Hackable IoT washing machine provides channel for breaching hospital IT
A software bug in internet-connected washing machines, specifically a washer-disinfector model used in hospitals and other healthcare facilities to clean and disinfect medical equipment, would let an unauthenticated attacker on the same network read files from the appliance's embedded web server, a foothold that could yield information useful for attacks on other systems on that network, newly published research suggests.
Jens Regel, an IT security consultant at the consultancy Schneider & Wulf, found the vulnerability in the PG 8528 model made by German manufacturer Miele. The PG 8528 ships with an Ethernet interface, so it can communicate with other devices on a local, on-premise network.
Regel found that the PG 8528's embedded web server does not properly restrict the file paths it is asked for, which makes a “web server directory traversal” attack possible: by putting path segments such as `../` into a request, a client can read files outside the directory the server is meant to expose. In such an incident, “an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” he wrote in a blog post Friday.
In theory, an attacker with access to the local network a PG 8528 sits on could use the machine as a starting point for reaching the rest of a hospital's computer systems, putting sensitive medical records at risk. The PG 8528 is not typically exposed to the public internet, so exploiting this bug would most likely require a foothold on the local network to which the washer is connected, which is one reason such appliances are best kept on a network segment isolated from clinical and administrative systems.
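To make the bug class concrete, here is an added illustration that is not code from the article, from Regel's advisory, or from Miele's firmware (which is not public): a hypothetical minimal file handler of the kind an embedded web server might contain, shown in its traversal-prone form beside a hardened one, plus a small request check a proxy or log review could apply. The web root, the file names and the "secret" file contents are constructed for the demo.

```python
"""Added illustration of web-server directory traversal (hypothetical code, not
the Miele PG 8528 firmware). Builds a throwaway directory tree, then serves
requests with a naive handler and a hardened one so the difference is visible."""
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree():
    """Constructed sample layout: a web root plus a sensitive file OUTSIDE it.
    Returns the web root path."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(base, "www")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>appliance status page (constructed)</h1>")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("admin_password=changeme  # constructed sample credential\n")
    return webroot


def serve_vulnerable(webroot, url_path):
    """Naive handler: URL-decodes the request path and glues it onto the web
    root. Nothing stops '..' segments from walking above the root, so the
    operating system resolves them and the file outside the root is returned."""
    local = os.path.join(webroot, unquote(url_path).lstrip("/"))
    try:
        with open(local, "rb") as f:
            return 200, f.read()
    except OSError:
        return 404, b"not found"


def serve_hardened(webroot, url_path):
    """Hardened handler: canonicalises the candidate path (resolving '..' and
    symlinks) and refuses anything that does not stay inside the web root."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, unquote(url_path).lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return 403, b"forbidden"
    if not os.path.isfile(candidate):
        return 404, b"not found"
    with open(candidate, "rb") as f:
        return 200, f.read()


def looks_like_traversal(url_path):
    """Cheap request check for a proxy or log review: flag any decoded path
    containing a '..' segment. Two decode passes also catch double-encoding."""
    decoded = unquote(unquote(url_path))
    return ".." in decoded.replace("\\", "/").split("/")


def run_demo():
    """Serve three constructed requests through both handlers and return
    {path: (vulnerable_status, hardened_status)}."""
    webroot = build_demo_tree()
    requests = ["/index.html", "/../secret.conf", "/%2e%2e/secret.conf"]
    return {p: (serve_vulnerable(webroot, p)[0], serve_hardened(webroot, p)[0])
            for p in requests}


if __name__ == "__main__":
    for path, (vuln, hard) in run_demo().items():
        print(f"{path:24s} naive={vuln} hardened={hard} "
              f"flagged={looks_like_traversal(path)}")
```

The hardened handler does not try to strip `..` from the string; it lets the OS canonicalise the path and then checks that the result is still under the web root, which also defeats symlinks and encoded variants. On firmware without a separate OS-level sandbox for the web server, a check of this kind is often the only barrier between a request and the whole filesystem.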
It’s not uncommon for internet-connected appliances, otherwise known as “Internet of Things” devices, to lack basic digital security measures.
Recent media reports have highlighted a series of vulnerabilities in popular consumer-oriented internet-connected light bulbs, DVRs, thermostats, security cameras and GPS trackers. In one case, in October 2016, basic weaknesses were exploited to hijack hundreds of thousands of insecure devices and launch a large-scale distributed denial of service, or DDoS, attack on the DNS provider Dyn.
Regel told Vice's Motherboard and Help Net Security that Miele was informed of the vulnerability in November. It remains unclear when, or whether, the German manufacturer will release a patch or update.
In Washington, Congress has begun discussing legislation and regulation that may one day force so-called IoT companies to incorporate digital security in future products.
Last November, the Obama White House and Homeland Security Department also announced the release of rudimentary cybersecurity guidelines for IoT device makers. The voluntary recommendations stressed the need for a security-focused engineering approach in early development phases.