Internet of Things (IoT) devices are turning up everywhere. Many people think their lives will be easier with smart devices.
There are some really good reasons to connect certain devices to the Internet. Remote monitoring of industrial equipment and machinery is done using Internet connected devices.
But everything doesn’t have to be connected. And in the case of medical equipment, it is important to understand the consequences of a casual connection to the Internet.
According to The Hacker News report on Monday, March 27th, 2017, the Miele Professional PG 8528 appliance, which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments, is suffering from a Web Server Directory Traversal vulnerability.
Jens Regel of German consultancy Schneider & Wulf has discovered the flaw that allows an unauthenticated, remote attacker to access directories other than those needed by a web server.
Jens has filed a bug report which outlines the vulnerability in the Miele appliance when it is connected to the internet.
According to the report the basis of the problem is this: “The corresponding embedded webserver ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.”
And here is the code used to do it –
The bug report goes on to give a proof of concept which demonstrates the vulnerability and the sequence used. Once accessed, the attacker can steal sensitive information stored on the server and even insert their own malicious code and tell the web server to execute it.
The PoC exploit is simple and anyone can run it:
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.
According to The Hacker News, Jens privately disclosed the vulnerability to Miele in November 2016, but did not hear back from the vendor for more than three months. So, it is unknown at this time when a fix can be expected (or if it already exists).
You may want to disconnect this machine from the internet, until you find out if the vulnerability has been repaired.