Security issue in smart hot tub software exposes user data

A researcher has discovered a security issue in the software used by smart hot tubs, hot tubs that connect to the internet (or, as a wag put it, a "spa crime machine"), which exposes user data.

Detailed by security researcher EatonWorks on Monday, the security issue was discovered in software used in models produced by Jacuzzi Brands LLC, a leading hot tub manufacturer. The company's smart hot tubs offer a "SmartTub" feature that allows users to connect to the hot tub remotely.

SmartTub consists of two elements: a module inside the tub with a cellular data connection that can monitor and control the jacuzzi, and an Android and iOS application. The tub is always connected to a central server, to which it sends status updates and from which it accepts commands such as turning on lights and jets, adjusting water temperature, and other features. The service also integrates with Alexa, Google Assistant, Google Wear OS, and Apple Watch.

The security issues first surfaced when Eaton, who appears to live online under a single name, tried to log into SmartTub using a password manager but was directed to the wrong website, which displayed a message saying he was not allowed to enter. "Just before this message appeared, I saw a header and a table flash briefly on my screen," Eaton wrote. "I was surprised to find it was an admin panel full of user data."

After discovering the data, Eaton then attempted to circumvent the restrictions and gain access using a program called Fiddler to intercept and modify a code telling the website that he was an administrator. The bypass was successful, with the amount of data found described as staggering. “I could see the details of each spa, see its owner, and even remove its ownership,” Eaton explained.
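The flaw described above is the classic pattern of an admin panel whose access decision rests on something the client controls: the server hands over the data, and only the browser decides whether to show it, so a proxy that alters the client's claim gets everything. The following is an added example, not SmartTub's or Jacuzzi's code, showing a hypothetical admin endpoint that trusts a client-supplied role header beside a version that derives the role from a server-side session and records denied attempts for the security team. All names, session ids, and spa records are constructed.

```python
# Added example (not the SmartTub code): an admin endpoint that trusts a
# client-supplied role claim, beside one that derives the role from a
# server-side session and logs denials. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the kind of per-tub records an admin panel lists.
SPA_RECORDS = [
    {"spa_id": "spa-0001", "owner": "alice@example.com"},
    {"spa_id": "spa-0002", "owner": "bob@example.com"},
]

# Server-side session store: opaque session id -> identity verified at login.
# In a real deployment this lives in a database or cache, never in the client.
SESSIONS = {
    "sess-user-7f3a": {"user": "alice@example.com", "role": "user"},
    "sess-admin-91c0": {"user": "support@example.com", "role": "admin"},
}

AUDIT_LOG: list = []   # where a SIEM would pick up denied attempts


@dataclass
class Request:
    headers: dict = field(default_factory=dict)   # client-controlled
    session_id: Optional[str] = None              # from a session cookie


def vulnerable_admin_panel(req: Request) -> tuple:
    """Authorization decided from a header the client sets itself.

    Anything the client sends (a header, a JSON claim, an unsigned token)
    can be altered before it reaches the server, so this check protects
    nothing: the server still returns every record to whoever claims admin.
    """
    if req.headers.get("X-Role") == "admin":
        return 200, SPA_RECORDS
    return 403, []


def hardened_admin_panel(req: Request) -> tuple:
    """Authorization decided from server-side state only.

    The role comes from the session record created at login; the request's
    own headers are never consulted for the decision, only recorded for audit.
    """
    session = SESSIONS.get(req.session_id or "")
    if session is None:
        return 401, []                      # no valid session: authenticate first
    if session["role"] != "admin":
        # A non-admin session whose headers also claim admin is a tampering
        # signal worth alerting on, not merely denying.
        AUDIT_LOG.append({
            "event": "admin_panel_denied",
            "user": session["user"],
            "claimed_role": req.headers.get("X-Role"),
        })
        return 403, []
    return 200, SPA_RECORDS


def tamper_attempts_for(user: str) -> int:
    """Count denied admin-panel requests by a user whose headers claimed admin."""
    return sum(1 for e in AUDIT_LOG
               if e["user"] == user and e["claimed_role"] == "admin")


if __name__ == "__main__":
    forged = Request(headers={"X-Role": "admin"}, session_id="sess-user-7f3a")
    print("vulnerable:", vulnerable_admin_panel(forged)[0])   # 200: data leaks
    print("hardened:  ", hardened_admin_panel(forged)[0])     # 403: denied
    print("audit:", AUDIT_LOG)
```

The design point is that the hardened handler has no code path in which client input influences the decision; the session id only selects a server-side record, and the role is read from that record. Logging the mismatch between the claimed and the actual role gives detection engineers a concrete event to alert on, which is the kind of signal that would have flagged the intercept-and-modify attempt described above.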

Fortunately, Eaton is an ethical hacker and did not steal or manipulate the discovered data. Jacuzzi Brands was first notified of the security issue in early December, and the issue was finally resolved on June 4. Eaton describes ongoing communication problems with the company, including no response to his emails, even though it eventually took action to resolve the issue.

"It was sort of a standard IoT hack and we can expect hundreds of thousands of them in the coming decade," Roger Grimes, data-driven defense evangelist at the security awareness training company KnowBe4 Inc., told SiliconANGLE. "The ultimate problem was a poorly secured admin console website where admin credentials could be bypassed. This is a very common type of vulnerability and if the website had been subjected to any type of security code review or penetration test, it would have been detected and could have been fixed before people's data was compromised."

Grimes added that the most concerning part was the time it took for the bug to be resolved by the affected vendor.

"He contacts them again and again, gets delayed, ignored, and tries again," Grimes said. "It shouldn't be that hard for a bug finder to report a bug and get that vendor to acknowledge the bug, thank and compensate the bug finder, and get the bug fixed. There will always be bugs. It's how the provider responds when they're reported that matters the most in the long run."

Image: Jacuzzi Brands
