The Internet of Things has consistently been plagued with security concerns, although criticism has mainly been targeted at small brands focused on residential products. That’s because those smaller firms tend not to have the expertise or the resources to efficiently protect their devices. The latest IoT security flaw, however, isn’t plaguing some unknown Chinese manufacturer. In fact, the bug affects one of the best-known German appliance manufacturers, Miele.
Miele’s internet-connected dishwasher is at the centre of the latest IoT security controversy, after a bug report at Full Disclosure noted that: “The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”
What this latest bug means is that anyone connected to the network can easily access directories other than those needed by the web server. The attackers will also be able to insert their own code and tell the web server to execute it, meaning it’s entirely possible that one of Miele’s connected dishwashers could go rogue.
Currently the recommendation is to simply disconnect the dishwasher from the internet, although that’s unlikely to be good news for those who bought the Miele Professional PG 8528 dishwasher. Thankfully, the internet connection is not required for the device to function; it uses the Ethernet connection only for diagnosis and maintenance functionality.
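Operators who keep HTTP logs from a proxy or network monitor in front of a device like this can check them for requests that climb above the web root, which is how a directory traversal shows up in traffic. The following Python is an added example, not code from the advisory or from Miele; the access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def escapes_docroot(target: str, max_decodes: int = 3) -> bool:
    """True if the request target climbs above the web root once decoded."""
    path = target.split("?", 1)[0]
    # Decode repeatedly so double encoding (%252e%252e) is caught too.
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # some servers accept backslashes
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # went above the document root
                return True
        else:
            depth += 1
    return False

def find_traversal_requests(log_lines):
    """Return (source_ip, target) for each logged request that leaves the root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2017:10:00:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 733',
    '192.0.2.44 - - [01/Jan/2017:10:00:09 +0000] "GET /img/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 901',
    '192.0.2.10 - - [01/Jan/2017:10:00:12 +0000] "GET /css/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

A path such as `/css/../index.html` is not flagged because it never leaves the root; only targets whose net depth goes negative are reported.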
The Miele Professional PG 8528 is a washer-disinfector designed for use in hospitals and laboratories, so security is likely to be an important factor for those institutions. This flaw could be embarrassing for the German appliance manufacturer.
Jens Regel, the researcher who found the bug, noted that he first reported the flaw to Miele in November 2016. He says the company never responded to his concern.