The Register is reporting a new IoT bug involving Miele PG 8528 professional dishwashers, used in hospitals and elsewhere. In this case, it is a directory traversal bug involving an HTTP server that resides on port 80. In all likelihood, the most harm this vulnerability will directly cause is that the dishwasher would run when it shouldn’t. However, the indirect risk is that the device could be used to exfiltrate private information about patients and staff. The vulnerability is reported here.
Manufacturers expect that providing Internet services on their devices will be very simple. Initially, they think it is fine to slap a transceiver and a simple network stack onto a device and call it finished. It is not. They need to correct vulnerabilities such as this one, and they apparently have no mechanism for doing so. Manufacturers such as Miele are experts within their own domains, such as building dishwashers. They are not experts in Internet security. It is a new world when these two domains intersect.
We need MUD
And yes, Manufacturer Usage Descriptions (MUD) would have helped here, by restricting communication either to all local devices or to specifically authorized devices.