{"id":2203,"date":"2017-03-27T17:31:01","date_gmt":"2017-03-27T15:31:01","guid":{"rendered":"https:\/\/www.ofcourseimright.com\/?p=2203"},"modified":"2017-03-27T17:31:01","modified_gmt":"2017-03-27T15:31:01","slug":"yet-another-iot-bug","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=2203","title":{"rendered":"Yet another IoT bug"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright  wp-image-2204\" src=\"https:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2017\/03\/Miele-177x300.png\" alt=\"\" width=\"142\" height=\"241\" srcset=\"https:\/\/ofcourseimright.com\/blog\/wp-content\/uploads\/2017\/03\/Miele-177x300.png 177w, https:\/\/ofcourseimright.com\/blog\/wp-content\/uploads\/2017\/03\/Miele.png 440w\" sizes=\"auto, (max-width: 142px) 85vw, 142px\" \/>The Register <a href=\"https:\/\/www.theregister.co.uk\/2017\/03\/26\/miele_joins_internetofst_hall_of_shame\">is reporting a new IoT bug<\/a> involving Miele PG 8528 professional dishwashers, used in hospitals and elsewhere.\u00a0 In this case, it is a directory traversal bug involving an HTTP server that resides on port 80.\u00a0 In all likelihood, the most harm this vulnerability will\u00a0<strong>directly <\/strong>cause is that the dishwasher would run when it shouldn\u2019t.\u00a0 However, the <strong>indirect<\/strong> risk is that the device could be used to exfiltrate private information about patients and staff.\u00a0 The vulnerability is reported <a href=\"http:\/\/seclists.org\/fulldisclosure\/2017\/Mar\/63\">here<\/a>.<\/p>\n<p>Manufacturers expect that it will be very simple to provide Internet services on their devices.\u00a0 Initially, they think that it\u2019s fine to slap a transceiver and a simple stack on a device and they\u2019re finished.\u00a0 They\u2019re not.\u00a0 They need to correct vulnerabilities such as this one.\u00a0 They apparently have no mechanism to do so.\u00a0 Manufacturers such as Miele are 
experts within their domains, such as building dishwashers.\u00a0 They are not experts in Internet security.\u00a0 It is a new world when these two domains intersect.<\/p>\n<p><strong>We need MUD<\/strong><\/p>\n<p>And yes, <a href=\"https:\/\/www.ofcourseimright.com\/?p=1859\">Manufacturer Usage Descriptions<\/a> would have helped here, by restricting communication either to all local devices or to specifically authorized devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Miele could have benefited from MUD, as well as the experience of the Internet security community.<\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[545,536,9],"tags":[563,511,518],"class_list":["post-2203","post","type-post","status-publish","format-standard","hentry","category-iot","category-mud","category-security","tag-internet-of-threats","tag-iot","tag-mud"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2203"}],"version-history":[{"count":1,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2203\/revisions"}],"predecessor-version":[{"id":2205,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2203\/revisions\/2205"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:
\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}