A directory traversal bug has been found in a Miele dishwasher. This allows access to arbitrary files on the dishwasher's Web server from unauthenticated users. It has been questioned whether appliance makers should be the ones connecting things to networks, since their lack of experience means there isn't even an official channel to report or fix security bugs. Miele are yet to comment.
(Score: 5, Insightful) by Snotnose on Wednesday March 29 2017, @11:42AM (19 children)
Why the hell does a dishwasher need a web server in it?
I came. I saw. I forgot why I came.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @12:07PM
Solution: replace Web server with Wet server.
Not only does it make more sense for a washing machine, but it also eliminates the directories to traverse.
(Score: 2) by wisnoskij on Wednesday March 29 2017, @01:07PM
It is marketed to politicians, who might want to acid wash their server on a moment's notice.
(Score: 1) by moondoctor on Wednesday March 29 2017, @01:39PM
Hospitals. Everything needs to be logged.
In a properly functioning organisation, procurement should have assessed its security and not approved the purchase.
We're a long way from that universe...
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @02:01PM (5 children)
Didn't you get the memo? It's the Internet of Things. Adding web servers to appliances is like building bypasses: You just have to do it.
(Score: 3, Funny) by Anonymous Coward on Wednesday March 29 2017, @02:26PM (1 child)
"Didn't you get the memo? It's the Internet of Things."
As someone on HN put it, the "S" in IoT stands for "Security".
(Score: 0) by Anonymous Coward on Thursday March 30 2017, @04:17AM
As someone on HN put it, the "S" in IoT stands for "Security".
In the acronym IoS, the "S" most definitely doesn't stand for "Security".
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @03:20PM (2 children)
I'm not sure I got the memo. I've implemented RFC 2324 and 7168 at home, but I was stumped when the roommate wanted a dishwasher. Which RFC should I use? Is it up to us Soylentils to propose one?
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:00PM (1 child)
The correct answer is, no. We can't perpetuate the stupidity that is 'because we can'. We already suffer for the complete lack of wisdom dealing with our current level of technological 'progress'.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:44PM
Well you're no fun. :(
(Score: 5, Funny) by Azuma Hazuki on Wednesday March 29 2017, @03:56PM
Obviously because it needs to serve SOAP content :D
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @04:04PM (2 children)
Many reasons; let's say you want to start your dishwasher remotely because you forgot to before you went to work.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @08:03PM
Also for when you want to stop your dishwasher mid-cycle while you're out jogging.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @08:13PM
Also to give notification beeps to tell me "CYCLE HAS FINISHED" every 15 seconds, non-stop, day and night, anywhere in the world - until I go to it and manually turn it off. Yes sir, right away sir.
(Score: 1, Funny) by Anonymous Coward on Wednesday March 29 2017, @06:17PM (1 child)
Same reason God needs a spaceship.
Actually, somebody told a rookie developer they need to "scrub inputs", and they took it literally.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:02PM
To escape imprisonment?
(Score: 2, Informative) by Soylentbob on Wednesday March 29 2017, @07:26PM (2 children)
Ok, there were already enough funny answers, I'll try a halfway serious one:
Besides the normal soap (tab or powder), the dishwashers I know also have compartments for special salt and rinse aid. These are not filled for each use, and an app could inform the user if a refill is required. Also, an app could show how long the dishwasher still needs (e.g. when going shopping / planning the day), or how long since it has been done (e.g. for people who don't want to open it right away, to give it some more time to dry).
I'm not saying I'd want these features, but they are the least useless features I could think of in this context.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @08:07PM
I would like if they could hook it up to a rep in Bangalore so I could ask them why it managed to clean some cups so well but failed to clean some other cups at all. That has always been a mystery to me.
(Score: 1) by Soylentbob on Wednesday March 29 2017, @08:48PM
Oh, and as others mentioned elsewhere, this was not a dishwasher, but a lab cleaning device. So temperature and other measurements, and also timing and availability information, might be more relevant.
(Score: 2) by davester666 on Thursday March 30 2017, @05:27AM
It means they don't have to put any physical buttons or lights on it. You load it up, close the door, then use the app to give it the settings you want to use.
Then it gives you a notification when it's done on your phone.
(Score: 5, Informative) by lgsoynews on Wednesday March 29 2017, @11:47AM (5 children)
Some of the original reports were wrong, it's not a household dishwasher: it's a Disinfector Washer, something that is used in hospitals.
Which makes the bug even worse: you don't want another easy hacking target in your hospital.
And the justification for the embedded webserver is BS in my opinion...
(Score: 2) by donkeyhotay on Wednesday March 29 2017, @02:18PM (4 children)
Thanks for clarifying that, because I was about to go off on the absurdity of having a web-enabled dishwasher.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @04:29PM (3 children)
I assume you were going to type it using the microwave, right?
---
sent from my vacuum cleaner
(Score: 3, Informative) by bob_super on Wednesday March 29 2017, @05:08PM (2 children)
Gotta type on the toaster these days, because the microwave is being upgraded to a 4K camera.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @06:19PM (1 child)
I thought the bow-tie was really a camera, not the microwave.
(Score: 2) by bob_super on Wednesday March 29 2017, @06:56PM
In case you actually missed it:
http://www.latimes.com/politics/washington/la-na-essential-washington-updates-more-than-just-spying-microwaves-why-1489416182-htmlstory.html [latimes.com]
(Score: 3, Insightful) by AndyTheAbsurd on Wednesday March 29 2017, @11:48AM (8 children)
First of all, why does a dishwasher need a web browser? Someone needs to be physically present to load the damn thing, so although I can see a digital control panel to set a delay before start (which actually my current dishwasher has, although it only lets me select 2, 4, or 6 hours of delay), why not just have the person there loading it push the damn buttons?
Secondly: The exploit is for the web browser to read /etc/shadow... which should be owned by root:shadow, so reading it isn't possible unless the web browser is running either as the root user or as a member of the shadow group. It's like these people haven't heard of the Unix permission model!
Please note my username before responding. You may have been trolled.
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 29 2017, @01:03PM (1 child)
But... but... but... how am I supposed to check the status of my dishwasher when I'm at work or taking a dump (or both!)? I need a constant stream of notifications about every mundane thing in my life or I might cease to exist! I can't wait for the new twitter dishwasher that will allow me to tweet my dishwasher status to all my friends to fill the vacuous hole that is their pathetic lives!
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:04PM
lulz. 'You' won't tweet anything; your dishwasher would.
(Score: 1) by mayo2y on Wednesday March 29 2017, @02:53PM
It may be useful for the hardware manufacturer to receive diagnostic updates; they probably also find that aggregating usage data gives them important information.
I can see, as a homeowner, wanting to be able to access various devices remotely (locks, HVAC, lights, fridge, etc...)
As a privacy nerd I would want each device to speak directly to my approved network hub which then transmits approved information to the 3rd party in question. (As opposed to each company connecting on its own.)
(Score: 2) by JoeMerchant on Wednesday March 29 2017, @03:09PM
Engage with your dishwasher, set it to start after the room is vacated via IFTTT connection to a motion sensor. Check status of your dishwasher from the office. Monitor your water and energy consumption. The top of the line model probably has a webcam where you can watch the dishes while they wash. RFID tags on sensitive cookware can inform you when it has been improperly placed on the bottom rack.
Yeah, big BIG stretch, but all the cool appliance makers are getting in on the IoT thing, cannot allow Miele to look like an ignorant old buggy-whip company, can we?
Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Interesting) by VLM on Wednesday March 29 2017, @03:42PM
With enough teenagers you'll get a gross backlog of dishes, and if you know when it's done you can immediately begin the next batch process.
I have openhab set up at home with working insteon bindings and I'm fooling with zwave bindings.
openhab, especially v2.0 is painful. The devs are all windows people writing windows philosophy software that gets wedged into linux on the pi. On the other hand misterhouse is, if not dead, not so lively as it was 15 years ago. So I'm slowly forklift upgrading.
For $25 aeontec or one of those places sells a clamp on AC ammeter and I'm gonna measure the current into my clothes dryer, washer, and dishwasher and do the obvious with TTS.
Home automation is much like Linux was in the early 90s. You can't buy stuff and see how it works, you must research what works, then buy stuff accordingly. So I have a perfectly good zwave binding to a gen5 stick and it works BUT I need to make sure that specific model of AC ammeter works before buying a couple. In that way nothing has changed or improved in home automation from 15-20 years ago. I will say zwave, when it works, is much less of a PITA than insteon or old fashioned X-10.
Clamp on ammeters have the virtue of usually not bursting into flame or causing connection problems like shunts can and the isolation from high voltage is nice for fooling around but mechanically and physically they're a bit of a PITA so I don't care for that.
Things get weird with smart appliances. My clothes dryer shuts off when the exhaust humidity drops, indicating most of the water is gone, then it goes into a cooldown cycle. I've seen a ridiculously overpacked dryer take almost an hour to dry. I've got the high efficiency top loader, so the clothes get spun at like 3600 RPM and come out slightly damp, so sometimes the dryer only runs 30 minutes. The washer seems possessed and all that's certain is it takes less than 3 hours per filling. It's not as simple as setting a timer.
I already do stuff like detect presence based on network devices on my wifi and then abuse the temperature setpoints of my thermostat. If nobody is home the HVAC is mostly off. It doesn't save much if any money due to weird overlapping schedules. My house was completely empty for only 10 hours last week, according to the computer.
(Score: 2) by EvilSS on Wednesday March 29 2017, @03:45PM
Not saying that it's not a problem and needs to be fixed, but the author of that article really click-baited it up to make it look like a consumer IoT issue. In the original bug report it is not called a dishwasher.
(Score: 3, Funny) by Azuma Hazuki on Wednesday March 29 2017, @03:59PM (1 child)
This is a secret plan by Dr. Wily and the WWW to infiltrate all of networked society and destroy the world. Luckily I know exactly how to deal with this little pest: Bubbleman.exe hides behind a rock, but if you can break it and area-lock him with a couple of AreaGrab or MetaGel1 chips he's a sitting duck. Just get right up in his face and unload any sword-type chips you've got. It's even better if you have an Elec style on as your charge shot will stunlock him!
I am "that girl" your mother warned you about...
(Score: 2) by AndyTheAbsurd on Thursday March 30 2017, @12:05PM
This may be the best reply to any SN or /. comment that I have ever received...
Please note my username before responding. You may have been trolled.
(Score: 3, Insightful) by VLM on Wednesday March 29 2017, @12:25PM (5 children)
since their lack of experience
It's a good example of being way outside your area of expertise, as Miele has a generally good reputation aside from webservers.
I would imagine if Nginx Inc tried to make a dishwasher it wouldn't turn out very well either.
(Score: 2) by Arik on Wednesday March 29 2017, @02:01PM (4 children)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by DECbot on Wednesday March 29 2017, @02:30PM (3 children)
My boss's son can fix his own dishwasher. Perhaps he can help you design one.
cats~$ sudo chown -R us /home/base
(Score: 3, Funny) by VLM on Wednesday March 29 2017, @03:17PM (2 children)
You have to be willing to move fast and break things in this internet economy. I suggest the dishwasher sprayer arm have a 25 HP motor, what could possibly go wrong?
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @03:28PM (1 child)
I think a dishwasher that breaks things will not be well-received.
(Score: 1) by Soylentbob on Wednesday March 29 2017, @07:32PM
It might be, by the bone china industry...
(Score: 3, Insightful) by Justin Case on Wednesday March 29 2017, @01:47PM (5 children)
How long before we can get it legalized to line up the developers of this garbage and smack them upside the head with cluebats?
Really, it is as if nothing whatsoever is being learned since about the time of Netscape Navigator 1.0. We still have the same stupid mistakes being made over and over and over and over and over and ...
Very Bad Ideas are called out right at the initial design phase and yet the idiots plow ahead, willfully(?) oblivious. It is past time for some major attention-getting consequences.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @02:48PM
It's institutionalized. Really.
In my company, a well known Technology company (but not one of the A-list like Amazon, Google, etc.), we have leaders who just don't understand technology. They have technology backgrounds, but when it comes to making technology-based decisions, they are clueless. This leads to them hiring/promoting other leaders who are equally clueless. And on down the line to developers who can code, but don't think about why/how they are coding. All the good people give up and leave (or vest in peace). Trying to get people to think about security is hard. Trying to get them to understand scale and complexity is hard. It's depressing how many people don't know what Big-O is...
If you want to fix a company, start at the top. The developers are not the root cause of the problem. They may need to go eventually as well, but not first.
(Score: 2) by JoeMerchant on Wednesday March 29 2017, @03:21PM
There's an ISO standard, or ten, in development for that.
Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 29 2017, @07:08PM (2 children)
there seems to be some confusion by you techies. making money is the primary goal. not wise use of technology. not security. when you finally accept the reality, you'll find your career in IT is as pointless as chasing the american dream.
(Score: 0) by Anonymous Coward on Thursday March 30 2017, @05:07AM
There is no pride in your product these days--only net profit matters.
In the race to the bottom that is late stage, global capitalism, only by making ever shoddier goods (no corner too cheap to cut) can you keep profits growing.
(Score: 2) by kaszz on Thursday March 30 2017, @02:20PM
That's why products like cars and medicine are guarded by laws, such that reckless entities get whipped by the law. Making a profit is alright, externalizing costs ain't.
(Score: 5, Insightful) by DannyB on Wednesday March 29 2017, @02:23PM (11 children)
The only way to fix this is to make IoT manufacturers liable for any damages caused by their devices getting hacked. That includes large botnets of their devices attacking something and causing serious and expensive damage.
Yes, really. Make the manufacturer liable.
When I buy a toaster, I expect that it will not burn my house down. When I buy an IoT device, I expect it won't get hacked and participate in a large botnet.
These devices could be made orders of magnitude more secure if the manufacturer were willing to spend some more money on it. If all manufacturers had such liability, they might cooperate on best practices to make it easier for all of them to build more secure devices. If they think the costs of building in good security are too high for the potential market, then maybe they should reconsider whether this particular IoT device is actually needed or worth building.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @04:06PM (3 children)
Yes and maybe hire American engineers rather than cheap H1B visas educated in foreign degree mills and Chinese government agents.
(Score: 2) by DannyB on Wednesday March 29 2017, @06:06PM (2 children)
Yes. But that goes back to the deeper problem of being cheap and cutting corners. Putting liability upon the manufacturer for damages caused would suddenly give them an incentive not to do this and other cheap corner cutting. The broken economics of the damage cost is the basic problem. Put the cost of those damages where it belongs. Someone else's business should bear the cost of an attack caused by ten thousand borked webcams cheaply implemented with no security. Put that liability upon the manufacturer of those webcams. (Not the users of them, but the manufacturer.)
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by kaszz on Thursday March 30 2017, @02:23PM (1 child)
The result is that lawyers make a profit and corporations with deep wallets will order laws that allow only them to continue to exploit others.
Investors and lawyers f-cked internet. Don't let them in, ever.
(Score: 2) by DannyB on Thursday March 30 2017, @03:49PM
You left out advertisers. And trolls.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by bob_super on Wednesday March 29 2017, @06:15PM (4 children)
These devices could be made orders of magnitude more secure if the manufacturer were willing to spend some more money on it. If all manufacturers had such liability, they might cooperate on best practices to make it easier for all of them to build more secure devices. If they think the costs of building in good security are too high for the potential market, then maybe they should reconsider whether this particular IoT device is actually needed or worth building.
IoT gimmicks are a way to keep justifying higher prices, so shareholders don't get pissed.
Anything that's light and small is built in China, and heavy things are built closer with automation. Basic appliances are doing their job well enough, and prices of "good enough" are going down.
Security doesn't matter, and our lobbyists will not let anyone think that it should be.
We need to be able to advertise new features, and sell more expensive products, or the Almighty Growth is threatened.
(Score: 2) by DannyB on Wednesday March 29 2017, @07:29PM (3 children)
That is all fine and good as long as they can't shift the cost of major hacking attacks to the victims of those attacks. That's my rationale for why the liability should be upon the manufacturers. It might change their thinking about what keeps shareholders happy.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 3, Insightful) by bob_super on Wednesday March 29 2017, @07:41PM (2 children)
My rationale being that the reasonable law you suggest would be a threat to manufacturers' bottom line.
That's the kind of things brib^W lobbying is there to prevent, comrade.
Manufacturers also will skip paying any tax, keep lobbying for smaller government, but rely on the NSA to protect the banks where they stash their bonuses, from their own products.
(Score: 2) by DannyB on Wednesday March 29 2017, @07:47PM (1 child)
The NSA may be one party that is quite happy about massive numbers of easily hackable IoT devices. They are beachheads into all kinds of networks.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by bob_super on Wednesday March 29 2017, @09:05PM
I believe the NSA prefers hard to hack devices, so they don't have to share the resource with script kiddies.
(Score: 0) by Anonymous Coward on Thursday March 30 2017, @06:21AM (1 child)
First my cynical comment: you're dreaming. You've forgotten who pays the lobbyists to overwhelm Congress.
Second, I'm 100% with you. In fact, if I was king (please elect me) all electronics would have a _minimum_ 10 year warranty. And I'm an EE. Software, maybe forever. I do sw eng too. I would much rather refine something, and only ship it when it's really well tested. Step back and look at what MS gets away with. And when they _STILL_ have not fixed all bugs, they're allowed to say "your OS is unsupported and dangerous - upgrade required". If I was king I would make them eat words like that, literally. In prison. Linux succeeds because of refinement. Lots of testing. Cautious stable releases.
Among too many things I do, I also repair appliances. Only worked on 1 or 2 Miele things, but have heard they're difficult to get parts and service info for.
(Score: 2) by kaszz on Thursday March 30 2017, @02:30PM
Demand that appliance manufacturers (or distributors) put drawings, schematics and the firmware source code in escrow. Once the manufacturer stops supplying spare parts or security firmware updates, the escrow handler releases it. Won't matter if they go bankrupt, become unreachable or just EOL. There will be a default rescue path.
Another added feature would be to bill for the additional e-waste whenever a product goes EOL.
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 29 2017, @02:41PM (1 child)
1) Security through making it so easy that a hacker would be embarrassed to use the mode
2) Letting the folks in the field do the regression testing
3) Not so much
(Score: 0) by Anonymous Coward on Thursday March 30 2017, @10:49AM
Probably something along the lines of "If we make it an IoT device we get a whole new patent out of it".
(Score: 3, Interesting) by HiThere on Wednesday March 29 2017, @03:25PM (1 child)
Which brings to mind the question: is the current DDOS of the US net based around IOT devices? I've speculated that it is, but I don't have any real information about it, except that certain sites haven't been accessible for several days. (One of which is my e-mail server.) I wasn't even sure it was a DDOS until I did a google search last night, and found one reported under "internet problems". Seems like the East Coast of the US has a LOT of problems right now.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Funny) by captain normal on Wednesday March 29 2017, @04:13PM
Trump is loading it down with all his tweeting. :-)
"It is easier to fool someone than it is to convince them that they have been fooled" Mark Twain
(Score: 2) by wonkey_monkey on Wednesday March 29 2017, @07:17PM
Dishwasher has Directory Traversal Bug
Ugh. Why do open source software writers insist on giving their software completely meaningless names? It makes it so hard to-
A directory traversal bug has been found in a Miele dishwasher.
Oh. An actual dishwasher. Sheesh. An industrial one, but still...
systemd is Roko's Basilisk
(Score: 2) by inertnet on Wednesday March 29 2017, @07:38PM (1 child)
Skynet has just been renamed to IOTnet.
And there's nothing we can do about it.
(Score: 0) by Anonymous Coward on Wednesday March 29 2017, @07:54PM
Just as long as they finally get around to making a 3rd movie. That fanfic about "Genisys" had some decent ideas like Skynet being an Appy App but I think it was written by SquirrelKing or something. Maybe if they have John Henry going back in time to form the Botnet of Things so they can include T:SCC as well.
(Score: 2) by jmorris on Wednesday March 29 2017, @10:15PM (1 child)
Stop bitching about IoT and do something about it. Do not buy it, we are all early adopters so provide proper leadership and do not buy any of it under the current broken and one sided system.
Insist on some sane ground rules before even considering buying any of this crap.
1. If it depends on the vendor's website, the vendor must promise, in writing and backed by a bond, that the website will be maintained for at least ten years beyond the last non-clearance sale of the product. If it is tied to an app, it must be maintained, including porting it to new platforms that rise to 10% or more market penetration, for the same period. Or the protocol can be fully documented in sufficient detail to permit anyone with normal skill to develop one themselves.
2. If the software installed is locked down so that it can't be patched by the owner, security updates must be provided for the same ten year period OR the locks released and the same board support package used for the original development made available to all registered customers at no cost. GPL preferred of course but even if closed, customers must get a copy at zero cost if the product is abandoned.
(Score: 2) by kaszz on Thursday March 30 2017, @02:33PM
I doubt your points will happen anytime soon.
But practically one can always tell the seller "full docs or no deal". Or make sure one can hack it oneself with proper firmware.
(Score: 2) by kaszz on Thursday March 30 2017, @02:43PM
A dishwasher from Miele [wikipedia.org], model PG 8528 [miele-pro.com], has a gaping security hole [theregister.co.uk] in the form of not protecting against directory traversal, which will deliver the /etc/shadow password file to anyone with connectivity and an IP. The device also features five RS-232 interfaces and is designed for restaurants and bars. Miele has ignored contacts made on the issue since November 2016.
There are some Miele fridges and freezers that use the same circuit board, and they send out an email when the door has been open for more than 15 minutes or if the machine is unable to cool properly. [hackaday.com] Some models of Miele washing machines for clothes feature an infrared connection that makes it possible to reprogram them.
A personal reflection is that IoT security is a joke [hackaday.com]. However, unlike The Register newspaper, which suggests "Appliance makers: stop trying to connect stuff to networks, you're no good at it.", perhaps it's better to offer stable software interfaces designed to be read by other machines, which eliminates the html-webserver, and keep all connectivity in-house, oh and let the wireless swamp be tin foiled. So in the company of the Barbie listening spy toy, car killer [wikipedia.org], conspiring toaster, password fetching kettle [theregister.co.uk], bugged rifle, ogling thermostat, hackglitch bulb, door opener for anyone, one can ask the television set.. tv-tv-on the wall, who's looking at me now? :-)
Unplug, tinfoil wrap, firewall and audit [owasp.org] all that Internet-of-Trouble.
(submitted earlier as a main page post)
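The bug kaszz describes above (an embedded web server that hands out /etc/shadow to any request containing enough `../` segments) comes down to one missing check in the file handler. The following is an added example, not Miele's code or anything from the article: it shows the naive path join beside a hardened resolver, and runs that resolver as a detector over a few constructed access-log lines. The document root and the log format are assumptions.

```python
"""Directory-traversal check and detection for an embedded web server (added example)."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

DOCROOT = "/var/www"   # assumed document root of the appliance's web server


def naive_resolve(docroot: str, url_path: str) -> str:
    """The classic mistake: glue the request path straight onto the docroot.
    A request for /../../etc/shadow becomes /var/www/../../etc/shadow, which the
    kernel happily resolves to /etc/shadow. Kept only to contrast with safe_resolve."""
    return docroot + url_path


def safe_resolve(docroot: str, url_path: str) -> Optional[str]:
    """Return the path to serve, or None when the request escapes the docroot.

    Steps: percent-decode twice (catches %2e%2e and the double-encoded %252e;
    conservative, since a legitimate file named '%2e' would be refused),
    reject NUL bytes, normalise '.' and '..' lexically, then require the result
    to stay under the docroot prefix. A real handler should additionally
    realpath() the result and run as an unprivileged user, so that symlinks
    inside the docroot and filesystem permissions both act as second lines of
    defence (a server that cannot read root:shadow files cannot leak them)."""
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded:
        return None
    # Treat every request as relative to the docroot, even if it starts with
    # several slashes or with backslashes (some servers map '\' to '/').
    rel = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(docroot, rel))
    root = docroot.rstrip("/")
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


# Constructed Common-Log-Format access lines, not real appliance traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2017:11:42:00 +0000] "GET /status.html HTTP/1.1" 200 512
10.0.0.9 - - [29/Mar/2017:11:43:10 +0000] "GET /../../etc/shadow HTTP/1.1" 200 1180
10.0.0.9 - - [29/Mar/2017:11:43:12 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 902
10.0.0.5 - - [29/Mar/2017:11:44:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8192
"""


def flag_traversal_requests(log_text: str, docroot: str = DOCROOT) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for every log line whose path would
    escape the docroot. Useful for auditing an appliance's logs after the fact,
    since the same check that should have blocked the request also flags it."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()          # ['GET', '/path', 'HTTP/1.1']
        if len(request) < 2:
            continue
        path = request[1]
        if safe_resolve(docroot, path) is None:
            hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```
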