Internet-Connected Medical Washer-Disinfector Found Vulnerable to Hacking

Internet-of-Things devices are turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices.

There are, of course, some really good reasons to connect certain devices to the Internet. For example, remotely switching on your A/C a few minutes before you enter your home, instead of leaving it blasting all day.

But does everything need to be connected?

Of course, not. One such example is the latest bug report at Full Disclosure, affecting an Internet-connected washer-disinfector appliance by Germany-based manufacturer Miele.

The Miele Professional PG 8528 appliance, which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments, is suffering from a Web Server Directory Traversal vulnerability.

Jens Regel of German consultancy Schneider & Wulf has discovered the flaw (CVE-2017-7240) that allows an unauthenticated, remote attacker to access directories other than those needed by a web server.

Once accessed, the attacker can steal sensitive information stored on the server and even insert their own malicious code and tell the web server to execute it.

“The corresponding embedded web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, [and] therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” Regel explained.

Proof-of-Concept Exploit Code Released!

Regel also published proof-of-concept (PoC) exploit code for this vulnerability, which means hackers can now exploit the vulnerability before the vendor issue a patch.

Read full story…