Not Even Your ‘Smart’ Jacuzzi Is Safe From The Internet Of Broken Things

from the dumb-is-the-new-smart dept

The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. “Smart” locks that are easy to bypass, “smart” fridges that leak your email credentials, or even “smart” barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.

Even your traditional hot tub isn’t immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).

But like so many IoT vendors more interested in the marketing potential than the reality, they allegedly shipped it without basic security controls on their website administration panel, allowing anyone who could tamper with their own requests to access and control hot tubs all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere:

Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user. They were in, and could see a wealth of information about Jacuzzi owners from around the world. “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “Please note that no operations were attempted that would actually change any data. Therefore, it’s unknown if any changes would actually save. I assumed they would, so I navigated carefully.”

Security researcher EatonWorks documented all of his findings here. Again, not everything needs to be connected to the Internet, and dumb tech is often the smarter option, especially if you’re not willing to spend the time and money needed to do it correctly.
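The flaw class the quoted write-up describes is an authorization decision made on a value the client supplies. The Python below is an added illustration, not code from the article, from EatonWorks or from SmartTub: it models a hypothetical "list spas" endpoint twice, once trusting an `isAdmin` field in the request body (the pattern an intercepting proxy can flip) and once resolving the role from server-side session state. The users, session tokens, spa records and field names are all constructed for the example.

```python
# Added example (not from the article or the vendor): client-asserted role
# versus server-resolved role for a hypothetical spa-management endpoint.
from dataclasses import dataclass, field
from typing import Any

# Constructed server-side state. In a real deployment these are database
# tables; the point is that roles live here, never in what the client sends.
USERS = {
    "alice":   {"role": "owner", "spas": ["SPA-0001"]},
    "mallory": {"role": "owner", "spas": ["SPA-0002"]},
    "support": {"role": "admin", "spas": []},
}
SESSIONS = {  # opaque session token -> authenticated username (constructed)
    "tok-alice": "alice",
    "tok-mallory": "mallory",
    "tok-support": "support",
}
SPAS = {
    "SPA-0001": {"owner": "alice",   "temp_c": 38.0},
    "SPA-0002": {"owner": "mallory", "temp_c": 37.5},
    "SPA-0003": {"owner": "carol",   "temp_c": 39.0},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: headers plus parsed JSON body."""
    headers: dict[str, str] = field(default_factory=dict)
    body: dict[str, Any] = field(default_factory=dict)


def _session_user(req: Request):
    """Map the session header to a username, or None if not logged in."""
    return SESSIONS.get(req.headers.get("X-Session", ""))


def vulnerable_list_spas(req: Request) -> tuple[int, list[str]]:
    """Authorization decided by a flag the client supplies.

    The front end sets body["isAdmin"] after login and the server believes
    it, so any authenticated user who edits their own request sees every
    record. This is the weak pattern, kept here only for contrast.
    """
    user = _session_user(req)
    if user is None:
        return 401, []
    if req.body.get("isAdmin") is True:        # client-controlled: the bug
        return 200, sorted(SPAS)
    return 200, sorted(USERS[user]["spas"])


def hardened_list_spas(req: Request) -> tuple[int, list[str]]:
    """Authorization decided from server-side state only.

    The role comes from the authenticated session; any isAdmin field in the
    body is ignored. Non-admins see only spas whose owner record is theirs.
    """
    user = _session_user(req)
    if user is None:
        return 401, []
    if USERS[user]["role"] == "admin":
        return 200, sorted(SPAS)
    return 200, sorted(sid for sid, spa in SPAS.items() if spa["owner"] == user)


def hardened_remove_ownership(req: Request, spa_id: str) -> int:
    """Mutation path with the same rule: role from the session, never the body."""
    user = _session_user(req)
    if user is None:
        return 401
    if USERS[user]["role"] != "admin":
        return 403
    if spa_id not in SPAS:
        return 404
    SPAS[spa_id]["owner"] = None
    return 204


def demo() -> tuple[tuple[int, list[str]], tuple[int, list[str]]]:
    """Same forged request against both handlers."""
    forged = Request(headers={"X-Session": "tok-mallory"}, body={"isAdmin": True})
    return vulnerable_list_spas(forged), hardened_list_spas(forged)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable handler:", vulnerable)   # every spa in the system
    print("hardened handler:  ", hardened)     # only the caller's own spa
```

The contrast is the whole lesson: the hardened handlers never read a privilege claim from the request, so nothing an intercepting proxy can change on the wire alters the outcome. The same rule applies to the mutation path, which is why the ownership-removal handler checks the server-side role before touching any record.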


Comments on “Not Even Your ‘Smart’ Jacuzzi Is Safe From The Internet Of Broken Things”

jojo_36 (profile) says:

Idea Pitch.

Tired of poo on your hands? Have an important meeting in thirty seconds that’ll decide your life’s trajectory but you’re stuck on your porcelain throne and the nearest don’t of toilet paper is gone? Do you not have hands? Introducing the World’s first SmartAss-Wiper!

Relive the days of Henry the VIII and have your own royal cleaner. Connected via Bluetooth and powered by the sun, the SmartAss-Wiper can clean that deep crevice with the command of your smartphone, guaranteed! It can fit in your pocket and clean your ass quickly, effectively, and satisfyingly! Get a SmartAss-Wiper now for $10,000, with an annual fee of 2,000 per month! Call 555-5555-5556 or order now on and you’ll never get your hands dirty ever again!

kitsune361 says:

The idea of IoT isn’t itself dumb, but holy crap are there a lot of really dumb implementations. If it’s strictly cloud controlled with no LAN based control, it’s garbage; if the cloud service is leaky insecure trash, it’s worse than garbage.

I <3 my smart bulbs. I can control them from anywhere in the house with my phone. I can control them from anywhere else with my VPN connection… and I have them all firewalled from the internet because I can’t trust that the manufacturer isn’t an idiot when it comes to security.

Anonymous Coward says:

If you read the referenced article, it isn’t even IoT that is the real problem here. It was a badly written webpage, with the admin page being accessible with literally no server-side authentication. The IoT piece is just due to the ability to control the devices from said admin page, but the real concern was the personal information for all the customers that was available. That would have been a problem for an IoT, commerce, or even a simple forum site with the same lack of security.

Anonymous Coward says:

The IoT is a terrible idea. Mainly because no maker sees any ‘profit’ in providing security. They see it as wasted money that could have been profit. To them there is no return in value to spend the money on security. It results in just the sort of thing this article is about.

Worse yet, being digital and requiring connection to the internet is not a good thing. You’d think the convenience would be a great selling point.

The problem comes down the line, even without being concerned with security. At some point the returns for this or that model reach a point it no longer pays server costs. So they then consider shutting down the server, making whatever requires connection to function, no longer work. There are tons of examples of this. Remember Rio and Microsoft being in the music business? Remember Google buying the Nest thermometer brand? All went belly up when the servers were shut down. Google changed the requirements of the brand requiring you to buy a new thermometer.

Face it, connection to the net is not a good thing. Philips had a lighting system. When they figured out they were losing money to third party replacement bulbs, they put in DRM to saddle their customers with higher prices, done of course through the internet.

I buy something, I want it to do its job until it’s worn out. I don’t want the maker to decide they aren’t making enough money and shut it down long before its life is finished.

Lostinlodos (profile) says:

I mean, I get it but…

“because walking to the tub and quickly turning a dial is clearly too much to ask”

The premise here, I assume, is coming home from an evil day at work. 10 minutes away your smart tub turns on and fills to the perfect temperature.
You pull into your self-sensing garage and walk out of your car, which shuts off since you’re not in it.
You slowly strip leaving a trail of clothing for your home-bot to pick up, sort, and launder for you in your connected AIO washer dryer. And slip into a nice warm bath.

I get it.
But until we get a few billion micro-satellites in a geo-synchronised ring and have direct beam per-person private mobile LAN… not really all that smart.

Jeremy Lyman (profile) says:

I don't have a hot tub, but

At the risk of exposing myself to IoT haranguing: wouldn’t a remote operated hot tub be very useful and potentially save lots of energy and money? Karl mentions walking to the tub and turning a dial, but it can take hours for a hot tub to reach 100 degrees depending on how high you leave it when not in use. The internets say keeping your spa 1 degree lower can cut your energy bill by up to 10-15%. Enabling people to remotely pre-heat their systems seems like a pretty reasonable goal, though it obviously should have been done in a more thorough manner.

That Anonymous Coward (profile) says:

It is a good idea…
It is sad that the execution of the idea is ALWAYS shitty…

People keep demanding more and more things be connected to the net quicker sooner faster because they believe that all of those other horror stories will never happen to them…

The person who will end up very rich and well loved is the person who develops a secure IoT backend that’s been tested, vetted, and can handle whatever device you want to connect to it. Right now all they do is slap in the cheapest parts they can get & get someone on Fiverr to write them a code blob to make it go and spin it up on some engineer’s server at home to service all the customers.

Also in my mind, people who have jacuzzis aren’t the type that care about how much the bill is as long as their status symbol is ready to go.
