2017: The Year of the Dishwasher Security Patch

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher that runs an embedded webserver. It’s a basic directory traversal attack against that webserver, which can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.
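Directory traversal works because the server hands the request path to the filesystem without normalising it first. The following is an added example (not Miele’s code, and not from the report above) of the traversal-safe path resolver an embedded Linux webserver should run before opening any file; the root directory and request paths in it are constructed for illustration.

```c
/* Added example: resolve an HTTP request path to a file under a fixed root,
 * rejecting anything that would climb out of it. The caller is assumed to
 * have stripped any "?query" part already. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place. Returns 1 on success, 0 on a malformed
 * escape or an embedded NUL byte. Decoding happens before normalisation so
 * that an encoded ".." segment is judged exactly like a literal one. */
static int url_decode(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '%') {
            if (!isxdigit((unsigned char)r[1]) || !isxdigit((unsigned char)r[2]))
                return 0;
            char hex[3] = { r[1], r[2], 0 };
            int v = (int)strtol(hex, NULL, 16);
            if (v == 0) return 0;            /* refuse embedded NUL */
            *w++ = (char)v;
            r += 2;
        } else {
            *w++ = *r;
        }
    }
    *w = 0;
    return 1;
}

/* Returns 0 and writes "<root>/<normalised path>" into out on success.
 * Returns -1 when the request is malformed, would escape root, or does not
 * fit. A ".." with nothing left to pop is rejected rather than clamped, so
 * the event can be logged as an attempted escape. */
int safe_path(const char *root, const char *req, char *out, size_t outlen) {
    char buf[512];
    const char *seg[64];
    size_t nseg = 0;

    if (strlen(req) >= sizeof buf) return -1;
    strcpy(buf, req);
    if (!url_decode(buf)) return -1;

    /* Walk the path segment by segment, keeping a stack of kept segments;
     * strtok collapses repeated '/' so "a//b" and "a/b" agree. */
    for (char *p = strtok(buf, "/"); p; p = strtok(NULL, "/")) {
        if (strcmp(p, ".") == 0) continue;
        if (strcmp(p, "..") == 0) {
            if (nseg == 0) return -1;        /* would climb above root */
            nseg--;
            continue;
        }
        if (nseg == sizeof seg / sizeof seg[0]) return -1;
        seg[nseg++] = p;
    }

    int n = snprintf(out, outlen, "%s", root);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (size_t i = 0; i < nseg; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, "/%s", seg[i]);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}

int main(void) {
    /* Constructed sample requests: one legitimate, one traversal attempt. */
    const char *reqs[] = { "/status/index.html", "/../../etc/shadow" };
    char out[256];
    for (size_t i = 0; i < 2; i++) {
        if (safe_path("/var/www", reqs[i], out, sizeof out) == 0)
            printf("%-24s -> %s\n", reqs[i], out);
        else
            printf("%-24s -> REJECTED (would leave web root)\n", reqs[i]);
    }
    return 0;
}
```

Rejecting rather than silently clamping also gives the device a clear log line to emit, which is the only signal a defender on the LAN will get from a box that cannot be patched.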

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.

109 thoughts on “2017: The Year of the Dishwasher Security Patch”

  1. >why a dishwasher needs to be connected to the Internet at all
    The most straightforward answer I can come up with: A (I think) useful ‘smart’ dishwasher feature would be to monitor what you wash (perhaps by simply weighing the racks when a run begins) and measure what washes out (perhaps by filtering and checking the waste water somehow), then using this rough measurement to determine the overall efficiency and detect usage patterns over time, then suggest ways to improve your dishes’ outcomes. For example: warning when you are over/under filling.

    Once you have a dishwasher doing all this, it really doesn’t seem like too much of a stretch to have it host a webserver where you can easily access this information.

    1. And the efficiency of our dishwasher usage is of the highest priority to so many of us! Because all of the other sh*t we deal with on a daily basis pales in comparison. IoT is for people who have nothing better to do with their lives than worry about what the things they own are doing, because they themselves are doing nothing. /rant

      1. Actually appliance efficiency should be a high priority. An old dishwasher used 40 liters of water and a 2000 watt heater compared to a new one that uses 7-8 liters and a much more efficient heater. The impact is massive when you consider that _every_ damn house has one of these devices.

          1. What did you do, Murdock, use an LED bulb in the kids’ old Easy-Bake oven?

            (Spoiler, old ones used regular incandescent bulbs which were ~99% efficient heaters.)

        1. Although that actually pisses me off about “energy efficient” heating devices: no, a 1000W heater is not more efficient than a 2000W. The 2000W takes x time to heat, the 1000W takes 2x+n time to heat, where n is the extra run time required to overcome heat losses to the environment during the extra time it took to heat.

          Plus something like an oven, old-school full power one, I’ll hang out in the kitchen a few minutes until it’s up to temp and stick my food in… new-school “efficient” one, I’ll turn it on, wait, go away and do something, come back 15 mins later, fucker still not there, wander off again, forget about it, go back another 45 mins later when I get a stomach growl, because it expected to be eating half an hour ago, discover yes it is up to temp now and probably has been for half an hour, put the food in, check time, go back precisely 25 mins later, like the package/recipe says, check food, not quite done, opening oven to put food in dumped temp enough that the damn thing took another 10 mins to get back to cooking temp…. so allow another 5 mins, plus another 10 mins because I opened the oven again…. 15 mins later, finally! 2 hours after I started I have my freaking food.

        1. Yeah, “if”.

          The Internet, networking, and any sort of computer with more than 8 bits, all come with a load of problems, imperfections, and complications. Nobody uses the Internet with zero problems. We all just manage with 90-something percent. That’s fine when it’s just web pages that you can reload or come back later to. But when it’s something you want to be completely reliable, or at least not suffer crashes and Russian hackers, FFS keep it away from the Internet.

          If I were faced with 2 identical dishwashers, but one of them had an Internet connection, I’d be willing to pay more for the one that didn’t. The lack of things to go wrong would outweigh the many, many, many advantages of having an IP-accessible dishwasher.

          1. My dishwasher connects to the internet when she has time to get on the PC.
            Too damn bad I can’t update her software with a new sexbot version.

        2. That’s not enough. It has to create a real advantage to be acceptable. IoT per se is not a feature or benefit, it’s a threat. So it has to offer very real additional value in exchange.

      2. Intelligent dishwasher dispatch is worth real money under Time of Use rates or aggregated in a Distributed Energy Resource marketplace. Regulators who’ve been wringing their hands over net metering “subsidies” should be terribly distressed when they discover people capable of responding to realtime utility rates are subsidizing others who exploit flat rate design by consuming at peak times.

        1. I am not interested in gambling for my energy like a stock exchange trader. I want to be able to flick the switch, if I need the power. Just like it is now. I am not interested in any “Smarts” (= surveillance and additional hassle) in my electric meter.

        2. Betcha the price triples for everyone if that gets implemented. In the utilities field, it seems like bulk costs tend toward most efficient, and when you try to scale back, the fixed costs eat you alive and price per unit is forced higher.

          With intro of metered water here, the promise was lower bills for lower consumers, that lasted a year, now even seniors are paying about 150% of the old flat fee model they helped campaign against as “unfair to people who don’t use a lot, like us seniors.”

          1. That’s because seniors spend so much time caring for their lawns, they didn’t realize how much water they’ve been using. Now that they realize it, they might be even more forceful with their “GET OFF MY LAWN!”
            B^)

      1. Biomed
        I learned yesterday from the appliance repair guy that not only will machines corrode due to damp but also due to the Chlorine in the water.
        He was here for my hot water heater. It has a small connector for the gas feed. The connector is $1000, luckily I paid for the extended warranty.
        I also expect the electrics to corrode at some point as it is in the basement.
        He also said NEVER report a problem as either rust or corrosion. Those are NOT covered under the warranty.

    2. Now, I may be talking crazy in this whole IOT world…
      But why can the appliance not host its own webpage, locally, and not need the internet?
      Like every router for the past decade?

      It doesn’t need to handle the load of thousands of users so the embedded server has no technical limitation, and if I wanted emails from my dishwasher, then why couldn’t I be expected to learn enough to enter the IMAP settings for my Gmail into my dishwasher configuration page? I hear that can even be found with a Google search nowadays…

      In my opinion, the rush to the cloud is mostly for marketing at this point, and those people pushing it without a single logical reason need to be lined up and kicked into a pit.

      1. I think people are missing the point of “why the cloud”. It’s not for the consumer, it’s for the vendor. Just like the search engines and free email providers, the “service” is provided to gather information on the users and then use that information for business purposes.

          1. By definition 50% of people are below average intelligence. Ergo any dumb shit has worldwide potential sales of 3.5 Billion.

            They like to say in the ad industry, that they know 50% of advertising works, they just don’t know which half, well no great mystery as far as I’m concerned.

            *Jingle* SparklyCrap, SparklyCrap, dramatically new SparklyCrap, elevate your experience with cloud enabled nanotech SparklyCrap …..

            Sub100IQDude: Oooh, shiny! Dramatically new, and it’s got buzzwords, it’ll make me seem smart.
            Over100IQChick: *facepalm*

        1. That information can be gathered without two way communication.
          If the vendor wants info, simply have the connected dishwasher send an email or post to a server.
          There is simply no logical/reasonable reason why the … your dishwasher needs to be remotely accessible.

          Everything can be hosted locally.

          I would NEVER open my Octoprint server to the outside world. Some idiot logs in, gets access to the webcam and has the ability to kill my hotend + possibly burn down my house.

    3. I have asked the same question for a connected oven.
      The owner was blind, and used his mobile to do everything, so having a connected item is a great help to know when things are finished.

    4. What about using our photoreceptive orbs and organic carbon-based logic system to determine if the dishwasher is loaded properly, like we’ve always done? That doesn’t rely on an Internet connection, doesn’t pass data to a third party, and only gets a virus if what goes on the dishes is mishandled or undercooked.

      1. Yeah, those work pretty good. And you can go a step further by using them to measure how dirty the dishes are when you put them in as well as how clean they are when you take them out. Put those measurements in a spreadsheet and you can track how efficiently you are using your machine over time and spot patterns in order to improve your overall outcome.

        Then why not automate that and have the machine track those measurements itself and display the resultant patterns and recommendations to you through a web page?

        1. Or just put the dishes in when they’re dirty and run the machine when it’s full.

          How much effort do you have to put into data tracking for it to pay off in efficiency savings? I can see that paying off for a large restaurant chain but at the scale of a single household it’s more a case of “because I can”.

          But what do I know? I still wash my dishes in the sink with a washcloth like a barbarian.

      1. Well it’s probably more efficient to run it every x days partially filled than have to run it twice when you finally fill it, because everything dried on super hard, or to get the stank out from the mildewy water that stagnated in the bottom.

    5. https://en.wikipedia.org/wiki/Dear_Dave
      The episode begins with Kryten querying as to why Lister is so depressed, but he keeps accidentally rubbing in the fact that Lister is the sole human being left alive.[1] While Kryten reassures Lister that he could some day find another species to love, Rimmer suggests that Lister wouldn’t know how to charm a woman even if there was one aboard.[1] Lister though finds that he has two rival talking dispensing machines – Snack Dispensers 23 and 34 – vying for his affections.[2] Meanwhile, the ship’s on-board computer has accused Rimmer of neglecting his duties (having not reported for work in over 3 million years) and thus threatens him with demotion, a fact that would relegate him to being on a par with Lister.[1]

      A post pod arrives, a fact communicated to the crew by the Cat through the medium of charades.[1] Lister gets a letter from an old girlfriend telling him she’s pregnant and the baby might be his, setting off a hunt through the mountain of letters from the mail pod to discover if Lister might have unknowingly started a family back on Earth. Rimmer donates to the ship’s medical service to deter the decision to demote him (getting the money courtesy of the savings made by removing toilet paper from all but a handful of the toilets on the ship), but this fails. Rimmer then tries to find an excuse to have Lister declared insane so it could be argued that the reason he neglected his duties was due to caring for Lister.

      Lister makes up with Snack Dispenser 23 by dragging her down a hallway so she can fulfill her lifelong dream of seeing around the corner. They accidentally fall over into a sexually suggestive position, delighting Kryten (who thinks Lister has truly fallen in love) and Rimmer (who can use the incident to prove Lister’s insanity). Before Rimmer can write a report, however, Cat (who is desperately looking for some toilet paper) snatches the sheets.

      Lister finally finds the letter from his old girlfriend and reassures the others he has made peace with the chance that he had descendants – even though he never knew them, he can take pride in the possibility that a relative of his could have achieved something great. Judging from his reaction upon opening the letter though, it seems the baby wasn’t his.

      Another

  2. Most likely the functionality is to do with starting and stopping the device from an iPad or smart phone, kind of like a remote control. Appliance producers try to be the first to a niche whether it is good or bad. A few years back, the hype was putting a lcd tv on all kind of products. Now the hype is IOT. Customers like the new shiny stuff. But the reality is that there is very little usefulness at the moment.

    1. Once in a while, you visit a home that has a whole-home intercom system or central vacuum system and they look so quaint and dated. IoT is the contemporary version of this. Of course, the vacuum and intercom weren’t poorly secured vectors for infiltration.

    2. Except you have to be in front of a dishwasher to load and unload it. And you can tell when it’s stopped because the noise stops. Or you can just wait however long it takes to do a wash, which you’d get to know pretty quickly when you own it.

      Why would you need to start it, except when you’ve loaded it, and why would you need to stop it before it’s finished? It’s a remote control for something you almost never do.

      I think as much as anything, this is just a result of Wifi chips getting so cheap. Most household products have a CPU anyway. A dishwasher may as well have one, it’s cheaper than a mechanical timer / controller. So while you’re there, choose a chip that has Wifi, or add one on. And maybe a few customers will be impressed by that, for some reason, and buy it.

      I dunno *why* they’d be impressed, but the history of marketing teaches some very disappointing lessons about human rationality.

  3. My Miele fridge and freezer have this same board in them. They send out an email when the door has been open more than 15 minutes. That is actually useful since the kids have left the doors open more than once. They also send out email if they are unable to cool properly. Our freezer started sending out an email warning us before it failed a day later. They replaced it on warranty and we saved the food by moving it.

    I have talked to the engineers and requested that they add power monitoring in order to track how much energy is being used. They have not added it yet since it would trigger a redo of their UL-type approvals.

    1. So…. the feature potentially of interest to you they refused to include, but they did manage a feature to get everyone to monitor their email 4 times an hour for instant updates.

      This is all purely fiction folks:

      TOS have been used to push us around pretty good these last few years. Can always hope that marketing does not get the idea that the emails include an ad to which the fridge insists you must reply in 24 hours or it will cease to function. Worse…. The Can Opener emails you; “It’s that time again, insert bitcoin now.” It’s that or the P-38 you hid. We already have DRM coffee singles and printer cartridges demonstrating the concept admirably.

      Well, thankfully refrigerators are one of, if not the most, reliable device in the home. This will allow some to stave it off a few years longer.

      Think not possible? They do not have to sell the machine to you at all… just deliver it. Debit to your card to run a load of laundry. Television time enabled in 4 hour blocks for a fee. Those cards ARE handy! If you don’t own it you can’t hack it.

      What John Deere is doing is just the start.

      Blade Runner comes to mind…. even the snakes had a serial number on each and every scale.

      Oh, no, I’m not trying to scare ppl. No point trying.

      Onstar; “Your card has been declined. You have 5 minutes to pull over. An operator will be with you shortly to make other arrangements”.

      All Pure Science Fiction! Ignore that man behind the curtain!

      1. “One of these days,” Joe said wrathfully, “people like me will rise up and overthrow you, and the end of tyranny by the homeostatic machine will have arrived. The day of human values and compassion and simple warmth will return, and when that happens someone like myself who has gone through an ordeal and who genuinely needs hot coffee to pick him up and keep him functioning when he has to function will get the hot coffee whether he happens to have a postcred readily available or not.”
        ― Philip K. Dick, Ubik
        “The door refused to open. It said, “Five cents, please.”
        He searched his pockets. No more coins; nothing. “I’ll pay you tomorrow,” he told the door. Again he tried the knob. Again it remained locked tight. “What I pay you,” he informed it, “is in the nature of a gratuity; I don’t have to pay you.”
        “I think otherwise,” the door said. “Look in the purchase contract you signed when you bought this conapt.”
        In his desk drawer he found the contract; since signing it he had found it necessary to refer to the document many times. Sure enough; payment to his door for opening and shutting constituted a mandatory fee. Not a tip.
        “You discover I’m right,” the door said. It sounded smug.
        From the drawer beside the sink Joe Chip got a stainless steel knife; with it he began systematically to unscrew the bolt assembly of his apt’s money-gulping door.
        “I’ll sue you,” the door said as the first screw fell out.
        Joe Chip said, “I’ve never been sued by a door. But I guess I can live through it.”
        ― Philip K. Dick, Ubik

        1. “Charlie handed in his dime at the Kendall Square Station and he changed for Jamaica Plain.
          When he got there the conductor told him, ‘One more nickel.’
          Charlie couldn’t get off of that train.”

          ― The Kingston Trio

        1. Don’t be so old fashioned. There’s an App-enabled smart device you can buy to do all your thinking for you. All your thoughts are conveniently stored in the cloud where they’re accessible at any time! The company that supports it has plenty of venture capital and IPO money to burn through before you have to worry about it not working anymore.

    2. Sending an email does not require it to be open to the web.
      A fridge/freezer holds valuable, spoilable food items.
      A dishwasher holds dirty dishes; who cares if the door is open?

  4. One purpose with these boards is to collect performance and reliability data from the devices and report it back to HQ. Like how many times you use the dishwasher per week and at what cycle. That lets them figure out what to build next time. No point in including features no one uses. They also send back maintenance data gathered by on-board diagnostics.

    These appliances also have a neat maintenance system. When the repairman wants diagnostic data there is a spot on the front that you can’t see but it is IR transparent. Their laptops have a little dongle so that they can remote control the unit via a UI which lets you trigger each step of an operation individually. The IR lets them avoid jacks that could get dirty.

      1. Since it also has to tweet at you when it refuses to run because it thinks you forgot to add detergent, except you did add one of those disposable packets and the sensor didn’t notice.

    1. Instead of this IoT appliances gimmick they should improve the quality so that appliances last more than a few years.
      What will they use this information for? To improve the programmed obsolescence?

      1. Put together a smart presentation, hook up with manufacturers/suppliers, get some investment money, then start rolling those 100-year washing machines off the line.

        I’m sure the big companies making appliances are just misunderstanding the market and you are the visionary.

      2. Miele has a pretty good reputation for quality though. They cost a bloody fortune, so you’d hope so. Looks like they only have a 2 year warranty though, which is a bit disappointing.

      3. jacques1956
        I just learned from a repair guy that Chlorine in water will cause corrosion.

        https://en.wikipedia.org/wiki/Planned_obsolescence
        Contrived durability

        Contrived durability is a strategy of shortening the product lifetime before it is released onto the market, by designing it to deteriorate quickly.[3] The design of all consumer products includes an expected average lifetime permeating all stages of development. Thus, it must be decided early in the design of a complex product how long it is designed to last so that each component can be made to those specifications. Since all matter is subject to entropy, it is impossible for any designed object to retain its full function forever; all products will ultimately break down, no matter what steps are taken. While it is known that products are optimized to match their required lifespan, such designs are often chosen for cost or weight saving reasons. Limited lifespan is only a sign of planned obsolescence if the lifespan of the product is rendered artificially short by design.

        The strategy of contrived durability is generally not prohibited by law, and manufacturers are free to set the durability level of their products.[3]

        A possible method of limiting a product’s durability is to use inferior materials in critical areas, or suboptimal component layouts which cause excessive wear. Using soft metal in screws and cheap plastic instead of metal in stress-bearing components will increase the speed at which a product will become inoperable through normal usage and render it prone to breakage from even minor forms of abnormal usage. For example, small, brittle plastic gears in toys are extremely prone to damage if the toy is played with roughly, which can easily destroy key functions of the toy and force the purchase of a replacement.

        An early example of contrived durability arose out of a 1924 meeting of representatives from the world’s largest light bulb manufacturers, Philips, Osram, General Electric and others. They met in Switzerland to form “Phoebus”, a lighting cartel. Light bulb lifespans had by 1924 increased to the point of crimping sales. The companies thus jointly agreed to reduce light bulb life to a 1,000-hour standard. Phoebus members marketed the shorter design life as an effort to produce brighter and more energy-efficient bulbs. Markus Krajewski, a media-studies professor at the University of Basel says that the only significant technical innovation in the new bulbs was a steep drop in operating life. “It was the explicit aim of the cartel to reduce the life span of the lamps in order to increase sales,” he said.[10]

        1. Corrosion caused by chlorine in the water is not a problem of planned obsolescence, rather of poor resource management.
          We humans DO need some quality standards in our drinking water, so it’s fine to use a complex and expensive treatment to purify it. Adding chlorine makes that treatment cheaper and more reliable.

          But we don’t drink all the water that goes through our pipes. We just need a couple of litres a day, maybe another one for cooking. We use almost all the water for washing (clothes, dishes, ourselves…) and tending the garden. And for those tasks we don’t need such expensively treated water, it doesn’t need to be rated for human consumption, and no chlorine either.
          Now, the (sadly still rare) solution for that would be to add a second water circuit on newly built homes. Drinking water pipe goes to the kitchen sink, and everywhere else goes some cheaply treated, mudless and not-too-smelly water that still accomplishes its function.
          And yeah, expensive to implement, but we’re literally flushing drinking water.

    2. Dishwasher phone home? Showing detailed error codes to the tech fixing the thing is good and smart, but I’m not comfortable with this new fascination with telemetry for “improving the customer experience”.

  5. So how do you ensure that a given chunk of data is a legitimate upgrade and not an already compromised machine downloading the tools it needs to own your LAN? It is a firewall administrators nightmare, having to constantly verify sites to ensure that they have the right rules for who knows how many IoT device types.

    The entire IoT concept is broken, as broken as M$ Windows was when they started out with a security model that was the inverse of the Unix “everything locked down unless explicitly opened up” way of doing things. Except these are often little Unix/Linux systems and the flawed security model is now at a higher level of abstraction, but it is still the same basic mistake. The fools have M$ed up your home.

    1. I’ve heard of RIOT (I’m not sure if it had anything to do with IOT) but does the R stand for Reliable… or is the whole name a hint to what might happen if this carries on too long…

  6. It’s not a dishwasher: the Miele PG 8528 is a washer-disinfector, acc. vulnerability no. CVE-2017-7240. It’s for medical purposes, for which logging etc. is a feature or even required to read and log certain data. In my opinion some nuance should be added in this article, instead of copy paste…..

    1. Ah OK. Which makes this article a completely different story. Do some basic research, Lewin! Here we are rambling on about domestic dishwashers, and this is some bit of expensive medical equipment.

  7. My sister recently bought a new dishwasher. And even though it is an inexpensive model, it has a lot of buttons and lights and options. A bit confusing and not user friendly. A web interface on your PC/smartphone, IF done PROPERLY, COULD make it easier to operate effectively and efficiently. Also, depending on options selected, it takes quite a while to run. A web interface could give you an estimated run time based on options before starting, and a progress indicator while running. And it would be invaluable for diagnostics (a mouse chewed thru a control wire not long after she got it).
    But instead of a web interface, how about just a nice color LCD display. Network connectivity is not really needed. Probably cheaper. Not quite as intimidating to technophobes. And NOT a security risk.

    1. I am not a technophobe and don’t find the web interface intimidating (although I can imagine it is for many people). I find it just useless. Why should I use my phone (switch on the screen, open the correct app, select the functions) when I can just press a button on the front panel of the device?

  8. I’ve maintained a lot of sterilizers, autoclaves, and washers for lab and hosp. The term “dishwasher” took most of us, including myself, straight to the home kitchen as dishwasher was repeatedly and prominently displayed, and even highlighted twice within the lead page, and IoT was as well. For the medical or laboratory environment a network connection to the outside manufacturer is often quite appropriate, however I would not characterize this as IoT by any means at all as it requires IT cooperation and security validations and agreements provided as part of the install, and I’ve worked from both the Biomed and IT sides on these in the hospital setting.

    The article gives the impression of being about IoT with the home dishwasher, and most of us hackers speed read. And IoT to many of us is a brief “Slam, Bam, Thank You Ma’am”, with a few short prayers added because we honestly wish a functional prophylactic were available. None yet is and for the home may never be.

    For my part, I apologize. I thought it was about rinky-dink IoT. It is not, I was wrong.

  9. I do not need to disconnect the dishwasher from the network, because I did not even think about connecting it firsthand. So yes I have a very restrictive firewall – a large air gap (and no WiFi in the dishwasher).
    I have to fill it, put detergent in it, switch it on with a big mains power switch and around an hour later I have to open it. Why in the world would I need or want network connection for the dishwasher?

  10. IOT is just a gateway drug to DRM. Keurig and John Deere rolled together on steroids. “Sorry, DW will not function because you are not using an approved soap. By the way, you installed the glass holder in the rack incorrectly. Please contact an authorized repair center or your warranty will void.”

      1. Exactly. The Dish modem at my house died yesterday. Their service, their hardware. I subscribe. I called to have it repaired. No warranty. They wanted to charge $95 for the service call–and tried to sell me an insurance program so I wouldn’t be charged a service call in the future!! All the costs of ownership, none of the benefits. They cancelled the charge when I phrased it as “Please repair your hardware so I can continue as a subscriber.” It bugs me that they even had the balls to ask.
