Security flaws in internet-connected hot tubs exposed owners' personal data – TechCrunch

A security researcher discovered vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to each spa owner’s personal data.

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets owners connect to their spa remotely through an associated Android or iPhone app. Marketed as a “personal spa assistant,” the app lets users control water temperature, turn jets on and off, and change the lights.

But as hacker Eaton Zveare has documented, this feature could also be misused by malicious actors to gain access to the personal information of spa owners around the world, including their names and email addresses. It’s unknown how many users are potentially affected, but the SmartTub app has been downloaded over 10,000 times on Google Play.

Zveare first noticed a problem when he tried to log in using the SmartTub web interface, which relies on the third-party identity provider Auth0, and found that the login page returned a “not permitted” message. But for a brief moment, he saw the full admin panel, packed with user data, flash across his screen.

“Blink and you would miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to find that it was an admin panel full of user data. Looking at the data, there is information for multiple brands, not just US.” Those brands include other labels within the Jacuzzi group, such as Sundance Spa, D1 Spas and ThermoSpas.

Zveare then attempted to circumvent the restriction and gain full access. He used the web debugging proxy Fiddler to intercept and modify the code that told the website whether he was an administrator or an ordinary user. The bypass succeeded, giving him full access to the admin panel.

“Once in the admin panel, the amount of data I was allowed to see was staggering. I could view each spa’s details, view its owner and even delete its ownership,” he said. “It would be trivial to create a script to download all user information. It is possible that this has already been done.”
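The bypass described above worked because the admin-only view was enforced in the browser while the backing API handed the data to any signed-in user. The following added example (not code from Jacuzzi, SmartTub or Auth0) contrasts that weak pattern with server-side authorization: the role is read from a signature-verified token, a stand-in for the identity provider's token using an HMAC and a constructed key, and the server filters the records before they leave. The spa records, key and addresses are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample directory standing in for the spa owner records (not real data).
SPAS = {
    "SN-0001": {"owner": "alice@example.com", "brand": "Jacuzzi"},
    "SN-0002": {"owner": "bob@example.com", "brand": "Sundance"},
    "SN-0003": {"owner": "carol@example.com", "brand": "ThermoSpas"},
}
SERVER_KEY = b"constructed-demo-key"  # assumption: stands in for the IdP's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, role: str) -> str:
    """Issue a signed token; the role claim is set server-side, never by the client."""
    body = _b64(json.dumps({"sub": subject, "role": role}, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature matches; any edited body yields None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))

def list_spas_client_gated(token: str) -> dict:
    """Weak pattern: every authenticated caller gets the whole directory and the
    front end is expected to hide it from non-admins. Once the data is in the
    browser, editing the UI's role check is all it takes to see it."""
    return SPAS if verify_token(token) is not None else {}

def list_spas_server_gated(token: str) -> dict:
    """Hardened pattern: the role comes from the verified token and non-admins
    only ever receive the spas they own."""
    claims = verify_token(token)
    if claims is None:
        return {}
    if claims["role"] == "admin":
        return SPAS
    return {sn: rec for sn, rec in SPAS.items() if rec["owner"] == claims["sub"]}
```

A token whose role claim has been edited in transit fails `verify_token` because the signature no longer matches, so the server-gated handler returns nothing rather than the directory.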

Things got worse when Zveare discovered a second admin panel while reviewing the Android app’s source code, allowing him to view and edit product serial numbers, view a list of resellers of licensed spas and view manufacturing logs.

Zveare reached out to Jacuzzi to alert the company to the vulnerabilities, beginning with an initial notification just hours after discovering the flaws on December 3. He received a response asking for more details three days later, but after a month with no further communication he requested help from Auth0, which shut down SmartTub’s vulnerable admin panel. The second admin panel was finally patched on June 4, although Jacuzzi never formally acknowledged that it had fixed the issues.

“After several attempts at contact via three different Jacuzzi/SmartTub email addresses and Twitter, a dialogue was not established until Auth0 intervened,” Zveare said. “Even then, communication with Jacuzzi/SmartTub eventually disappeared completely, with no formal conclusion or acknowledgment that they resolved all reported issues.”

As Zveare notes, Jacuzzi is incorporated in California, which has both a data breach notification law and an Internet of Things security law. The latter requires manufacturers of connected devices, meaning devices capable of connecting directly or indirectly to the internet, to equip every such device sold or offered for sale in California with “reasonable security functionality[s]”.

TechCrunch contacted Jacuzzi for comment, but the company did not respond.
