If it's connected to the internet, it can be hacked. In an age where manufacturers are rushing to put any kind of device onto the internet, we're quickly finding out how that adage holds true. Crock-pots, light bulbs, thermostats, GPS trackers for kids, billboards, and even teddy bears have all been hacked recently.
Alas, that's not stopping anyone from connecting stuff to the internet. The German domestic-appliance giant Miele decided to make a dishwasher that can be connected to the internet and, of course, someone found out it has a bug that allows hackers to break into it, infect it with malware, and give them the opportunity to use it as leverage to hack other devices on the network.
The worst part of all this is that this ain't your average dishwasher. This is a "washer-disinfector" that's mostly used in hospitals or medical facilities and labs. So it can be a good target if your end goal is to steal private medical information or maybe hold the hospitals' computers for ransom.
Jens Regel, a security consultant, found a "web server directory traversal" bug in the Miele PG 8528 when he was prodding a network for vulnerabilities during a consulting gig, what's known in the industry as a penetration test or "pentest." That kind of vulnerability allows an unauthorized attacker to gain access to the file system of the server to which the machine connects.
"The worst case scenario is an attacker is able to infect the system with malware and is in a position to attack other devices in the network," Regel told Motherboard in an email.
The good news is that, according to Regel, these dishwashers shouldn't be directly available over the internet, so in theory hackers would need to already be on the local network to attack the dishwasher.
But at some point, at least one of these dishwashers was connected and findable on the internet, according to Dan Tentler, a security researcher who's one of the best at finding internet of things devices that shouldn't be online.
"This is fucking hilarious. A dishwasher on the internet," Tentler told Motherboard in an online chat, explaining that it's possible he might be able to find more in the future, now that he knows how to look for them.
The main problem with these kinds of devices having connectivity is that the manufacturers making them have little to no experience dealing with cybersecurity. In this case, Regel tried to contact Miele in November of last year to alert them to the issue, but after an initial conversation with a representative, the company never got back to him.
We contacted Miele but a spokesperson only said on Monday that the company "is checking what happened in this case and will come back to you as soon as possible."
This story has been updated to include the information that at least one of the Miele dishwashers was connected to the internet.