February 18, 2020
Security researcher Bob Diachenko noticed an unusual type of information in a publicly accessible instance of the Heartbeat monitoring service. On closer inspection he found that the data belonged to owners of Whirlpool appliances and that the database was hosting full system scan reports. It quickly became apparent that the database received new entries every hour, meaning that Whirlpool polls its appliances at very frequent intervals to check their internet connection status. If an appliance was online, Whirlpool collected its SAID number, model name and number, various attributes, and the customer's email address.
The exposed database contained more than 28.1 million records, which means that the email addresses of potentially that many people were exposed. Losing an email address is not catastrophic on its own, but correlated with other data it can enable phishing attacks and other forms of targeting. Moreover, polling a device every 60 minutes is excessive as a practice, even if it is done with benevolent intentions.
The researcher informed the century-old American manufacturer, and they took the database and service instance down the following day. Their official statement came a couple of days later, and it was the following:
“Our company was recently made aware of potential security concerns with respect to one of its databases. The database was immediately taken offline and secured. Our investigation showed that 48,000 emails were publicly available – but no confidential information was exposed. We are in the process of reaching out to impacted consumers. Our company appreciated this notification so the issue could be quickly addressed.”
Whether 28.1 million records can correspond to just 48,000 email addresses is for you to judge, just as whether to use Whirlpool IoT appliances is for you to decide. Generally, anything connected to the internet constitutes a privacy and security risk. This case of dishwashers and refrigerators phoning home to Whirlpool every hour neatly highlights the risks that we consumers often forget when dealing with smart devices.