posted on Wednesday March 29 2017, @11:28AM
from the let's-make-the-Internet-squeaky-clean dept.

A directory traversal bug has been found in a Miele dishwasher. This allows access to arbitrary files on the dishwasher's Web server from unauthenticated users. It has been questioned whether appliance makers should be the ones connecting things to networks, since their lack of experience means there isn't even an official channel to report or fix security bugs. Miele are yet to comment.


  • (Score: 2) by kaszz on Thursday March 30 2017, @02:43PM

    by kaszz (4211) on Thursday March 30 2017, @02:43PM (#486477) Journal

    A dishwasher from Miele [wikipedia.org], model PG 8528 [miele-pro.com] has a gaping security hole [theregister.co.uk] in the form of not protecting against directory traversal that will deliver the /etc/shadow password file to anyone with connectivity and IP. The device also features five RS-232 interfaces and is designed for restaurants and bars. Miele has ignored contacts made on the issue since November 2016.

    There are some Miele fridges and freezers that use the same circuit board and they send out an email when the door has been open for more than 15 minutes or if the machine is unable to cool properly.* [hackaday.com] Some models of Miele washing machines for clothes feature an infrared connection that makes it possible to reprogram them.

    A personal reflection is that IoT security is a joke [hackaday.com]. However, unlike The Register newspaper, which suggests "Appliance makers: stop trying to connect stuff to networks, you're no good at it.", perhaps it's better to offer stable software interfaces designed to be read by other machines, which eliminates the html-webserver, and keep all connectivity in-house, oh and let the wireless swamp be tin foiled. So in the company of barbie listening spy toy, car killer [wikipedia.org], conspiring toaster, password fetching kettle [theregister.co.uk], bugged rifle, ogling thermostat, hackglitch bulb, door opener for anyone, one can ask the television set.. tv-tv-on the wall who's looking at me now? :-)

    Unplug, tinfoil wrap, firewall and audit [owasp.org] all that Internet-of-Trouble.

    (submitted earlier as a main page post)
