June 30, 2022 in News by RBN Staff

source:  blacklistednews


Published: June 29, 2022


The Internet of things — aka the tendency to bring Internet connectivity to devices whether they need them or not — has provided no shortage of both tragedy and comedy. “Smart” locks that are easy to bypass, “smart” fridges that leak your email credentials, or even “smart” barbies that spy on toddlers are all pretty much par for the course in an industry with lax privacy and security standards.

Even your traditional hot tub isn’t immune from the stupidity. Hot tub vendor SmartTub thought it might be nice to control your hot tub from your phone (because walking to the tub and quickly turning a dial is clearly too much to ask).

But like so many IOT vendors more interested in the marketing potential than the reality, they allegedly implemented it without including basic levels of security standards for their website administration panel, allowing hackers to access and control hot tubs, all over the planet. And not just SmartTub brands, but numerous brands from numerous manufacturers, everywhere:

Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user. They were in, and could see a wealth of information about Jacuzzi owners from around the world. “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “Please note that no operations were attempted that would actually change any data. Therefore, it’s unknown if any changes would actually save. I assumed they would, so I navigated carefully.”

Security researcher EatonWorks documented all of his findings here. Again, not everything needs to have Internet functionality, and often dumb tech is the smarter option. Especially not if you’re not willing to take the time and money needed to do it correctly.