A vulnerability has been discovered in the Miele dishwasher's web server.


    Several Miele Professional PG 8528 dishwashers and disinfectors. Photo: Miele

    The Seclists mailing list carries information about an unusual vulnerability, CVE-2017-7240. It is a directory traversal vulnerability in a web server. What is so strange about that? Such vulnerabilities are very common. But here we are talking about the web server of ... a dishwasher! In this case, the hole was found in the Miele Professional PG 8528, an industrial dishwasher-disinfector with built-in Ethernet, a web server and Internet access. Such disinfectors are used in hospitals, research laboratories, etc.

    An internet connection is necessary for a dishwasher so that it can be controlled remotely. It is managed via an embedded web server called PST10 WebServer.

    As the vulnerability description states, the embedded web server listens on port 80, and both the connection and the attack take place over this port. An unauthenticated attacker can connect to the dishwasher and extract passwords from the web server, which can be useful in subsequent attacks.

    Connect to the dishwasher via telnet as follows:

    ~$ telnet 192.168.0.1 80
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character ist '^]'.
    GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

    Dishwasher returns the answer:

    HTTP/1.1 200 OK
    Date: Wed, 16 Nov 2016 11:58:50 GMT
    Server: PST10 WebServer
    Content-Type: application/octet-stream
    Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
    Content-disposition: attachment; filename="./etc/shadow"
    Accept-Ranges: bytes
    Content-Length: 52
    root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::

    As the dishwasher's response shows, it returns the /etc/shadow file. This is the shadow password file, and the root password is recorded there as well.
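The request above succeeds because the server maps the requested path onto the file system without checking where the result ends up. The following added example (not Miele's or the advisory's code) contrasts that pattern with a containment check; `DOCROOT`, the function names and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www"  # assumed document root; the page does not name the real one


def naive_resolve(target):
    """Vulnerable pattern: join the request path to DOCROOT with no check."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(DOCROOT + "/" + path)


def safe_resolve(target):
    """Return the file path to serve, or None when the request escapes DOCROOT."""
    path = unquote(target.split("?", 1)[0])  # decode %2e%2e etc. exactly once
    if not path.startswith("/") or "\x00" in path:
        return None
    resolved = posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))
    # Lexical containment check; a real server should also resolve symlinks
    # (os.path.realpath) before comparing.
    if resolved != DOCROOT and not resolved.startswith(DOCROOT + "/"):
        return None
    return resolved


# Constructed request targets; the first is the one shown in the session above.
REQUESTS = [
    "/../../../../../../../../../../../../etc/shadow",
    "/%2e%2e/%2e%2e/etc/shadow",
    "/img/../index.html",
    "/index.html?lang=en",
]

if __name__ == "__main__":
    for target in REQUESTS:
        print(f"{target!r}: naive={naive_resolve(target)!r} "
              f"safe={safe_resolve(target)!r}")
```

A server that gets `None` back should answer with 400 or 404 instead of opening a file.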

    Shadow passwords are designed to increase security on Unix systems. The idea is that the password hashes are moved from the standard /etc/passwd file to /etc/shadow, which is readable only by root. According to the file format, each line holds a number of colon-separated fields: the username (in this case root), then the hashed password ($1$$Md0i[...snip...]Z001), then the time of the last password change (10933), the minimum number of days before the password may be changed (0), the maximum number of days before the password must be changed (99999), and the number of days before expiry at which the user is first warned to change the password (7).
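As an added example (not from the original article or the advisory), the field layout described above can be turned into a small audit routine that names each field, identifies the hash scheme from its `$id$` prefix and converts the last-change day count into a date. The sample line is constructed: its numbers follow the quoted entry, and the hash body is a placeholder.

```python
from datetime import date, timedelta

FIELDS = ("user", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive", "expire", "reserved")
# crypt(3) scheme identifiers -> (name, weak by current standards)
SCHEMES = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "2a": ("bcrypt", False),
           "2b": ("bcrypt", False), "2y": ("bcrypt", False),
           "y": ("yescrypt", False)}


def audit_shadow_line(line):
    """Split one /etc/shadow line into named fields and list findings."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields")
    entry = dict(zip(FIELDS, parts))
    findings = []
    pw = entry["hash"]
    if pw == "":
        scheme = "none"
        findings.append("no password set")
    elif pw[0] in "!*":
        scheme = "locked"
    elif pw.startswith("$"):
        pieces = pw.split("$")  # $id$salt$hash -> ['', id, salt, hash]
        scheme, weak = SCHEMES.get(pieces[1], ("unknown", True))
        if weak:
            findings.append("weak or unknown hash scheme: " + scheme)
        if pieces[1] in ("1", "5", "6") and len(pieces) > 3 and pieces[2] == "":
            findings.append("empty salt")
    else:  # no $ prefix: traditional DES crypt
        scheme = "descrypt"
        findings.append("weak or unknown hash scheme: descrypt")
    entry["scheme"] = scheme
    if entry["last_change"].isdigit():
        # Field 3 counts days since 1970-01-01.
        changed = date(1970, 1, 1) + timedelta(days=int(entry["last_change"]))
        entry["last_change_date"] = changed.isoformat()
    entry["findings"] = findings
    return entry


# Constructed sample; the hash body is a placeholder, not the device's value.
SAMPLE = "root:$1$$PLACEHOLDERHASHNOTREAL:10933:0:99999:7:::"

if __name__ == "__main__":
    print(audit_shadow_line(SAMPLE))
```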

    Although the password is stored in hashed form, the attacker can attempt a dictionary brute-force attack with some chance of success.

    Clearly, an ordinary attacker has no use for access to a dishwasher as such; it is just the first step toward further penetration of the victim's computer network, including other Internet of Things devices. The dishwasher's password may coincide with the passwords of other services, so a large-scale attack can begin to unfold from this appliance. In addition, an attacker can write their own code for execution on the web server.

    The vulnerability was discovered by the German security expert Jens Regel of the consulting company Schneider & Wulf EDV-Beratung GmbH & Co. KG. He contacted a Miele representative on November 21, 2016, and later sent all the information about the bug. He then tried twice more to get a response, but received no answer. After more than 4 months, Jens Regel posted the information to the Seclists mailing list, that is, made it public.

    Miele Professional PG 8528 dishwashers are not designed for installation in homes, cafes, restaurants or bars. They are primarily equipment for hospitals, where it is necessary not only to wash but also to disinfect large numbers of test tubes, plates and other equipment. The vulnerability has been assigned a severity level of "medium." Indeed, the loss of a dishwasher password poses no critical danger. If the machine were installed in a restaurant or cafe, a neighboring restaurant could deliberately run the dishwasher all night in order to inflict as much economic damage on a competitor as possible by running up electricity and water bills. But what kind of attack can be carried out on a disinfector in a hospital? Disrupt the disinfection procedure in the hope of a viral epidemic?

    As the number of Internet of Things devices grows, such vulnerabilities will be found more and more often. When home appliance manufacturers put a web server into their products, they very rarely think about security. The main things for them are usability and marketing. This is how refrigerators with Internet access and toasters with WiFi appear.

    In the Internet of Things, the number of devices could theoretically be an order of magnitude larger than on the old computer Internet. That leaves plenty of room for creating giant botnets. As we remember, the largest DDoS attack last year was organized through Internet of Things devices: digital set-top boxes and surveillance cameras formed the Mirai botnet.

    The botnet was formed by a worm that infected vulnerable devices with default passwords. Now dishwashers have joined the ranks of vulnerable devices. Will they also become part of future botnets?
