Last month a researcher announced that a commercial dishwashing machine contained a dangerous vulnerability allowing a remote attacker to gain access to privileged assets on a connected network. Jens Regel of the German company Schneider & Wulf made the vulnerability public on Full Disclosure after contacting the vendor and waiting the customary 90 days. The vendor, Miele, has yet to respond.
When contacted after the disclosure, a company representative told Motherboard last Monday that Miele “is checking what happened in this case and will come back to you as soon as possible.” That’s a problem with the Internet of Things (IoT) today. If a device is connected to the internet, it should expect to be pwned, and more and more we’re seeing evidence of that in the strangest of places.
A directory traversal vulnerability (CWE-22 -Improper Limitation of a Pathname to a Restricted Directory or ‘Path Traversal’) allows remote attackers to use HTTP (the internet) to access restricted directories. Once accessed, an attacker can execute commands outside of the web server’s root directory on the network giving control of the at-risk system and enabling the exfiltration of sensitive information.
“The corresponding embedded webserver ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks,” Regel said. He said proof can be had with a simple GET statement:
/ GET /../../../../../../../../../../../../etc/shadow HTTP/1.1
The vulnerability has been assigned CVE-2017-7240 by NIST. Its CVSS score is 5 out of 10.
The model, Miele Professional PG 8528, is a professional dishwasher intended for hospitals. A common web server connects a device to the internet using HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages, so a user could control the information from the device with a desktop browser or a mobile app.
Miele touts the model’s physical RS-232 port as facilitating “the exchange of data with other appliances, e.g. for process documentation.” It intends the wire feature for retrieving text reports from a bar code scanner or “to transmit report data to a documentation system, external storage media or a report printer.” The device also includes an Ethernet connection that provides “a particularly high level of functionality.” This means the dishwashers can be connected to existing networks, such as documentation systems. While convenient, it opens a whole can of worms.
Simply adding connectivity without determining whether there are any vulnerabilities in the software components being added is a newbie mistake. Software composition analysis should always be performed on the cyber supply chain, so that third-party components are added without defects. Although only a few years old, IoT already has millions of devices with questionable legacy software.
To drive this point, this past February a bored student attacked known vulnerabilities in wireless printers around the world with a playful message about botnets (there was no botnet). Last summer, someone used surveillance cameras to create a botnet that temporarily shut down internet service on the East Coast of the united states. Although the surveillance cameras didn’t have a software flaw (it was a hard-coded password) it nonetheless demonstrates the power of these devices once they are pwned.
Miele makes household dishwashers as well. At the moment, the consumer models are not connected to the internet. What makes the professional dishwashers so dangerous is they are more likely to be connected to sensitive information. As we saw in the Target breach, remote access through a third-party heating, ventilation, and air conditioning (HVAC) system was enough to allow the attackers onto the internal network and find and exploit the company’s credit card database.
A hospital network is likely to be more segmented. However, a sophisticated attacker could still leverage multiple vulnerabilities so it’s best not to leave any ports open. And while the network would mostly likely be an internal network, security researcher Dan Tentler told Motherboard in an online chat that at least one dishwasher IP address is discoverable on the internet today. It is possible he might be able to find more in the future, now that he knows how to look for them.
Speaking at Cloud Expo Europe last month, Mikko Hyppönen, chief research officer at F-Secure, said the security of IoT is not likely to get better soon. “It’s going to be so cheap that vendors will put the chip in any device, even if the benefits are only very small. But those benefits won’t be benefits to you, the consumer, they’ll be benefits for the manufacturers because they want to collect analytics,” he said.
And, frankly, the idea of internet connectivity in home appliances is still foreign to most consumers. “When you buy a washing machine, price is the most important selling point. Nobody’s asking, ‘does it have a firewall or intrusion prevention systems?’ Cybersecurity isn’t a selling point for a washing machine, so why would manufacturers invest money in it?” Hypponen adds.
To keep ahead of these threats, start early. If it’s not being done already, secure architecture and design should kick off all new software development for IoT projects. Start with a threat model and then design the security architecture around that. Remove features that are unnecessary for the operation of the device.
Test often. Static analysis can find common software weaknesses. Fuzz testing can find unknown unknowns. And, as mentioned, be weary of third-party code. Do not blindly accept open source code without making sure it is the latest and greatest.
With a little vigilance, embedded software in IoT can be both secure and reliable.