Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data (techcrunch.com) 59

A security researcher found vulnerabilities in Jacuzzi's SmartTub interface that allowed access to the personal data of every hot tub owner. From a report: Jacuzzi's SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a "personal hot tub assistant," users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It's unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

"The main concern is their name and email being leaked," Zveare told TechCrunch, adding that attackers could also potentially heat up someone else's hot tub or change the filtration cycles. "That would make things unpleasant the next time the person checked their tub," he said. "But I don't think there is anything truly dangerous that could have been done -- you have to do all chemicals by hand." Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an "unauthorized" error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

This discussion has been archived. No new comments can be posted.

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data

Comments Filter:
  • by hdyoung ( 5182939 ) on Thursday June 23, 2022 @11:08AM (#62644804)
    Precious. Bodily. Fluids.
  • Ow! Too hot in the hot tub. Burns my flesh!

  • Which human quality is to blame for this display of ineptitude? And the fact that Jacuzzi basically gave this guy an IDGAF response when warned really adds to the already bad taste.
    • Which human quality is to blame for this display of ineptitude?

      Why are you even asking? The Disease of Greed has infected mankind for thousands of years. We will likely extinct ourselves right here on this dying rock, forever addicted to it.

      And the fact that Jacuzzi basically gave this guy an IDGAF response when warned really adds to the already bad taste.

      Uh huh. As if the Fuck You Very Much and Have a Nice Day responses from mega-corps are any better. Corporate response is now defined as Corporate Arrogance.

      In other words, they have more lawyers than you do. Every fucking time. Good luck, but they already know who will win, hence the Arrogance.

      • Let us all remember the "Ford memo" from way back when, and ponder why so many people *still* put blind faith in companies.

        • Let us all remember the "Ford memo" from way back when, and ponder why so many people *still* put blind faith in companies.

          "Because the estimated cost of repairs was about 2.5 times the estimate of the resulting benefits, Ford chose to do nothing, putting its profits above the value of human life."

          If profits above the value of human life is undoubtedly a bad thing, it tends to make you wonder about the bullshit excuses Greed has for keeping cigarettes legal.

  • Do ppl really care about temperature preference privacy? I'm tired of this chicken little privacy.

    • If you have hired a Private Detective on your SO because you think they are cheating on you, and you find the Hot Tub being used while they are suppose to be at work,

      • If you have hired a Private Detective on your SO because you think they are cheating on you, and you find the Hot Tub being used while they are suppose to be at work,

        I'm not saying it could be aliens...but it could be ALIENS

    • Do ppl really care about temperature preference privacy? I'm tired of this chicken little privacy.

      Well you probably won't, until you find our your insurance is charging you more because of the "increased risks" related to owning a hot tub.

      (You can stop pretending no one is buying these statistics-for-profit now.)

    • by ceoyoyo ( 59147 )

      Didn't even read the summary hey?

      The problem is that Jacuzzi sent all the control panel information to the requester, then asked for the password. That information included names and e-mail addresses.

      • by EvilSS ( 557649 )

        That information included names and e-mail addresses.

        OK, but so? It's not like that info isn't already available online from one of the millions of other leaks anyway. So now the dark web also knows I own a shitty IoT hottub as well. Meh.

  • I'm more concerned that a "bad person" could boil the hot tub.

    • Doesn't even take a bad person, only a hot-tub maker that isn't happy with your review.

      Ponder for a moment who really controls a hot-tub that you allegedly "control" with your cellphone, when you don't have a server receiving those commands from your phone but your hot tub has an internet connection.

  • First World Problem.

  • by Anonymous Coward on Thursday June 23, 2022 @11:32AM (#62644898)

    What's the need of a jaccuzi being connected to the internet ? The idea is ridiculous.
    What's the next headline ? How about :

    " man killed by malicious hacker while loading his internet connected dishwasher " ?

    Really.

  • When they went back in time?
  • by larryjoe ( 135075 ) on Thursday June 23, 2022 @12:11PM (#62645046)

    Why is network connectivity needed? So that people away from home can check on and control their hot tub while they're away? How about a panel of hardwired switches and knobs on the hot tub instead?

    • Yeah a panel of hard wired switches and knobs on the tub work great for controlling a hot tub while people are away. Seriously, why do you propose an idea you already determined unsuitable in your first sentence?

      Also get your fat arse up from the couch, my granddaddy didn't need the convenience of a remote and therefore you shouldn't either.

      • When people are away, they don't need to control the hot-tub. Ie, while I'm at my office I would feel the need to turn off two of the jets for some reason?

        This is set up on the phone for those people who feel that a phone must be the only remote control that exists. Some people use phones to turn the lights on and off in their house, because the light switch is for old farts. These hot tub users aren't controlling the hot tub when they're far away from it.

        The networking part is because the dumb IoT style

    • I'm sure this was the user story presented: So you are trying to save money, so you don't need your hot tub up to temp all the time, so you set it 10 degrees lower. Now, you look at the weather and see that it is going to be a gorgeous star filled night tonight, so you pop open the app while you are still at work and raise the temp to what you want. By the time you are off work and home, it is up to your preferred temperature and ready to go. Its the same reason to have a network connected ANYTHING ... .con
    • by Strider- ( 39683 )

      It's more that the hot tubs consume a lot of electricity just holding the water warm. Yeah the lights and stuff is a bit silly, but being able to control the temperature is pretty handy.

      In my own home, I can remotely control the heated floor in my bathroom. If I go away on a trip and forget to turn off the timer, I can do so remotely. It's rather nice.

      That said, it's all connected via Apple's HomeKit which is at least reasonably secure. In-house, it never goes to the outside world, all the control is local

    • by ljw1004 ( 764174 )

      Why is network connectivity needed? So that people away from home can check on and control their hot tub while they're away? How about a panel of hardwired switches and knobs on the hot tub instead?

      My 1000gallon spa takes ~8hrs to reach temperature from cold, ~4hrs if it still has residual heat from the past few days. I'd love to be able to switch it on remotely, so it'll be ready by the time I come home. I'd love to have remote temperature reporting so I know when to turn it on.

      I recently replaced the incandescent light with a daylight-temperature LED. But popular lights on the market are multi-color LEDs, and indeed it'd be fun to change the ambience with different colors. It's quite awkward to run

  • Sure they do! It goes along perfectly with their Internet connected, fridge, hairdryer and toothbrush. Still waiting for the Internet connected toilet so we can keep China FULLY informed.
  • Remember back in the early days if the internet (early 1990s) some fellow had a website reporting the status of his hot tub (if I remember correctly). Anyone recall the details?
    • by whitroth ( 9367 )

      1980s, I think, and it was a dorm in MIT that monitored the soda vending machine in the lobby.

  • So you can control it while you're in the hot tub and holding your mobile, allowing you to drop it and short it out.

    Right?

    • It doesn't even do that. You're telling the manufacturer to do that to your hot tub. Essentially, you're trusting the manufacturer not only to continue existing and supporting your hot tub, you're also trusting them to do what you want.

      That's way, way more trust than I'd recommend putting into any manufacturer of shoddy IoT crap.

      • Essentially, you're trusting the manufacturer not only to continue existing and supporting your hot tub,

        You're making a lot of assumptions about the ability to locally control the hot tub. Hint: For all the doom and gloom the anti internet connected crowd loves to spew here, the reality is in the overwhelming majority of cases with the absence of the manufacturer or an internet connection the device continues to function exactly the same way as the "alternative" products people often promote.

        • As in, like a "dumb" hot tub?

          Yeah, pretty much. Ok, with a free security problem thrown into the deal, but hey...

    • allowing you to drop it and short it out.

      I'm not sure what kind of phone you have. But here's a story. We were on a Greek island a few months ago, water so clear you'd swear it was a movie trick. Up to the second level of the deck I go, and dive off the side of the boat into that beautiful water. Guy behind me does the same. We nod at each other while swimming in the sea at how fucking awesome life is.

      Then he pulls his phone out of his pocket shakes the water off the lens and starts filming so he can get a video of his girlfriend diving. Then he p

  • You're dealing with a bunch of people who are probably, maybe, or at least possibly, good at making the appliance they sell you, be that a hot tub, a TV set, a refrigerator or a toaster. But these people have ZERO experience dealing with security, and they sure as all hell don't have the money to hire someone who does. So what you have there is people with the security knowledge you used to see in webpages of the 1990s, facing the thread of attackers that know all those cheap shots and then some more, all t

  • You decided that an object of intimacy like a hot tub should be "smart" and always connected to the internet. So look what happened.

    I won't even bother breaking out the tiny violin for that saddest song for you.

  • by Ziest ( 143204 )

    This Internet of Things is really starting to get out of hand. Do they have WiFi connected butt plugs?

  • In its infancy.

  • Users should expect that their personal "data" is going to be exposed in a hot tub.

  • Set the temperature to 101F and then switch the units to Celsius. A surprising number of hot tub controllers will then set the heat level to 101C.
  • Who would be foolish enough to give Jacuzzi a real name and email address just so they can control their hot tub with an app?
  • Don't buy IoT devices that rely on cloud services; IoT devices best live on an isolated VLAN in your home. If you buy one, see if it can work without the cloud. For instance, DoorBird smart doorbells come with a cloud service, but they run on open protocols and you can connect them to your own server instead of their cloud.
  • Hot tubs have thermo h/w cut offs for over temp and temperature breakers in the motor housing. (At least my tubs did..) These will trip and cut heat or motor before scalding. Just like water heaters.

"Can you program?" "Well, I'm literate, if that's what you mean!"

Working...