
A vulnerability has been discovered in the Miele dishwasher's web server.


Several Miele Professional PG 8528 dishwasher-disinfectors. Photo: Miele

The Seclists mailing list carries details of an unusual vulnerability, CVE-2017-7240. It is a directory traversal vulnerability in a web server. What is so strange about that? Such vulnerabilities are very common. But here we are talking about the web server of ... a dishwasher! In this case, the hole was found in an industrial dishwasher-disinfector, the Miele Professional PG 8528, which has built-in Ethernet, a web server and Internet access. Such disinfectors are used in hospitals, research laboratories, etc.

The dishwasher needs an Internet connection so that it can be controlled remotely. It is managed through an embedded web server called PST10 WebServer.

As stated in the description of the vulnerability, the embedded web server listens on port 80. Both the connection and the attack take place on this port. An unauthenticated attacker can connect to the dishwasher and extract passwords from the web server, which can be useful in subsequent attacks.

The connection to the dishwasher is made via telnet as follows:

    ~$ telnet 192.168.0.1 80
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character ist '^]'.
    GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

The dishwasher returns this response:

    HTTP/1.1 200 OK
    Date: Wed, 16 Nov 2016 11:58:50 GMT
    Server: PST10 WebServer
    Content-Type: application/octet-stream
    Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
    Content-disposition: attachment; filename="./etc/shadow"
    Accept-Ranges: bytes
    Content-Length: 52

    root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::

As the dishwasher's response shows, it returns the /etc/shadow file. This is the file that holds the shadow passwords, including the root password.
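Why the request above leaves the web root, and the server-side check that refuses it, as an added Python example (this is not code from the PST10 WebServer, whose implementation is not public; the web root `/var/www` and the function names `naive_resolve` and `safe_resolve` are assumptions):

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed document root; the real one is not published

# Request target exactly as sent in the telnet session above.
PAGE_TARGET = "/../../../../../../../../../../../../etc/shadow"


def naive_resolve(target):
    """Vulnerable pattern: append the request path to the web root and let
    '..' segments be collapsed when the file is opened."""
    return posixpath.normpath(WEB_ROOT + target)


def safe_resolve(target):
    """Return the file path to serve, or None if the request must be refused."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %XX once
    if not path.startswith("/") or "\x00" in path:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, path.lstrip("/")))
    # Compare whole path components: a plain startswith() would also accept
    # a sibling directory such as /var/wwwroot.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, plus the one from the article.
    for t in ("/index.html", PAGE_TARGET, "/%2e%2e/%2e%2e/etc/shadow",
              "/../wwwroot/secret", "/img/../index.html"):
        print(f"{t!r:55} naive={naive_resolve(t)!r:22} safe={safe_resolve(t)!r}")
```

The check here is purely lexical; a server reading a real filesystem should also resolve symbolic links (for example with `os.path.realpath`) before the comparison.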

Shadow passwords are designed to increase security on Unix systems. The idea is that the encrypted (hashed) passwords are moved from the standard /etc/passwd file to /etc/shadow, which is accessible only to root. In the password file format, each line carries a number of fields: the username (in this case, root), then the encrypted password ($1$$Md0i[...snip...]Z001), then the time of the last password change (10933), the minimum number of days before the password can be changed (0), the maximum number of days before the password must be changed (99999), and the number of days of advance warning before the password must be changed (7).

Although the password is encrypted, the attacker can run a dictionary brute-force attack against it with some chance of success.
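The fields described above, read from the entry as the dishwasher returned it, as an added Python example of what a reviewer would flag in such a line (not part of the advisory; the function name `audit_shadow_line` and the wording of the findings are assumptions, and the hash stays truncated as printed in the article):

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers -> (name, considered weak today)
SCHEMES = {"1": ("MD5-crypt", True), "5": ("SHA-256-crypt", False),
           "6": ("SHA-512-crypt", False), "2b": ("bcrypt", False),
           "y": ("yescrypt", False)}

# The entry exactly as printed in the article; the hash is truncated there.
PAGE_LINE = "root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::"


def audit_shadow_line(line):
    """Split one /etc/shadow entry and list what a reviewer should flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    user, pw, last, min_days, max_days, warn = fields[:6]
    entry = {"user": user, "scheme": None, "changed": None, "findings": []}
    if pw == "":
        entry["findings"].append("no password set")
    elif pw[0] in "!*":
        entry["scheme"] = "locked"            # account cannot log in by password
    elif pw.startswith("$"):
        parts = pw.split("$")                 # ['', id, salt, hash]
        name, weak = SCHEMES.get(parts[1], ("unknown id " + parts[1], False))
        entry["scheme"] = name
        if weak:
            entry["findings"].append(name + " is cheap to guess offline")
        if parts[1] in ("1", "5", "6") and len(parts) > 2 and parts[2] == "":
            entry["findings"].append("empty salt")
    else:
        entry["scheme"] = "DES-crypt"
        entry["findings"].append("legacy DES-crypt hash")
    if last:
        # Field 3 counts days since 1970-01-01.
        changed = date(1970, 1, 1) + timedelta(days=int(last))
        entry["changed"] = changed.isoformat()
    entry["max_days"] = int(max_days) if max_days else None
    return entry


if __name__ == "__main__":
    print(audit_shadow_line(PAGE_LINE))
```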

Clearly, access to a dishwasher is of no use to an attacker in itself; it is just the first step toward further penetration of the victim's computer network, including other Internet of Things devices. The dishwasher's password may coincide with the passwords of other services, so a large-scale operation can begin to unfold from this appliance. In addition, an attacker can write their own code for execution on the web server.

The vulnerability was discovered by the German security specialist Jens Regel of the consulting company Schneider & Wulf EDV-Beratung GmbH & Co. KG. He contacted a Miele representative on November 21, 2016, and later sent all the information about the bug. He then tried twice more to get some answer, but received none. After more than 4 months, Jens Regel posted the information on the Seclists mailing list, that is, in the public domain.

Miele Professional PG 8528 dishwashers are not designed for installation in homes, cafes, restaurants or bars. They are primarily equipment for hospitals, where it is necessary not only to wash but also to disinfect a large number of test tubes, plates and other equipment. The vulnerability has been assigned a severity rating of “medium”. In fact, the loss of a dishwasher's password poses no critical danger. If the machine were installed in a restaurant or cafe, a neighboring restaurant could deliberately run the dishwasher all night to inflict as much economic damage on its competitor as possible by running up electricity and water bills. But what kind of attack can be carried out on a disinfector in a hospital? Disrupt the disinfection procedure in the hope of a viral epidemic?

As the number of Internet of Things devices grows, such vulnerabilities will be found more and more often. When home appliance manufacturers put a web server into an appliance, they very rarely think about security. For them, the main things are usability and marketing. This is how refrigerators with Internet access and toasters with WiFi appear.

In the Internet of Things, the number of devices could theoretically be an order of magnitude greater than in the old Internet of computers. That gives real freedom to create giant botnets. As we remember, the largest DDoS attack of last year was organized through Internet of Things devices: digital set-top boxes and surveillance cameras formed the Mirai botnet.

That botnet was built by a worm, which infected vulnerable devices that had default passwords. Now dishwashers have joined the ranks of vulnerable devices. Will they also become part of future botnets?

Source: https://habr.com/ru/post/402697/

