Miele Dishwasher Hackable – firm doesn’t respond to disclosure

Not a week goes by without a security incident. This time, a “smart” dishwasher, manufactured by Miele, has been found to include a critical security vulnerability that allows arbitrary code execution.

The German domestic-appliance giant Miele decided to make a dishwasher that can be connected to the internet and, of course, someone found out it has a bug that allows hackers to break into it, infect it with malware, and give them the opportunity to use it as leverage to hack other devices on the network.

"The worst case scenario is an attacker is able to infect the system with malware and is in a position to attack other devices in the network," Regel told Motherboard in an email.

The main problem with these kinds of devices having connectivity is that the manufacturers making them have little to no experience dealing with cybersecurity. In this case, Regel tried to contact Miele in November of last year to alert them to the issue, but after an initial conversation with a representative, the company never got back to him.

The problem here, of course, isn’t that someone’s going to manipulate some sensitive data on your dishwasher, but that it gives attackers a beachhead on your network from which to mount subsequent attacks. That’s the problem with IoT security: individual security issues might not seem so critical in isolation – it’s just a dishwasher after all – but because such devices are usually embedded in complex network topologies, the overall effect could be quite drastic.

Remember that the Target Hack was mounted from a compromised HVAC system.

But how the manufacturer failed to respond to the disclosure of the vulnerability is revealing. It’s probably not even a refusal to engage, but an inability. These are white goods manufacturers. They have no experience in dealing with IT security.

In German law, there’s a provision for firms of a certain size that handle sensitive data to appoint a Data Protection Officer. From my understanding, that’s part of the EU’s General Data Protection Regulation as well. Maybe we should think about a similar provision for IT/IoT security contacts, as clearly the industry isn’t going to do it itself.