Miele's networked disinfecting hospital dishwasher has a gaping security flaw

yes but. the manual says the ethernet connection must installed (and used?) only by a Miele technician, the customer interface is only via a serial bus (quite common in the healthcare sector).

no excuse for a totally b0rken httpd, though


Don’t mention the war.

1 Like

Somewhere I still have a ROM for a tiny embedded OS I produced to run on an in-house SBC using a CMOS 8088 back in the day. Because as soon as you want to be able to keep track of time, input and output to some serial connection, read asynchronous A/Ds, check switches, read a keypad and drive an LCD, even a 40-character single line, you need some sort of OS or you will be in a whole world of pain with an assembler hairball that is utterly unmaintainable.

What has, I think, gone wrong is that it is now so easy and cheap to use a full desktop OS as an embedded OS that people have stopped thinking. It’s just so easy to let someone else control the Ethernet and supply the web server. When I had to do an embedded design which had to do some real computing a few years back, I used ejabberd for the messaging and Tomcat for the web server and spent days removing every single thing that wasn’t needed. Someone can’t create an in-band connection to your ejabberd if the entire module is missing, even if you screw up the configuration. If your Tomcat is rebuilt with entire classes missing, certain attacks become impossible. But what I’m seeing is that people just don’t seem to do this any more. It’s free, might want it one day, why not keep it? Apache is so standard. PHP is so easy to use…and here’s the house with all the windows open and no locks.


Apparently the manufacturer of this “dishwasher” used your strategy; doesn’t seem to be working well…


Yeah, I think that’s the core of the problem. It seems that a culture of handling trade-offs has been largely lost now that hardware is no longer a limiting factor (in most cases anyway).

Bundling into an stand-alone application the functionalities usually delegated to the OS or third-party software is probably overkill for many products (and requires know-how that is not exceedingly common), but I think it should be the way to go for the Internet of Things, among others (voting machines, too, if they weren’t a bad idea no matter what).


Bah. I work for a hospital system in IT. We have embedded Windows 2000 and XP in some devices like sterilizers and drug and inventory dispensers. They’re mostly VLANed and protected from the outside world, but still… WTF?

Even better are the gamma knives running its control software on Windows XP (at latest). We can’t even do AV updates on or scan it because if it causes a pause somewhere along the line then somebody gets hurt.

The problem is that vendors don’t update their stuff and the systems people don’t procure this stuff, the clinical technology people do. They execute a contract and have devices in place, and there’s certainly no money to replace them. All we can do is mitigate.


Security is important.

Arrogant, obstructive, self-absorbed security dicks are not.


I was shopping for dishwashers a couple years ago, and the cheapest bog-standard home-use-only Miele dishwashers are already seriously expensive. I can’t even imagine what a unit like this would go for.

There’s one on sale at dot med.

Brand new never installed Miele PG 8582 washer disinfector. This unit will come with the A-202 load carrier, A-103 upper basket, E-142 mesh tray, inserts for instruments, drainage water cool down kit and more. Freight shipping available from our location to yours. Professional installation also available from us at your facility. (restrictions apply). Grab this unit at a significant savings off MSRP.

They’re asking $9,995.

1 Like

They might be using busybox.

1 Like

I was describing the mindset of the careless programmer.

On the other hand, the people complaining about security dicks saying “no” are all too often the same people who use “password1” as their password or cheerfully open .doc.exe attachments. :scream:

1 Like

You’re right, there is a communication problem around security generally, and computer security in particular.

The problem is that security dicks are fucking terrible at communicating.


Yup. Part of the problem is that few people seem to be interested in how computers and networks work, beyond “getting on Facebook” or “opening a Word document.” Their eyes glaze over when you explain to them that email is NOT in any way, shape, or form a trustworthy communications medium, or that the “message about their email account” is really a phishing scam.

Also, It’s hard to balance “I need to do X because of Y” with “You can’t do X because of Z” where Y is a Good Thing and Z is a Bad Thing.

1 Like

You’re blaming the users yet again. I recommend you stop doing that.

Uh, no. I’m not just blaming the users. There’s plenty of blame to go around, especially (as I mentioned above) that email is not secure - not to mention the miscreants who ruin things for all of us. In a perfect world, it wouldn’t be necessary to lock down corporate desktops. Unfortunately, we don’t live in a perfect world, not by far. Cleaning up infected PCs is not fun, and don’t get me started about the Internet of Shit.


Miele are famous for things like keeping just about all parts in stock forever. I am about to have to get rid of a 7 year old dishwasher because the door handle is broken (!) and the wheels on the lower tray are coming off, and neither part is available any more. Miele next time, just like the last freezer I bought.

1 Like

Cars were like that in the early days; people didn’t know how they worked and didn’t want to till they ended up in a ditch, or dead in the wreckage. So driving tests were introduced, and “network safety systems” like traffic lights were brought in.

If someone goes through a red light, it’s their fault. Consequences may be injury, fines, increased insurance rates, even loss of driving licence. But when business computer users do the equivalent, they tend to get off free. I agree with your balanced view; the users are at least partly to blame, though managements share responsibility. If the IT people in your company are restrictive anal retentives, consider whether it’s because you have particularly negligent users or management.


The software is the least of its problems, it seems to me.

External casing in 1.4301 grade stainless steel, grain brushed to 220 grade.

So, it’s a machine designed to kill dangerous human pathogens, but the entire outer shell is made of a material that is optimally suited to growing and spreading them.

This is typical of hospitals in the USA - there’s a love affair with stainless steel, a valuing of the false appearance of cleanliness over actual hygiene. Meanwhile hospital infections kill more people each year than AIDS and breast cancer combined.

Stainless is appropriate to the internal disinfection chamber itself. No other part of the machine should be made of stainless if it’s to be used in a hospital environment! Hospitals aren’t supposed to infect and kill people out of stylishness, but it’s almost certainly going on in the US hospital nearest you.

1 Like

I freely admit when I first read your comment I thought it was totally plausible that there was some software category called a “pantheon” (seems no stranger than Oracle, Hyperion, Hydra, etc.) and some event in the history of computing called the “trilobite wars.” It seemed off enough that I googled both, found nothing, and assumed it was a joke, though.