washing/disinfecting labware. It has Ethernet and RS232 to allow access for configuration, maintenance, and monitoring. This isn't something you would have in your home, and it's not something that would, by default, be exposed to the internet rather than the local network.

    Not saying that it's not a problem and needs to be fixed, but the author of that article really click-baited it up to make it look like a consumer IoT issue. In the original bug report it is not called a dishwasher.
  • (Score: 3, Funny) by Azuma Hazuki on Wednesday March 29 2017, @03:59PM (1 child)

    by Azuma Hazuki (5086) on Wednesday March 29 2017, @03:59PM (#485974) Journal

    This is a secret plan by Dr. Wily and the WWW to infiltrate all of networked society and destroy the world. Luckily I know exactly how to deal with this little pest: Bubbleman.exe hides behind a rock, but if you can break it and area-lock him with a couple of AreaGrab or MetaGel1 chips he's a sitting duck. Just get right up in his face and unload any sword-type chips you've got. It's even better if you have an Elec style on as your charge shot will stunlock him!

    --
    I am "that girl" your mother warned you about...
    • (Score: 2) by AndyTheAbsurd on Thursday March 30 2017, @12:05PM

      by AndyTheAbsurd (3958) on Thursday March 30 2017, @12:05PM (#486433) Journal

      This may be the best reply to any SN or /. comment that I have ever received...

      --
      Please note my username before responding. You may have been trolled.