Hackable IoT washing machine provides channel for breaching hospital IT

A software bug in internet-connected washing machines — specifically a model used in hospitals and other healthcare facilities to disinfect medical equipment — would allow a hacker to break into the network supporting each appliance to install malware and potentially gain access to other systems, newly published research suggests.

Jens Regel, an IT security consultant at Schneider & Wulf, found the vulnerability in the PG 8528 model developed by German manufacturer Miele. The PG 8528 ships with an Ethernet interface by default, enabling it to communicate with other devices on a local, on-premise network.

Miele PG 8528 (photo by Miele)

Regel discovered that a vulnerable embedded web server linked to the Miele PG 8528 makes a “web server directory traversal” cyberattack possible. In such an incident, “an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks,” he wrote in a blog post Friday.
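As an added illustration that is not part of the article and is not code from Miele or the researcher, the following Python shows the defensive side of the bug class described above: a path-resolution check that refuses to serve files outside the web root (including percent-encoded and null-byte variants), and a scan over constructed access-log lines that flags traversal attempts. The document root and the log lines are assumptions made up for the example.

```python
import os
import re
from urllib.parse import unquote

# Recognises "../" and "..\" in raw, percent-encoded and mixed forms.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e(%2f|%5c|/|\\)|\.\.(%2f|%5c))", re.I)

# Common-log-format line: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def safe_resolve(doc_root, request_path):
    """Map a URL path onto a file under doc_root.

    Returns the absolute filesystem path, or None when the request would
    escape the document root (the directory-traversal case) or carries a
    NUL byte, which C-based servers often treat as end-of-string.
    """
    decoded = unquote(request_path)          # decode once, then normalise
    if "\x00" in decoded:
        return None
    root = os.path.abspath(doc_root)
    candidate = os.path.abspath(os.path.join(root, decoded.lstrip("/")))
    # Every allowed result is the root itself or lies strictly beneath it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def find_traversal_attempts(log_lines):
    """Return (client_ip, path, status) for requests that look like traversal.

    The path is tested both raw and after one round of URL-decoding, so a
    double-encoded attempt (%252e) is still caught once it decodes to %2e.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a request line we understand
        ip, _method, path, status = m.groups()
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((ip, path, status))
    return hits


# Constructed sample log (not real traffic) for a device web server.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2017:10:00:02 +0000] "GET /../../config/settings.xml HTTP/1.1" 200 1800',
    '10.0.0.9 - - [24/Mar/2017:10:00:03 +0000] "GET /%2e%2e/%2e%2e/config/users.db HTTP/1.1" 403 0',
]
```

A 200 status on a flagged line is the case worth escalating, since it suggests the server actually served the file rather than rejecting the request.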

In theory, a hacker with direct access to a connected PG 8528’s local network could target the machine to enter the rest of a hospital’s computer system, putting sensitive medical records at risk. The PG 8528 is not typically connected to the public internet, meaning that an attacker would likely require access to the local network, where one of these washing machines is connected, to exploit this bug.

It’s not uncommon for internet-connected appliances, otherwise known as “Internet of Things” devices, to lack basic digital security measures.

Recent media reports have highlighted a series of vulnerabilities in popular consumer-oriented internet-connected light bulbs, DVRs, thermostats, security cameras and GPS trackers. In one case, basic vulnerabilities were exploited to hijack hundreds of thousands of insecure devices to launch a large-scale distributed denial of service, or DDoS, attack on internet traffic management company Dyn.

Regel told Vice’s MotherBoard and Help Net Security that Miele was informed of the aforementioned vulnerability in November. It remains unclear when and if a patch or update will be released by the German manufacturer.

In Washington, Congress has begun discussing legislation and regulation that may one day force so-called IoT companies to incorporate digital security in future products.

Last November, the Obama White House and Homeland Security Department also announced the release of rudimentary cybersecurity guidelines for IoT device makers. The voluntary recommendations stressed the need for a security-focused engineering approach in early development phases.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.