Revealed: Thousands of hot tubs can be HACKED and controlled remotely by smartphone or laptop because of a hole in their online security
- Hot tubs controlled by a smartphone app that requires no password can be taken over remotely by strangers
- Criminals could even guess whether a homeowner is in their house or in their tub by watching whether the jets have been activated
- Firm behind flawed security system has promised a fix within two months
A security flaw in ‘smart’ hot tubs could leave thousands of owners vulnerable to having the temperature of their relaxing soak controlled by unknown hackers.
Homeowners could even be at increased risk of a break-in, as criminals watching how the hot tub is being used, or whether the jets have been activated, could work out whether the owner is inside their home or out in their jacuzzi.
Researchers showed BBC Click how an attacker could make some tubs, controlled by an unsecured smartphone app, hotter or colder, and view and control the pumps and lights via a laptop or smartphone.
The tubs, built by Balboa Water Group (BWG), can be controlled remotely with an app which requires no password. The tubs’ wi-fi access points also appear in third-party wi-fi databases, complete with the GPS coordinates at which they were recorded, so hackers can home in on specific tubs by location.
Hot tubs controlled by a non-password-secured smartphone app can be hacked remotely (stock photo)
BWG has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.
Pen Test Partners – the UK security company that carried out the research – warned hot tubs were not the only household items at risk.
Founder Ken Munro said many of the gifts people might have received yesterday on Christmas Day would connect to the internet and offer remote control through apps which were insufficiently secure.
‘Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant,’ he said.
‘We recommend users reset any default passwords the device has immediately with a unique one of their own.’
Researchers found that information on public resources, known as ‘wardriving databases’, could be used to locate and hijack the hot tubs without the need for any other kind of authentication.
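The two paragraphs above describe the chain of the attack: a control interface with no password, plus a public wardriving database that records every wi-fi network a passing phone or laptop has heard, together with a GPS fix. The following is an added example written for this page, not code from the article or from Pen Test Partners, showing how such a database export turns an anonymous, unauthenticated device into one tied to a street address. The CSV export format, the records in it and the SSID prefix `HOTTUB-` are all constructed assumptions, not the real product’s naming scheme.

```python
"""Added example: geolocating target devices from a wardriving-style export.

Assumptions (not from the article): the export is CSV with columns
ssid,bssid,lat,lon, and the product broadcasts SSIDs beginning 'HOTTUB-'.
All records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class APRecord:
    ssid: str
    bssid: str
    lat: float
    lon: float


# Constructed sample of a wardriving database export: every access point a
# passing device logged, with the GPS fix of where it was heard.
SAMPLE_EXPORT = """\
ssid,bssid,lat,lon
HOTTUB-1A2B3C,00:11:22:33:44:55,51.5074,-0.1278
CoffeeShop,66:77:88:99:AA:BB,51.5080,-0.1280
HOTTUB-9F8E7D,00:11:22:33:44:66,53.4808,-2.2426
hottub-0000ff,00:11:22:33:44:77,55.9533,-3.1883
"""


def parse_export(text: str) -> list[APRecord]:
    """Parse ssid,bssid,lat,lon rows (first line is the header)."""
    records = []
    for row in text.strip().splitlines()[1:]:
        ssid, bssid, lat, lon = row.split(",")
        records.append(APRecord(ssid, bssid, float(lat), float(lon)))
    return records


def find_devices(records: list[APRecord], ssid_prefix: str) -> list[APRecord]:
    """Keep only access points whose SSID marks them as the target product.

    Matching is case-insensitive: the database stores whatever the device
    broadcast, and firmware revisions do not always agree on capitalisation.
    """
    prefix = ssid_prefix.lower()
    return [r for r in records if r.ssid.lower().startswith(prefix)]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two GPS fixes."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def nearest_device(records: list[APRecord], lat: float, lon: float):
    """Return (record, distance_km) for the device closest to a known address.

    This is the 'home in on a specific tub' step: with a street address the
    attacker already knows, the database answers which BSSID lives there.
    """
    if not records:
        return None
    return min(
        ((r, haversine_km(lat, lon, r.lat, r.lon)) for r in records),
        key=lambda pair: pair[1],
    )


if __name__ == "__main__":
    tubs = find_devices(parse_export(SAMPLE_EXPORT), "HOTTUB-")
    print(f"{len(tubs)} candidate devices in export")
    hit = nearest_device(tubs, 51.5075, -0.1279)  # constructed target address
    if hit is not None:
        rec, km = hit
        print(f"closest: {rec.ssid} ({rec.bssid}) at {km * 1000:.0f} m")
```

The lookup needs no interaction with the device at all; the only thing that stops it from being useful to an attacker is authentication on the control interface itself, which is why the fix BWG describes below (per-owner usernames and passwords) addresses the problem while merely renaming the wi-fi network would not.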
But BWG said its app had been available for five years during which users had not reported any problems, adding it was ‘surprised’ to learn of the flaw. It said it was working with more than 1,000 owners in the UK and globally to set up a system of individual usernames and passwords to secure the online controls.
It had previously opted not to do so because it had wanted to ‘allow for simple and easy use and activation’ by homeowners, the company said.
Mr Munro said this had been ‘irresponsible’, adding: ‘It takes away consumer choice and it takes away users’ right to privacy and security’.
He acknowledged that it was not the most serious internet-of-things (IoT) vulnerability in the world, but said it was still worth bringing to the public’s attention.
‘Blowers are only turned on when someone is in the tub, so a hacker could figure out if you’re in the tub at the time, which is creepy,’ he explained.
‘Consumer IoT security is not in a good place. These findings underline that.’