The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240 – aka “Miele Professional PG 8528 - Web Server Directory Traversal.” This is the built-in web server that's used to remotely control the glassware-cleaning machine from a browser. “The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” reads the notice, dated Friday.
The Register turns the knife on bug discoverer, Jens Regel, who was at pains to stress the vulnerable Miele unit is not a household dishwasher, but a commercial-level washer and disinfector. “To our mind, that's as bad, if not worse: it's a vulnerability in a business-critical device, still without appropriate attention or responsiveness to security issues,” comments The Register.
Cesare Galarti, Chief Security Strategist at prpl Foundation, had this to say. “Appliance makers keen to push boundaries on connected devices need to be aware that these days, even something as seemingly harmless as a dishwasher has the potential to exploit sensitive information about the user. As such, they need to be very careful that the expertise is in place to deal with such connectivity and security issues.
“One fix is using security by separation, where virtualisation at the hardware level is used to separate critical functions of the appliance from less critical functions, so that the device is less likely to be compromised. For users, it should serve as a reminder to think about the not so obvious ways in which they are leaving themselves exposed to cyber criminals and follow best practice, that includes closing all ports on their home gateways.”
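The class of bug the advisory names is closed by refusing any request path that can climb out of the document root before a file is ever opened. The C sketch below is an added example, not code from the advisory or from the PST10 WebServer; the function name `sanitize_request_path` and the sample request paths are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {                       /* hex digit value, or -1 */
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX once and normalise: 0 plus a clean path in out, or -1 to refuse. */
int sanitize_request_path(const char *req, char *out, size_t outlen) {
    char dec[256]; size_t n = 0, o = 0;
    if (req[0] != '/') return -1;                /* only absolute URL paths */
    for (const char *p = req; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;               /* malformed escape */
            c = hi * 16 + lo; p += 2;
        }
        if (c == 0 || c == '\\' || c == '%') return -1; /* NUL, backslash, double encoding */
        if (n + 1 >= sizeof dec) return -1;      /* request path too long */
        dec[n++] = (char)c;
    }
    dec[n] = '\0';
    for (const char *seg = dec; *seg; ) {
        while (*seg == '/') seg++;               /* collapse repeated slashes */
        size_t len = strcspn(seg, "/");
        if (len == 0) break;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return -1; /* ".." segment */
        if (!(len == 1 && seg[0] == '.')) {      /* drop "." segments */
            if (o + len + 2 > outlen) return -1; /* needs '/', segment and NUL */
            out[o++] = '/';
            memcpy(out + o, seg, len); o += len;
        }
        seg += len;
    }
    if (o == 0) { if (outlen < 2) return -1; out[o++] = '/'; }
    out[o] = '\0';
    return 0;
}

int main(void) {   /* constructed request paths, not taken from the advisory */
    const char *reqs[] = { "/index.html", "/img//./logo.png", "/../x", "/%2e%2e/x" };
    char out[64];
    for (size_t i = 0; i < sizeof reqs / sizeof *reqs; i++)
        printf("%s -> %s\n", reqs[i], sanitize_request_path(reqs[i], out, sizeof out) ? "REJECT" : out);
}
```

The check is purely lexical, so a server that can follow symbolic links also needs to confirm the resolved file still sits under the document root.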
A report carried out by researchers from Princeton University has found some worrying privacy flaws in a number of connected devices, including the Google-owned Nest thermostat. Sarthak Grover and Nick Feamster published their research, titled “The Internet of Unpatched Things,” to better understand the security landscape for consumer smart devices. Broadly speaking, they found that low capability hardware meant that security protocols were lacking.
A traffic analysis of the Nest thermostat found that incoming weather updates leaked user location data to a high degree of accuracy, with latitude and longitude figures displayed to within 8 decimal digits. However, Nest is far from the worst of the IoT devices when it comes to user privacy. The PixStar Digital Photoframe leaked the user email ID and user activity in plain text, while the Ubi Smart Speaker allowed malicious actors to intercept all voice chat and sensor readings.
According to the study, the fragmented nature of the Internet of Things in its present state is contributing to the security issues. The multitude of IoT manufacturers combined with a lack of industry standardisation means that it is difficult to enforce baseline security protocols.
Nest will be keen to avoid any reputational damage as a result of the report, particularly given the company’s ambitious aims in the smart home market. In an interview with Internet of Business late last year, Lionel Paillet, Nest’s GM for Europe, emphasised that the company sees itself as much more than a smart thermostat business, instead targeting the entire connected home market.
Currently, the most pressing concern for Nest is dealing with a recently discovered software bug that has left some users without heating just as temperatures have begun to fall. The glitch drains the thermostat’s battery life, leaving the system deactivated. Although Nest has published a nine-step workaround for affected users, a software patch to resolve the issue has yet to be released.