Security flaws in internet-connected hot tubs exposed owners’ personal data


Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.


Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and ThermoSpas.

Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.



Source: Security flaws in internet-connected hot tubs exposed owners’ personal data | TechCrunch

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft