A security researcher has found a vulnerability in the software used by smart jacuzzis, internet-connected hot tubs, that exposed user data.
Detailed by security researcher Eaton (EatonWorks), the issue was found in software used in models produced by Jacuzzi Brands LLC, a leading hot tub and spa manufacturer. The company's smart jacuzzis offer a "SmartTub" feature that lets users connect to the jacuzzi remotely.
SmartTub consists of two elements: a module inside the tub with a cellular data connection that can read and control the jacuzzi, and an Android and iOS app. The tub is always connected to a central server, to which it sends status updates and from which it receives commands such as turning on the lights or jets and setting the water temperature. The service also integrates with Alexa, Google Assistant, Wear OS and Apple Watch.
The security issue first surfaced when Eaton tried to log in to SmartTub using a password manager but was instead taken to a different website, which told him he wasn't authorized to enter. "Right before that message appeared, I saw a header and table briefly flash on my screen," Eaton wrote. "I was surprised to discover it was an admin panel populated with user data."
Having spotted the data, Eaton set out to bypass the restriction, using the Fiddler debugging proxy to intercept and modify the code that told the website he was an admin. That the bypass worked at all indicates the admin check was enforced in the browser rather than by the server. The amount of data exposed was described as staggering. "I could view the details of every spa, see its owner and even remove their ownership," Eaton explains.
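As an added illustration of the class of bug described above (this is not code from the original article, from Eaton, or from SmartTub), the following Node.js script models a role check that lives in the browser alongside one enforced on the server. The spa records, session tokens and function names are constructed for the example; the `isAdminFlag` argument stands in for whatever value in the served script an intercepting proxy such as Fiddler can rewrite before it runs.

```javascript
'use strict';

// Constructed sample data for the example (hypothetical, not from SmartTub).
const SPAS = [
  { id: 'spa-1001', owner: 'alice@example.com', waterTempC: 38 },
  { id: 'spa-1002', owner: 'bob@example.com', waterTempC: 40 },
  { id: 'spa-1003', owner: 'carol@example.com', waterTempC: 37 },
];

// Server-side session store keyed by bearer token. The role lives here,
// where the client cannot edit it. Tokens are made up for the example.
const SESSIONS = {
  'tok-alice': { user: 'alice@example.com', role: 'user' },
  'tok-admin': { user: 'ops@example.com', role: 'admin' },
};

// ---------------------------------------------------------------------
// Vulnerable pattern: the API only checks that the caller is logged in and
// hands back every spa; whether to show the admin panel is decided by a flag
// in the JavaScript bundle.
// ---------------------------------------------------------------------
function vulnerableListSpasApi(token) {
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: null };
  return { status: 200, body: SPAS }; // no role check at all
}

// Front end as the browser executes it. The data is fetched first, which is
// why a populated table can flash on screen before the "not authorized"
// page replaces it; isAdminFlag is the value a proxy can rewrite.
function vulnerableFrontEnd(token, isAdminFlag) {
  const resp = vulnerableListSpasApi(token);
  if (resp.status !== 200) return { rendered: 'login', rows: 0 };
  const rows = resp.body.length; // every record is already in the browser
  if (!isAdminFlag) return { rendered: 'unauthorized', rows: 0 };
  return { rendered: 'admin-panel', rows };
}

// ---------------------------------------------------------------------
// Hardened pattern: the server derives the role from its own session record
// and refuses the listing (and any ownership change) to non-admins. Anything
// the client rewrites in its bundle has no effect on what the API returns.
// ---------------------------------------------------------------------
function requireRole(token, role) {
  const session = SESSIONS[token];
  if (!session) return { status: 401, session: null };
  if (session.role !== role) return { status: 403, session: null };
  return { status: 200, session };
}

function hardenedListSpasApi(token) {
  const auth = requireRole(token, 'admin');
  if (auth.status !== 200) return { status: auth.status, body: null };
  return { status: 200, body: SPAS };
}

// Admin-only state change: removing the owner from a spa. Returns the
// record as it would be written; the sample array is left unmodified.
function hardenedRemoveOwnerApi(token, spaId) {
  const auth = requireRole(token, 'admin');
  if (auth.status !== 200) return { status: auth.status, body: null };
  const spa = SPAS.find((s) => s.id === spaId);
  if (!spa) return { status: 404, body: null };
  return { status: 200, body: { id: spa.id, owner: null } };
}

// Regular users get an object-level filter: only the spas they own.
function hardenedListMySpasApi(token) {
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: null };
  return { status: 200, body: SPAS.filter((s) => s.owner === session.user) };
}

// The same front end against the hardened API: the flag may still be
// rewritten in a proxy, but the server's status code decides what renders.
function hardenedFrontEnd(token, isAdminFlag) {
  void isAdminFlag; // deliberately ignored; the server is authoritative
  const resp = hardenedListSpasApi(token);
  if (resp.status === 401) return { rendered: 'login', rows: 0 };
  if (resp.status === 403) return { rendered: 'unauthorized', rows: 0 };
  return { rendered: 'admin-panel', rows: resp.body.length };
}

// Replays the reported bypass: a regular user's session with the bundle's
// admin flag flipped to true, against both back ends.
function simulateBypass() {
  return {
    vulnerable: vulnerableFrontEnd('tok-alice', true),
    hardened: hardenedFrontEnd('tok-alice', true),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(simulateBypass(), null, 2));
}
```

Run it with `node` and the vulnerable path renders the full admin panel for a regular user whose only "privilege" is a flag edited in transit, while the hardened path returns 403 for the same request. The fix is not to hide the flag better; it is to make the server the only place where the role is read and where the listing and the ownership change are gated.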
Fortunately, Eaton is an ethical hacker and did not steal or manipulate the data he uncovered. Jacuzzi Brands was first informed of the security issue in early December, and the issue was finally resolved by June 4. Eaton describes ongoing communication problems with the company, including unanswered emails, although it did eventually fix the issue.
“This was somewhat of a standard IoT hack and we can expect hundreds of thousands of them in the coming decade,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The ultimate issue was a poorly secured admin console website in which admin credentials could be bypassed. This is a very, very common type of vulnerability and had the website been subjected to any type of security code review or pen test it would have been caught and could have been remediated before people’s data was compromised.”
Grimes added that the more concerning part was how long it took the vendor to resolve the bug.
“He contacts them over and over, gets delayed, ignored and tries again,” Grimes explains. “It should not be so hard for a bug finder to report a bug and get that vendor to acknowledge the bug, thank and remunerate the bug finder and for the bug to be fixed.”
"The vendor here compounds the original vulnerability with poor response to the bug report," Grimes added. "The latter disturbs me more than the former. There are always going to be bugs. It's how the vendor responds when they are reported that matters the most in the long run."