Researcher Finds Smart Jacuzzis Exposing User Data
Smart hot tubs—yes, that’s a thing!—are the web’s newest spot for cybersecurity snafus.
Florida-based cybersecurity researcher Eaton Zveare was first to document the Internet of Tubs issue on his personal blog, after he came face-to-face with the flaw while setting up the internet-enabled functionality of his own Jacuzzi-branded tub. What he quickly found was that these smart features could also give bad actors access to his personal data—and the data of many other SmartTub aficionados.
Our everyday devices are getting smarter and smarter, but whenever something’s connected to the internet, dumb security flaws follow. We’ve seen coffee pots exposed to ransomware, private feeds from baby monitors leaking online, or anything on the Internet of Shit Twitter feed. The ignominious pantheon’s newest addition: the Jacuzzi SmartTub (and a bunch of others).
Yes, Jacuzzi’s entire smart apparatus is literally called SmartTub. Like just about every other IoT service, SmartTub is built for convenience: it lets owners connect to their tubs with an associated Android or iOS app, and that app, in turn, keeps those owners aware of any power outages or system issues, while also letting them change their tub’s temperature and jets from the comfort of their handheld device. Apparently, the feature’s popular enough that there are over 10,000 downloads of the SmartTub app in the Google Play Store alone.
But when Zveare first tried setting up his own account on the website associated with the tub app, he noticed something strange: his screen threw up a notice telling him that he was “unauthorized” to access that site. Right before that notice went up, though, the researcher saw a brief glimpse of an admin panel chock-full of personal data from fellow tub owners who were using the app. This included data from Jacuzzi customers like himself, but also from folks with other smart tubs under the Jacuzzi brand, like Sundance Spas, D1 Spas and ThermoSpas.
According to Zveare, it was a real “blink and you’d miss it” moment. “I had to use a screen recorder to capture it,” he wrote.
Being a security-conscious user, Zveare’s first response was to try and bust the site wide open. And he did (with what seems like relative ease) by using a tool called Fiddler to tweak his web traffic and convince the TubSite that he was, in fact, an admin. And because smart tech is, again, often rather porous, this ploy worked: Zveare got access to the entire admin panel, which included the names and email addresses of tub owners around the world.
“Once into the admin panel, the amount of data I was allowed to [see] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he wrote. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”
We’ve reached out to Jacuzzi for comment. Zveare did as well—repeatedly, according to his blog: first when he discovered the flaws in December of last year, then again in January, then again throughout the year. Jacuzzi, in response, alternated between acknowledging the emails (but taking no further action) and outright ignoring them, according to Zveare’s retelling. Eventually, he looped in a security rep from a company called Auth0, which was responsible for the login systems Jacuzzi was using. That company was able to convince Jacuzzi to shut down one vulnerable panel, but further stonewalling on Jacuzzi’s part left a second panel exposed, Zveare wrote.
Before writing up this entire spiel on his blog, Zveare decided to “check [that panel] randomly.” In the end, it looks like Jacuzzi did clamp down on the remaining panel, just without telling the person who discovered it.
Will Jacuzzi ever own up to this data debacle? From its track record thus far, we wouldn’t guess so. That said, the Jacuzzi brand is based out of California, and that state does have laws governing security standards for IoT devices as well as laws mandating that state residents be notified when their personal information’s been breached.