Don’t say you weren’t warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it’s accused of ignoring the warning.
The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka “Miele Professional PG 8528 – Web Server Directory Traversal.” This is the built-in web server that’s used to remotely control the glassware-cleaning machine from a browser.
“The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” reads the notice, dated Friday.
And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher’s web server vuln – Jens Regel of German company Schneider-Wulf – complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.
Appliance makers: stop trying to connect stuff to networks, you’re no good at it.
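The defensive side of the bug class named in the advisory, as an added example that is neither Miele’s code nor taken from the advisory or the article: a request-path resolver that refuses traversal before any file is opened, and a scan of constructed access-log lines for the requests it would have refused. DOCROOT, the function names and the log lines are assumptions, not details of the PST10 WebServer.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root, not the PST10 layout

def resolve_request_path(url_path, docroot=DOCROOT):
    """Map a request path onto a file under docroot. Returns (fs_path, None)
    when the request stays inside docroot, or (None, reason) when it must be
    refused. Decode first, so an encoded '..' (%2e%2e) is seen as a literal one."""
    decoded = unquote(url_path)
    if unquote(decoded) != decoded:
        return None, "double-encoded path"
    if "\x00" in decoded:
        return None, "NUL byte in path"
    decoded = decoded.replace("\\", "/")  # some servers accept '\' as a separator
    if ".." in decoded.split("/"):
        # A fixed-content device has no reason to serve a parent directory.
        return None, "parent-directory component"
    # Re-root under docroot so that an absolute request path cannot escape it.
    rel = posixpath.normpath(decoded).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(docroot, rel))
    # Containment check as a second line of defence (symlinks still need os.path.realpath).
    if posixpath.commonpath([docroot, candidate]) != docroot:
        return None, "resolved outside document root"
    return candidate, None

REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/1\.[01]"')

def traversal_attempts(log_lines, docroot=DOCROOT):
    """Run the resolver over access-log lines and return (line_no, path,
    reason) for every request it would have refused."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]  # drop the query string
            _, reason = resolve_request_path(path, docroot)
            if reason is not None:
                hits.append((n, path, reason))
    return hits

# Constructed sample log lines for the demonstration (not real PST10 output).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2017:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2017:10:00:02 +0100] "GET /../../etc/passwd HTTP/1.1" 200 881',
    '10.0.0.9 - - [24/Mar/2017:10:00:03 +0100] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 881',
    '10.0.0.9 - - [24/Mar/2017:10:00:04 +0100] "GET /%252e%252e/config HTTP/1.1" 404 0',
]
```

Any hit returned by `traversal_attempts` is a request the server should have answered with 400 or 403; a 200 on such a line is the signal that the server is not doing this check.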
I would also add that regulators need to police this stuff, and civil liability law needs to be rewritten to ensure that the manufacturers, and perhaps senior management, are explicitly liable for this crap, including punitively harsh mandatory penalties.
If copyright trolls can threaten six-figure judgements against people’s kids who BitTorrent a Nickelback song,* then these manufacturers need to face at least that much jeopardy.
*I will note, if your kids are downloading Nickelback, I do think that a visit from Child Protective Services (CPS) might be in order, because, well, it’s f%$#ing Nickelback.