UPDATED 20:52 EST / JUNE 21 2022

Security issue in smart jacuzzi software exposes user data

A researcher has found a security issue in software used by smart jacuzzis — hot tubs that connect to the internet, or as one wag put it, a “hot tub crime machine” — that exposes user data.

Detailed Monday by security researcher EatonWorks, the security issue was found in software used in models produced by Jacuzzi Brands LLC, a leading hot tub and spa manufacturer. The company’s smart jacuzzis offer a “SmartTub” feature to allow users to connect to the jacuzzi remotely.

SmartTub consists of two elements: a module inside the tub with cell data reception that can access and control the jacuzzi and an Android and iOS app. The tub is always connected to a central server and provides status updates and listings for commands such as turning on lights and jets, setting water temperature and other features. The service also integrates with Alexa, Google Assistant, Google Wear OS and Apple Watch.

The security issues first arose when Eaton, who appears to live online under a single name, tried to log in to SmartTub using a password manager but was instead taken to the wrong website, which stated he wasn’t authorized to enter. “Right before that message appeared, I saw a header and table briefly flash on my screen,” Eaton wrote. “I was surprised to discover it was an admin panel populated with user data.”

Having discovered the data, Eaton then tried to bypass the restrictions and obtain access, using a program called Fiddler to intercept and modify the code that told the website he was an admin. The bypass was successful, and the amount of data exposed was described as staggering. “I could view the details of every spa, see its owner and even remove their ownership,” Eaton explained.
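The flaw Eaton describes, an admin check that only the browser enforces while the server has already sent the data, shown beside the server-side fix. This is an added illustration in JavaScript, not SmartTub code; the spa records, session tokens and handler names are constructed for the demonstration.

```javascript
// Constructed sample records standing in for the "every spa" table.
const SPAS = [
  { id: "spa-001", owner: "alice@example.invalid" },
  { id: "spa-002", owner: "bob@example.invalid" },
];

// Sessions as the server knows them (constructed); the browser never
// gets to choose these, only to present a token.
const SESSIONS = {
  "tok-admin": { user: "ops", role: "admin" },
  "tok-user": { user: "alice", role: "user" },
};

// VULNERABLE: the server answers every request with the full table plus an
// isAdmin hint and trusts the client to hide the panel when the hint is false.
// The records have already crossed the wire before any redirect happens, so
// reading or editing the response (as with an intercepting proxy) reveals them.
function adminPanelVulnerable(sessionToken) {
  const session = SESSIONS[sessionToken];
  return { status: 200, isAdmin: !!session && session.role === "admin", spas: SPAS };
}

// Simulated browser logic for the vulnerable design: a single flag decides
// what is displayed. clientFlag models a tampered value overriding the server's.
function renderVulnerable(response, clientFlag) {
  const show = clientFlag ?? response.isAdmin;
  return show ? response.spas : "not authorized";
}

// HARDENED: authorization is decided server-side from the session, and a
// non-admin receives 403 with no records at all. There is no flag for the
// client to edit, and nothing to leak before a redirect.
function adminPanelHardened(sessionToken) {
  const session = SESSIONS[sessionToken];
  if (!session || session.role !== "admin") {
    return { status: 403, spas: [] };
  }
  return { status: 200, spas: SPAS };
}

// Defender's check for a code review or pen test: does a response meant for a
// non-admin carry any spa records?
function leaksData(response) {
  return response.spas.length > 0;
}
```

A review that exercises the admin endpoint with a non-admin session and runs `leaksData` on the result catches the vulnerable design regardless of what the front end displays.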

Fortunately, Eaton is an ethical hacker and did not steal or manipulate the data uncovered. Jacuzzi Brands was first informed of the security issue in early December, and the issue was finally resolved by June 4. Eaton describes ongoing communication problems with the company, including no responses to his emails, although it did finally act to fix the issue.

“This was somewhat of a standard IoT hack and we can expect hundreds of thousands of them in the coming decade,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The ultimate issue was a poorly secured admin console website in which admin credentials could be bypassed. This is a very common type of vulnerability, and had the website been subjected to any type of security code review or pen test, it would have been caught and could have been remediated before people’s data was compromised.”

Grimes added that the more concerning part was how long it took to get the bug resolved by the involved vendor.

“He contacts them over and over, gets delayed, ignored and tries again,” Grimes explains. “It should not be so hard for a bug finder to report a bug and get that vendor to acknowledge the bug, thank and remunerate the bug finder and for the bug to be fixed. There are always going to be bugs. It’s how the vendor responds when they are reported that matters the most in the long run.”

Image: Jacuzzi Brands
