A security researcher has found vulnerabilities in Jacuzzi’s SmartTub web interface that allow access to the personal data of every hot tub owner who uses the service. SmartTub is Jacuzzi’s Internet of Things (IoT) feature: it connects a hot tub to the internet so that owners can operate it remotely through a companion Android or iPhone app.
What is SmartTub?
SmartTub lets users control their hot tub from anywhere: set the water temperature, switch the jets on and off, and change the lighting. Jacuzzi markets it as a ‘personal hot tub assistant’ that makes managing the tub easier.
Vulnerabilities in SmartTub
Security researcher Eaton Zveare found that the SmartTub web interface had several flaws that let an attacker reach the personal data of hot tub owners:
- Unauthorized Access: Zveare was able to get into the admin panel of the SmartTub web interface without being an administrator. The panel holds sensitive information about hot tub owners.
- Data Exposure: the same panel also listed licensed hot tub dealers and manufacturing logs, information an attacker could use to impersonate a dealer or to target specific customers.
How Zveare Discovered the Vulnerabilities
Zveare found the flaws while trying to log in to the SmartTub web interface, which uses the third-party identity provider Auth0 for sign-in. After authenticating, the page showed an ‘unauthorized’ error, but for a brief moment before the error appeared he saw the full admin panel, already populated with user data, flash on his screen. That flash was the tell: the data had been fetched before the site decided he was not allowed to see it, which meant the access decision was being made in the browser.
Bypassing Restrictions
Zveare then used Fiddler, a web debugging proxy that sits between the browser and the server and lets you intercept and edit the traffic, to modify the code that told the web app which role he had, so that the interface treated him as an admin rather than an ordinary user. That was enough to bypass the restriction and obtain full access to the admin panel: the role check lived in client-side code the user controls, and the backend did not independently verify that the caller was an administrator before serving the data.
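The pattern described above, reduced to a few functions as an added illustration (this is not code from the page, from Zveare’s writeup or from Jacuzzi): a single-page app that decides whether to render the admin view from a profile document the server returns, an intercepting-proxy step that rewrites that document in flight, and an admin data endpoint in a vulnerable and a hardened form. The session store, tokens, owner rows and the shape of the profile document are all constructed for the example; the page does not describe SmartTub’s real endpoints or data formats.

```javascript
// Added example: client-side role gating versus server-side authorization.
// Everything here (session store, tokens, owner rows, profile shape) is
// constructed for illustration and is not SmartTub's real implementation.

// Server-side session store: the only place a role should be trusted from.
const SESSIONS = new Map([
  ['tok-owner-1', { userId: 'u1', role: 'user' }],
  ['tok-admin-9', { userId: 'u9', role: 'admin' }],
]);

// Constructed sample rows of the kind an owners admin panel would list.
const OWNERS = [
  { name: 'Owner One', email: 'one@example.com', serial: 'SN-0001' },
  { name: 'Owner Two', email: 'two@example.com', serial: 'SN-0002' },
];

// After login the server hands the SPA a profile document derived from the session.
function profileFor(token) {
  const s = SESSIONS.get(token);
  return s ? JSON.stringify({ userId: s.userId, role: s.role }) : null;
}

// Client-side gate: the SPA renders the admin view if the profile says 'admin'.
// This runs in the browser, so it is entirely under the user's control.
function spaShowsAdminPanel(profileJson) {
  return JSON.parse(profileJson).role === 'admin';
}

// Intercepting-proxy step (what a tool like Fiddler lets you do): rewrite the
// response body before the SPA ever sees it.
function tamperProfile(profileJson, newRole) {
  const p = JSON.parse(profileJson);
  p.role = newRole;
  return JSON.stringify(p);
}

// Vulnerable endpoint: assumes only the admin view ever calls it, so it merely
// checks that the caller is logged in at all.
function adminOwnersVulnerable(req) {
  const s = SESSIONS.get(req.token);
  if (!s) return { status: 401, body: null };
  return { status: 200, body: OWNERS };
}

// Hardened endpoint: authorization is re-derived from the server-side session on
// every request; the client's idea of its own role is never consulted.
function adminOwnersHardened(req) {
  const s = SESSIONS.get(req.token);
  if (!s) return { status: 401, body: null };
  if (s.role !== 'admin') return { status: 403, body: null };
  return { status: 200, body: OWNERS };
}

// An ordinary owner rewrites their own profile to 'admin' through the proxy,
// the SPA unlocks the admin view, and the view calls the data endpoint.
function attackerFlow(endpoint) {
  const token = 'tok-owner-1';
  const tampered = tamperProfile(profileFor(token), 'admin');
  const panelVisible = spaShowsAdminPanel(tampered); // true in both designs
  const resp = endpoint({ token });
  return { panelVisible, status: resp.status, rows: resp.body ? resp.body.length : 0 };
}

console.log('vulnerable:', attackerFlow(adminOwnersVulnerable));
console.log('hardened:  ', attackerFlow(adminOwnersHardened));
```

In both designs the tampered profile makes the browser draw the admin view; the difference is that the hardened endpoint answers 403 and returns no rows, because the role it checks comes from the server’s own session record rather than from anything the client sent. Rendering decisions in the client are a usability feature, not an access control.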
Accessing Sensitive Information
Once inside the admin panel, Zveare could view sensitive information about every hot tub owner, including names and email addresses. While reviewing the source code of the Android app he also found a second admin panel, which let him view and modify the serial numbers of products.
Reporting the Vulnerabilities
Zveare contacted Jacuzzi to report the flaws but did not receive a response for several weeks. He then enlisted the help of Auth0, which reached out to Jacuzzi and got it to shut down the vulnerable SmartTub admin panel.
Impact on Hot Tub Owners
The flaws matter for everyone who uses SmartTub. A list of every owner’s name and email address is ready-made material for targeted phishing and impersonation, and a panel that can change product serial numbers lets an attacker tamper with the records that identify each tub.
Recommendations for Jacuzzi
To prevent similar flaws in the future, Jacuzzi should:
- Conduct Regular Security Audits: review the web interface, the mobile apps and the backend APIs regularly so that flaws like these are found and fixed before attackers find them.
- Enforce Authorization on the Server: never let the client decide what a user may see; every backend endpoint that serves owner or dealer data should check the caller’s role itself, from a session or token the server controls, regardless of what the app in the browser asks for.
- Provide Clear Instructions: tell users how to use SmartTub securely, including how to change their password and enable two-factor authentication. This protects individual accounts from takeover but is not a substitute for the server-side checks above; a stronger login would not have stopped this bypass, since Zveare was already logged in.
Conclusion
The SmartTub flaws are a reminder that an IoT product’s security rests on its cloud backend as much as on the device: remote control of a hot tub is only as safe as the web app and APIs behind it. By finding and fixing such flaws proactively, and by keeping access decisions on the server, Jacuzzi can prevent a repeat and protect the personal data of hot tub owners.