In 2017, previous predictions of Refrigergeddon – where the Internet of Vulnerable Things starts to go malicious – may have landed on the wrong white-goods product, with maker Miele showing how Washergeddon could start.
During the weekend, CVE-2017-7240 appeared from Jens Regel of Schneider & Wulf, who said he found a directory traversal vulnerability on a Miele Professional PG 8528 appliance.
“The corresponding embedded web server ‘PST10 WebServer’ usually listens on port 80 and is subject to a directory traversal attack, so an unauthenticated attacker may be able to exploit this issue to access sensitive information in order to help with subsequent attacks,” Regel said.
According to Regel, he was able to request the shadow file from the on-board system – and by extension any file on the filesystem – and after contacting Miele, he had no response from them for more than three months.
“We are not aware of an actual fix,” Regel wrote.
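As an added illustration, not code from the advisory or from Miele, the following Python shows the two checks a defender wants around a traversal bug like the one described above: a scan of web-server access logs that flags requests whose decoded path contains `..` segments (including percent-encoded forms), and a path-resolution routine that confines every request to the web root. The log lines, client addresses and web root are constructed for the example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [23/Mar/2017:10:01:05 +0000] "GET /../../../../etc/shadow HTTP/1.1" 200 1024
192.0.2.12 - - [23/Mar/2017:10:01:09 +0000] "GET /reports/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2048
192.0.2.13 - - [23/Mar/2017:10:01:12 +0000] "GET /reports/2017-03.txt HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_path(raw: str) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw.replace("\\", "/")  # treat backslashes as separators too


def is_traversal(raw_path: str) -> bool:
    """True when any path segment of the decoded request is '..'."""
    return ".." in decode_path(raw_path).split("/")


def find_traversal_requests(log_text: str) -> List[str]:
    """Return the client address of every log line whose request path traverses."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append(line.split()[0])
    return hits


def safe_resolve(webroot: str, raw_path: str) -> Optional[str]:
    """Map a request path onto a file under webroot; None if it would escape."""
    root = os.path.realpath(webroot)
    rel = decode_path(raw_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None
```

Run against the constructed log, the scan reports the two clients that requested files outside the web root, while `safe_resolve` returns `None` for the same paths instead of serving them.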
On the Miele Page for the product in question, it describes how an Ethernet connection is used to retrieve text reports from the machine.
“The ethernet interface is the universal solution for data exchange,” the page explains. “Compared to other interfaces, the user is offered a particularly high level of functionality.”
Each washer comes with a 5m cable to allow the device to have connectivity, with the product user manual offering these reassuring words: “Only Miele Technical Service can connect the cable to another interface”.
The IoT security situation is unlikely to improve anytime soon, with Mikko Hyppönen, director of research at F-Secure, saying last week that manufacturers will continue to install cheap hardware in their devices for collecting data.
“The price of turning a stupid device into a smart device will be 10 cents,” Hyppönen said.
“It will be so cheap that the vendors will put the chip in any device, even if the benefits are very small. But those benefits will not be benefits for you, the consumer – they will be benefits for the manufacturers because they want to collect analysis.”
“The IoT devices of the future won’t be online to your advantage – you won’t even know it’s an IoT device.”
Whenever the Washergeddon cycle begins, one thing is clear: it won’t be pretty.