Smart dishwasher found connected to unsecured web server for months

A smart dishwasher has reportedly been found connected to an unsecured web server, giving experts further arsenal to warn about the dangers of IoT devices. A bug report by a security expert alleges that Miele, the manufacturer of the smart dishwasher, ignored the security issue despite having been notified of it, indicating that the smart device may have been left exposed to an unsecured server for months.

According to Jens Regel of Schneider & Wulf, Mieles Professional PG 8528 PST10 devices were found to be prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.

According to Regel, he was able to get his hands on the embedded systems shadow file, which in turn provided him access to all files in the system. We are not aware of an actual fix, Regel said.

According to Mieles product description page, the ethernet connection is used to extract text reports from the dishwasher. The ethernet interface is the universal solution for data exchange, the description states. In comparison with other interfaces the user is offered a particularly high level of functionality.

However, security experts have reportedly bemoaned such situations, warning about the potential dangers such security flaws could pose, and the IoT security situation is unlikely to get any better any time soon.

The price of turning a dumb device into a smart device will be about 10 cents. It is going to be so cheap that vendors will put the chip in anything electronic they produce, even if the benefits are only very small.

But those benefits will not be benefits to you, the consumer – they will be benefits for the manufacturers because they want to collect analytics, and you will probably not even know that it is an IoT device.