Miele's networked disinfecting hospital dishwasher has a gaping security flaw


#1

Originally published at: http://boingboing.net/2017/03/27/the-brave-little-dishwasher.html


Anyone interested in a job? Miele is hiring ; )
#2

Another day, another step closer to Skynet. Thank goodness for security holes.


#3

Looks expensive. So much so that I’m torn between assuming ‘eh, Linux 2.6, Apache version older than most pantheons’ and ‘Win2k server embedded, IIS build that served in the trilobite wars’.


#4

I think there is a killing to be made selling per-device network firewalls that only proxy legit network traffic. Basically a black box that does all the validation and error-checking that the original manufacturer neglected to implement.


#5

Unless you are using unmanaged switches or something, you shouldn’t need additional gear to isolate devices and force traffic to/from them through your choice of firewall, proxy, IDS, etc.

Tricky bit is knowing what ‘legitimate’ looks like; and what sources and destinations produce it. Selling little plastic boxes would probably be a thankless task; but selling subscriptions to rulesets that cover the zillion and one devices out there is definitely a business (edit: normally said subscriptions are attached to one, or a redundant group, of more powerful appliances at the edge of the network; and people often just go with the ‘scary internet out there, firewall, warm fuzzy intranet’ design; but you can run internal traffic through as well, if you put in the extra effort.)

Users whine, a lot, when the firewall breaks their stuff; even when you explain that it’s all in the name of security.


#6

Users whine, a lot,

That’s because security clowns think they are the be all and end all. No, the people who make shit, and do shit, and sell shit are the business. You’re just a fucking enabler for the business. That’s it. If all you can do is disable the business in pursuit of mythical “security”, you may as well fuck off.

Stop playing the victim card, and do your job.


#7

Pity. It looks like my sarcasm calibration is off, again. I just can’t keep it in the ‘evident; but not brutally ham-fisted’ range.

I was hoping that invoking the trilobite wars would do it.


#8

Sorry. I might be a little sensitive to too many security dicks turning up to meetings obviously unprepared, then arrogantly rolling out the “no” with the only apparent rationale being that they can’t be bothered thinking about the problem …


#9

“If you wash dishes, you’ll always have a job,” said Mom.


#10

Followup:

“If you wash dishes and have a security clearance, you’ll always have a job.”


#11

I can definitely appreciate the sentiment. I have to fight it endlessly as well. But when you tell the IT people to f— off, and then, say, your payment system leaks customer credit card info into the wild, then it might be a different story.

Best case, you take the PR hit and pay for some credit score reporting. (Though it reportedly cost Target over $150 million.) Worst case, you might actually have some liability if you’re on record telling your IT department to forget about it.


#13

Yeah, in a well-managed network with lots of resources that would be the case. But there are a lot of sites that don’t live up to those standards. For them, an inline “digital condom” that they can use to put out a fire would be a high-margin product because putting out fires is always the most expensive route. Might even be able to sell it to the manufacturer who then distributes it to all of their users as a way to avoid developing in-house security expertise.

A smart business would offer both individual condoms and centralized device filtering. Maybe even a third option for residential users - route all of their IoT traffic to a big firewall-in-the-cloud via vpn.


#14

I can actually relate a story that is kind of ironic to the BB post, but I won’t call out names as that might not be appropriate.
But let’s just say that sometimes business unit VPs get their way when IT says “hey, you need to move your (customer facing) web app off Windows 2003 servers (in the DMZ) because of xyz security holes.” Then one of those holes is exploited and everyone spends a weekend moving said web app off said 2003 servers and the exploit becomes public knowledge.
The whole thing could have happened with regular work and a regular change control, but instead everyone had to endure (another) Chinese fire drill.


#15

What do you mean it doesn’t have a bug cleaning setting?


#16

I’m not up to date with all these fancy connected thingies and how they are supposed to work, but the things I hear about them gives me the impression that they have operating systems installed. If so, I can’t help finding it ridiculous. I guess it’s for cutting corners in development, but… Nope, can’t find a justification for it.


#17

Hopefully no one uses that hacker tool Google to look for strings used on the dishwasher pages, like people have done for network printers and other boxes.


#18

What’s weird is that on most “normal” networks, someone would have had to do some extra work to expose this to the public network. Give it a static internal IP, set up a route between a public IP and the internal IP, and pass http traffic from the public IP to the device. Just plugging it in to the network isn’t (usually) enough to allow connections from the Internet. Exceptions made for particularly shitty devices that automatically register with a “cloud portal” or use UPnP (along with a consumer-grade firewall) to open up the ports and routes.

On a hospital network that is presumably managed, someone made the decision that this thing needed to be accessible from anywhere in the world.


#19

Near as I can figure out, this particular Miele is designed to sterilize medical equipment. Every time the dishwasher is used, a report is generated that allows the hospital to trace a particular scalpel to a particular set of sterilization parameters. If something goes wrong the hospital has a record, and knows to recall every item in that load.


#20

Yeah, but it’s not a general purpose computer. Not even a multi-purpose one. So I’m perplexed at the idea that it may have an operating system installed.