A Miele industrial dishwasher intended for hospital use has caused general concern after a security vulnerability was found by researchers.
The appliance’s built-in web server, used to receive instructions from a remote browser, was found to be prone to an attack that allows unauthorized parties to access sensitive information, including configuration files and shadow passwords, which could then be leveraged to mount further attacks.
Jens Regel of German company Schneider-Wulf reportedly contacted Miele about this discovery in late 2016, but the company initially failed to respond. Unsurprisingly, there was no established process for reporting software bugs. Compounding the problem, the dishwasher’s documentation reveals extremely little about the build of the firmware or web server.
This is yet another example of the challenges faced by companies that have not traditionally made internet products and are now connecting their devices to the ‘net. Ashkan Soltani, a security researcher who spent a year as the FTC’s Chief Technologist, wrote in a blog post in 2015:
“Growth and diversity in IoT hardware also means that many devices introduced in the IoT market will be manufactured by new entrants that have very little prior experience in software development and security.”
Security costs money. Privacy costs money. The perpetual question is: what will cause companies to prioritize spending on impact assessments, penetration testing and hiring security people? Is it the threat of market punishment, lawsuits, or regulation?