{"id":180506,"date":"2017-03-29T17:32:00","date_gmt":"2017-03-29T22:32:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2017\/03\/29\/more-news-from-the-internet-of-things\/"},"modified":"2017-03-29T17:32:00","modified_gmt":"2017-03-29T22:32:00","slug":"more-news-from-the-internet-of-things","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2017\/03\/29\/more-news-from-the-internet-of-things\/","title":{"rendered":"More News from the Internet of Things"},"content":{"rendered":"<div>In another episode of how manufacturers are f%$#ing things making ordinary objects around your house internet enabled, now <a href=\"https:\/\/www.theregister.co.uk\/2017\/03\/26\/miele_joins_internetofst_hall_of_shame\/\">hackers can take over your dishwasher<\/a>:<\/div>\n<blockquote><p><span style=\"color: blue;\">Don&#8217;t say you weren&#8217;t warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report \u2013 and it&#8217;s accused of ignoring the warning. <\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">The utterly predictable <a href=\"http:\/\/seclists.org\/fulldisclosure\/2017\/Mar\/63\">vulnerability advisory<\/a> on the Full Disclosure mailing list details CVE-2017-7240 \u2013 aka &#8220;Miele Professional PG 8528 &#8211; Web Server Directory Traversal.\u201d This is the builtin web server that&#8217;s used to remotely control the glassware-cleaning machine from a browser. 
<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">\u201cThe corresponding embedded Web server &#8216;PST10 WebServer&#8217; typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,\u201d reads the notice, dated Friday.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">\u2026\u2026\u2026<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">And because Miele is an appliance company and not a pure-play IT company, it doesn&#8217;t have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher&#8217;s web server vuln \u2013 Jens Regel of German company Schneider-Wulf \u2013 complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">Appliance makers: stop trying to connect stuff to networks, you&#8217;re no good at it.<\/span><\/p><\/blockquote>\n<p>I would also add, regulators need to police this stuff, and civil liability law needs to be rewritten to ensure that the manufacturers, and perhaps senior management, are explicitly liable for this crap, including punitively harsh mandatory penalties.<\/p>\n<p>If copyright trolls can threaten 6-figure judgements against people&#8217;s kids who BitTorrent a Nickelback song,<sup>*<\/sup> then these manufacturers need to face at least that much jeopardy.<\/p>\n<p><sup>*<\/sup><span style=\"font-size: xx-small;\">I will note, if your kids are downloading Nickelback, I do think that a visit from Child Protective Services (CPS) might be in order, because, well, it&#8217;s<b> f%$#ing Nickelback<\/b>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In another episode of 
how manufacturers are f%$#ing things making ordinary objects around your house internet enabled, now hackers can take over your dishwasher: Don&#8217;t say you weren&#8217;t warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[395,420,588,541],"class_list":["post-180506","post","type-post","status-publish","format-standard","hentry","tag-computer","tag-consumer-electronics","tag-fail","tag-security"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/180506"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=180506"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/180506\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=180506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=180506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=180506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}