SoylentNews is people

posted by on Wednesday March 29 2017, @11:28AM
from the let's-make-the-Internet-squeaky-clean dept.

A directory traversal bug has been found in a Miele dishwasher. It lets unauthenticated users access arbitrary files on the dishwasher's Web server. Some have questioned whether appliance makers should be the ones connecting things to networks, since their lack of experience means there isn't even an official channel to report or fix security bugs. Miele are yet to comment.


  • (Score: 5, Insightful) by DannyB on Wednesday March 29 2017, @02:23PM (11 children)

    by DannyB (5839) Subscriber Badge on Wednesday March 29 2017, @02:23PM (#485903) Journal

    The only way to fix this is to make IoT manufacturers liable for any damages caused by their devices getting hacked. That includes large botnets of their devices attacking something and causing serious and expensive damage.

    Yes, really. Make the manufacturer liable.

    When I buy a toaster, I expect that it will not burn my house down. When I buy an IoT device, I expect it won't get hacked and participate in a large botnet.

    These devices could be made orders of magnitude more secure if the manufacturer were willing to spend some more money on it. If all manufacturers had such liability, they might cooperate on best practices to make it easier for all of them to build more secure devices. If they think the costs of building in good security are too high for the potential market, then maybe they should reconsider whether this particular IoT device is actually needed or worth building.

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 0) by Anonymous Coward on Wednesday March 29 2017, @04:06PM (3 children)

    by Anonymous Coward on Wednesday March 29 2017, @04:06PM (#485981)

    Yes and maybe hire American engineers rather than cheap H1B visas educated in foreign degree mills and Chinese government agents.

    • (Score: 2) by DannyB on Wednesday March 29 2017, @06:06PM (2 children)

      by DannyB (5839) Subscriber Badge on Wednesday March 29 2017, @06:06PM (#486049) Journal

      Yes. But that goes back to the deeper problem of being cheap and cutting corners. Putting liability upon the manufacturer for damages caused would suddenly give them an incentive not to do this and other cheap corner cutting. The broken economics of the damage cost is the basic problem. Put the cost of those damages where it belongs. Someone else's business should bear the cost of an attack caused by ten thousand borked webcams cheaply implemented with no security. Put that liability upon the manufacturer of those webcams. (Not the users of them, but the manufacturer.)

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 2) by kaszz on Thursday March 30 2017, @02:23PM (1 child)

        by kaszz (4211) on Thursday March 30 2017, @02:23PM (#486466) Journal

        The result is that lawyers make a profit and corporations with deep wallets will order laws that allow only them to continue to exploit others.

        Investors and lawyers f-cked internet. Don't let them in, ever.

        • (Score: 2) by DannyB on Thursday March 30 2017, @03:49PM

          by DannyB (5839) Subscriber Badge on Thursday March 30 2017, @03:49PM (#486533) Journal

          You left out advertisers. And trolls.

          --
          The lower I set my standards the more accomplishments I have.
  • (Score: 2) by bob_super on Wednesday March 29 2017, @06:15PM (4 children)

    by bob_super (1357) on Wednesday March 29 2017, @06:15PM (#486056)

    These devices could be made orders of magnitude more secure if the manufacturer were willing to spend some more money on it. If all manufacturers had such liability, they might cooperate on best practices to make it easier for all of them to build more secure devices. If they think the costs of building in good security are too high for the potential market, then maybe they should reconsider whether this particular IoT device is actually needed or worth building.

    IoT gimmicks are a way to keep justifying higher prices, so shareholders don't get pissed.
    Anything that's light and small is built in China, and heavy things are built closer with automation. Basic appliances are doing their job well enough, and prices of "good enough" are going down.

    Security doesn't matter, and our lobbyists will not let anyone think that it should be.
    We need to be able to advertise new features, and sell more expensive products, or the Almighty Growth is threatened.

    • (Score: 2) by DannyB on Wednesday March 29 2017, @07:29PM (3 children)

      by DannyB (5839) Subscriber Badge on Wednesday March 29 2017, @07:29PM (#486117) Journal

      That is all fine and good as long as they can't shift the cost of major hacking attacks to the victims of those attacks. That's my rationale for why the liability should be upon the manufacturers. It might change their thinking about what keeps shareholders happy.

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 3, Insightful) by bob_super on Wednesday March 29 2017, @07:41PM (2 children)

        by bob_super (1357) on Wednesday March 29 2017, @07:41PM (#486129)

        My rationale being that the reasonable law you suggest would be a threat to manufacturers' bottom line.
        That's the kind of thing brib^W lobbying is there to prevent, comrade.

        Manufacturers also will skip paying any tax, keep lobbying for smaller government, but rely on the NSA to protect the banks where they stash their bonuses, from their own products.

        • (Score: 2) by DannyB on Wednesday March 29 2017, @07:47PM (1 child)

          by DannyB (5839) Subscriber Badge on Wednesday March 29 2017, @07:47PM (#486138) Journal

          The NSA may be one party that is quite happy about massive numbers of easily hackable IoT devices. They are beachheads into all kinds of networks.

          --
          The lower I set my standards the more accomplishments I have.
          • (Score: 2) by bob_super on Wednesday March 29 2017, @09:05PM

            by bob_super (1357) on Wednesday March 29 2017, @09:05PM (#486177)

            I believe the NSA prefers hard to hack devices, so they don't have to share the resource with script kiddies.

  • (Score: 0) by Anonymous Coward on Thursday March 30 2017, @06:21AM (1 child)

    by Anonymous Coward on Thursday March 30 2017, @06:21AM (#486355)

    The only way to fix this is to make IoT manufacturers liable for any damages caused by their devices getting hacked. That includes large botnets of their devices attacking something and causing serious and expensive damage.
    Yes, really. Make the manufacturer liable.

    First my cynical comment: you're dreaming. You've forgotten who pays the lobbyists to overwhelm Congress.

    Second, I'm 100% with you. In fact, if I was king (please elect me) all electronics would have a _minimum_ 10 year warranty. And I'm an EE. Software, maybe forever. I do sw eng too. I would much rather refine something, and only ship it when it's really well tested. Step back and look at what MS gets away with. And when they _STILL_ have not fixed all bugs, they're allowed to say "your OS is unsupported and dangerous- upgrade required". If I was king I would make them eat words like that- literally. In prison. Linux succeeds because refinement. Lots of testing. Cautious stable releases.

    Among too many things I do, I also repair appliances. Only worked on 1 or 2 Miele things but have heard they're difficult to get parts and service info.

    • (Score: 2) by kaszz on Thursday March 30 2017, @02:30PM

      by kaszz (4211) on Thursday March 30 2017, @02:30PM (#486470) Journal

      Demand that appliance manufacturers (or distributors) put drawings, schematic and the firmware source code in escrow. Once the manufacturer stops supplying spare parts or updated firmware regarding security, then the escrow handler releases it. Won't matter if they go bankrupt, become unreachable or just EOL. There will be a default rescue path.

      Another added feature would be to bill for the additional e-waste whenever a product goes EOL.