Not Even Your ‘Smart’ Jacuzzi Is Safe From The Internet Of Broken Things
from the dumb-is-the-new-smart dept
The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. “Smart” locks that are easy to bypass, “smart” fridges that leak your email credentials, or even “smart” barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.
Even your traditional hot tub isn’t immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).
But like so many IoT vendors more interested in marketing potential than in reality, they allegedly implemented it without basic security on their website administration panel, allowing attackers to access and control hot tubs all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere:
Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user. They were in, and could see a wealth of information about Jacuzzi owners from around the world. “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “Please note that no operations were attempted that would actually change any data. Therefore, it’s unknown if any changes would actually save. I assumed they would, so I navigated carefully.”
Security researcher EatonWorks documented all of his findings here. Again, not everything needs Internet functionality, and often dumb tech is the smarter option. Especially if you’re not willing to invest the time and money needed to do it correctly.
Filed Under: hot tubs, internet of things, jacuzzi, privacy, security, smart tech
Companies: smarttub
Comments on “Not Even Your ‘Smart’ Jacuzzi Is Safe From The Internet Of Broken Things”
Great fun was had by all
I say, turn it up to boil!
Idea Pitch.
Tired of poo on your hands? Have an important meeting in thirty seconds that’ll decide your life’s trajectory but you’re stuck on your porcelain throne and the nearest don’t of toilet paper is gone? Do you not have hands? Introducing the World’s first SmartAss-Wiper!
Relive the days of Henry the VIII and have your own royal cleaner. Connected via Bluetooth and powered by the sun, the SmartAss-Wiper can clean that deep crevice with the command of your smartphone, guaranteed! It can fit in your pocket and clean your ass quickly, effectively, and satisfyingly! Get a SmartAss-Wiper now for $10,000, with an annual fee of 2,000 per month! Call 555-5555-5556 or order now on http://www.Smartasswipers.com and you’ll never get your hands dirty ever again!
This is why I’ve never bothered with things like Internet toasters and coffee machines. In many cases, the so-called ‘dumb’ equivalent is smarter. Besides, what the fuck would I do with a digital bathtub that can’t be done in a standard one?
Re:
some people have some… unique fetishes.
Re: Re:
Duuuuude! LOL.
Re: Re: Re:
What? Changing the power of the jet output to different pressures throughout the experience to reach the perfect oooohhhhh!
“If you build it they will…” er never mind.
Re: Re: Re:2
Changing the power of the jet output to different pressures throughout the experience to reach the perfect oooohhhhh!
You don’t need your phone to do that.
IOT is a shitshow, example #974985739857
And yet people keep paying money for these things.
Humans, unable to learn.
“Smart” locks that are easy to bypass
To be fair, most locks are already easy to bypass regardless of how smart or dumb they are. Basic raking attacks can bypass almost all common locks with minimal tools and almost no skill.
Re: ooh, ooh!
I’m a super cool hacker too! I know locks are crap!!!
The idea of IoT isn’t itself dumb, but holy crap are there a lot of really dumb implementations. If it’s strictly cloud controlled with no LAN based control, it’s garbage; if the cloud service is leaky insecure trash, it’s worse than garbage.
I <3 my smart bulbs. I can control them from anywhere in the house with my phone. I can control them from anywhere else with my VPN connection… and I have them all firewalled from the internet because I can’t trust that the manufacturer isn’t an idiot when it comes to security.
If you read the referenced article it isn’t even IoT that is the real problem here. It was a badly written webpage with the admin page being accessible with literally no server side authentication. The IoT piece is just due to the ability to control the devices from said admin page, but the real concern was the personal information for all the customers that was available. That would have been a problem for an IoT, commerce, or even a simple forum site with the same lack of security.
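The flaw the comment above describes, in miniature, as an added example that is not code from the article, from SmartTub or from EatonWorks: an admin decision taken from anything the client controls can be flipped in a proxy, so the role must come from a server-side session record. The session store, spa records and request shape are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: a server-side session store and spa records.
SESSIONS = {
    "sess-owner-1": {"user": "alice", "role": "user"},
    "sess-staff-9": {"user": "dealer", "role": "admin"},
}
SPAS = {"spa-100": {"owner": "alice"}, "spa-200": {"owner": "bob"}}


@dataclass
class Request:
    session_id: str   # cookie the server issued at login
    body: dict        # JSON decoded from the client; fully under its control


def list_spas_vulnerable(req: Request) -> list:
    """Weak pattern: trusts an is_admin flag carried in the request (or set
    by client-side script after a login response). Editing that one value
    in an intercepting proxy is enough to see every spa and owner."""
    if req.body.get("is_admin"):
        return sorted(SPAS)
    user = SESSIONS[req.session_id]["user"]
    return sorted(s for s, r in SPAS.items() if r["owner"] == user)


def list_spas_fixed(req: Request) -> list:
    """Hardened pattern: the role is read only from the server-side session
    record; nothing in the request body can promote the caller, and an
    unknown session is refused outright."""
    sess = SESSIONS.get(req.session_id)
    if sess is None:
        raise PermissionError("not authenticated")
    if sess["role"] == "admin":
        return sorted(SPAS)
    return sorted(s for s, r in SPAS.items() if r["owner"] == sess["user"])


# A normal owner request and the same request with the flag flipped.
owner_req = Request("sess-owner-1", {"is_admin": False})
tampered_req = Request("sess-owner-1", {"is_admin": True})

if __name__ == "__main__":
    print("vulnerable, tampered:", list_spas_vulnerable(tampered_req))
    print("fixed, tampered:     ", list_spas_fixed(tampered_req))
```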
Re:
When an IOT device relies on a server, the security of that server decides whether or not the device is secure, as a compromised server means all devices controlled through it are also compromised.
The IoT is a terrible idea. Mainly because no maker sees any ‘profit’ in providing security. They see it as wasted money that could have been profit. To them there is no return in value to spend the money on security. It results in exactly what this article is about.
Worse yet, being digital and requiring connection to the internet is not a good thing. You’d think the convenience would be a great selling point.
The problem comes down the line, even without being concerned with security. At some point the returns for this or that model reach a point it no longer pays server costs. So they then consider shutting down the server, making whatever requires connection to function, no longer work. There are tons of examples of this. Remember Rio and Microsoft being in the music business? Remember Google buying the Nest thermometer brand? All went belly up when the servers were shut down. Google changed the requirements of the brand requiring you to buy a new thermometer.
Face it, connection to the net is not a good thing. Philips had a lighting system. When they figured out they were losing money to third party replacement bulbs, they put in DRM to saddle their customers with higher prices, done of course through the internet.
I buy something, I want it to do its job until it’s worn out. I don’t want the maker to decide they aren’t making enough money and shut it down long before its life is finished.
I mean, I get it but…
The premise here, I assume, is coming home from an evil day at work. 10 minutes away your smart tub turns on and fills to the perfect temperature.
You pull into your self-sensing garage and walk out of your car, which shuts off since you’re not in it.
You slowly strip leaving a trail of clothing for your home-bot to pick up, sort, and launder for you in your connected AIO washer dryer. And slip into a nice warm bath.
I get it.
But until we get a few billion micro-satellites in a geo-synchronised ring and have direct beam per-person private mobile LAN… not really all that smart.
This was in an episode of 911
I remember seeing an episode of 911 where the scorned wife uses her phone app to play with the temperature of the shower to freeze and burn her husband.
So, sure, an app-controlled device will never be abused.
I don't have a hot tub, but
At the risk of exposing myself to IOT haranguing: wouldn’t a remote operated hot tub be very useful and potentially save lots of energy and money? Karl mentions walking to the tub and turning a dial, but it can take hours for a hot tub to reach 100 degrees depending on how high you leave it when not in use. The internets say keeping your spa 1 degree can lower your energy bill by up to 10-15%. Enabling people to remotely pre-heat their systems seems like a pretty reasonable goal, though obviously it should have been done in a more thorough manner.
Re:
Okay, I just spent a couple hot minutes on the Jacuzzi Smart Tub web page. It uses a cell tower connection to send diagnostics and alerts to the dealer and requires a subscription.
[performs casino dealer ‘clearing the hands’ motion]
Nope, I’m out; never mind.
Re:
It is a good idea…
It is sad that the execution of the idea is ALWAYS shitty…
People keep demanding more and more things be connected to the net quicker sooner faster because they believe that all of those other horror stories will never happen to them…
The person who will end up very rich and well loved is the person who develops a secure IOT backend that’s been tested, vetted, and can handle whatever device you want to connect to it. Right now all they do is slap in the cheapest parts they can get & get someone on Fiverr to write them a code blob to make it go and spin it up on some engineer’s server at home to service all the customers.
Also in my mind, people who have jacuzzis aren’t the type that care about how much the bill is as long as their status symbol is ready to go.