Internet-of-Things devices are turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices.
There are, of course, some really good reasons to connect certain devices to the Internet. For example, remotely switching on your A/C a few minutes before you enter your home, instead of leaving it blasting all day.
But does everything need to be connected?
Once accessed, the attacker can steal sensitive information stored on the server and even insert their own malicious code and tell the web server to execute it.
“The corresponding embedded web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, [and] therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” Regel explained.
Proof-of-Concept Exploit Code Released!
Regel also published proof-of-concept (PoC) exploit code for this vulnerability, which means hackers can now exploit the vulnerability before the vendor issues a patch.
It’s unclear which libraries Miele used to craft the Web server, though, according to Regel, he’s able to request the embedded system’s shadow file – and by extension any file on the filesystem.
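As an added illustration (not Miele's firmware code and not Regel's PoC), this is the document-root containment check a web server should apply to every requested path so that a request for `../../etc/shadow` cannot leave the web root, together with a scan of constructed access-log lines for such attempts. The document root `/var/www`, the log line format and the log lines themselves are assumptions for the example, not values from the advisory.

```python
"""Added example: document-root containment check plus a log scan for traversal."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www"  # assumed document root for the example, not from the advisory


def _decode(url_path: str) -> str:
    """Percent-decode until stable so double encoding (%252e) is also caught."""
    for _ in range(3):
        decoded = unquote(url_path)
        if decoded == url_path:
            break
        url_path = decoded
    return url_path.replace("\\", "/")


def resolve_request_path(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a URL path to a filesystem path inside doc_root.
    Returns None when the request would escape the root or carries a NUL byte."""
    decoded = _decode(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(doc_root)
    # join first, normalise second: '/var/www/../../etc/shadow' -> '/etc/shadow'
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    prefix = root if root.endswith("/") else root + "/"
    if full != root and not full.startswith(prefix):
        return None
    return full


# constructed access-log lines (client "METHOD path HTTP/1.x" status), not from a real device
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.0" 200',
    '192.0.2.10 "GET /../../etc/shadow HTTP/1.0" 200',
    '192.0.2.11 "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200',
    '192.0.2.12 "GET /css/..%252f..%252fetc/passwd HTTP/1.0" 404',
]


def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the request paths from log lines that fail the containment check."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or not parts[1].startswith('"'):
            continue  # not in the expected shape; skip rather than guess
        if resolve_request_path(parts[2]) is None:
            flagged.append(parts[2])
    return flagged
```

A request that uses `..` but stays inside the root (`/css/../index.html`) still resolves normally, so the check blocks escapes rather than the literal string.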
The researcher privately disclosed the vulnerability to Miele in November 2016, but did not hear back from the vendor for more than three months. So, when a fix can be expected (or whether one exists) is still unknown.
Therefore, the best option to keep yourself secure is to disconnect the appliance from the Internet for the time being until the patch is released.