The IoT Spin Cycle

By Adam Cecchetti

Over the weekend, this finding on the Miele Professional PG 8528 was published:

 "An issue was discovered on Miele Professional PG 8528 PST10 devices. The corresponding embedded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1."

For the uninitiated, an attacker over the network or Internet can use a web browser to download the file that stored the dishwasher’s passwords. Tools to then crack the passwords are freely available. Following that, in theory the attacker can then login to the dishwasher and cause it to do their nefariously sudsy bidding.

Having operated a dishwasher professionally in a former life, I can personally tell you we would occasionally troll each other by altering the hot water setting at closing or during shift change, thereby torturing the openers with a higher need for vigilance. This of course begs two following questions:

Q: Why is the dishwasher on the Internet?

A: because the dishwasher is now a computer, and it costs very little to put computers on the Internet.

Q: Why is the dishwasher a computer?

A: Because the dishwasher was always a computer.

Even the ancient constantly-breaking-down model I operated in the mid-90s (mostly by hitting with a large metal ladle because it was always getting too hot) was in fact a computer. It had a tiny 4-bit microcontroller that set the duration for a wash cycle and the water temperature. Had Wifi been available I’m sure someone on the grill line would have found a way to remotely change the temperature mid-shift. 

The CVE listed above was very common in 2000s-era applications as we didn’t fully understand needing to isolate application processing space from system resources. Back then, CodeRed[1] and Slammer[2] were the result of putting computers onto the Internet too fast. We were also only dealing with mostly curious year-2000-level hackers.

They've had 17 years to get better. Meanwhile, many device manufacturers have not spent the last 17 years creating fast patching systems and implementing the Secure Development Lifecycle. Rightly so, they've focused making a better dishwasher.  

Most things around you are computers. Your microwave, dishwasher, blender, TV, electric toothbrush: all computers. Once it was free to put all these devices on the Internet, the next logical leap was to put them on the Internet. As a result we are spinning around both surprised that 2000s era computers keep showing up, but more importantly trying to defend 2000s era computer from a 2017 level Internet. To keep moving forward at closing the gap between our personal lives and the Internet ,we're going to have to keep testing things as if they are about to face the hackers of their era and not from two decades past.