Miele's networked disinfecting hospital dishwasher has a gaping security flaw

The Miele PG 8528 is a "washer-disinfector" intended for hospitals and other locations with potentially dangerous pathogens on their dirty dishes; it's networked and smart. And dumb.


The PG 8528 is vulnerable to a web server directory traversal attack; connect to it with a browser and you can break out of its web server and attack its whole filesystem, implanting malware that you can use to attack other devices on the network (like this widely used automated drug cabinet with 1600+ known vulnerabilities and no new patches coming).


The PG 8528 isn't supposed to be connected to the public internet, but at least one has been spotted in the wild, because being good at running a hospital doesn't make you good at information security.


Miele was notified of the bug, but, after a cursory followup, dropped it and pretended it didn't matter.


But at some point, at least one of these dishwashers was connected and findable on the internet, according to Dan Tentler, a security researcher who's one of the best at finding internet of things that shouldn't be online.

"This is fucking hilarious. A dishwasher on the internet," Tentler told Motherboard in an online chat, explaining that it's possible he might be able to find more in the future, now that he knows how to look for them.


A Hackable Dishwasher Is Connecting Hospitals to the Internet of Shit
[Lorenzo Franceschi-Bicchierai/Motherboard]