For decades hot tubs were simple water-bearing garden luxuries that owners looked forward to relaxing in of an evening.
More recently, manufacturers started adding exciting Internet of Things (IoT) features that product marketing departments worked themselves into a lather promoting as the next must-have.
These IoT-enabled hot tubs look identical to the old ones except that owners can now remotely adjust things such as water temperature using a smartphone app.
No prizes for guessing what’s coming next – according to UK security outfit Pen Test Partners, it looks as if at least one hot tub maker left robust security off the to-do list.
In a video filmed from a hot tub, founder Ken Munro explains how his company was tipped off to look more closely at the authentication design of the app used to control hot tubs or spas made by Balboa Water Group (BWG).
What they found reads like a useful definition of how not to do IoT security.
The app communicates directly with a Wi-Fi interface on the company’s hot tubs, or over the internet using an API. The access point (AP) built into the tub…
…is open, no PSK [pre-shared key], so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.
And that’s not all – the API has no authentication but connects to a cloud service called iDigi, which uses a static password. Reaching out to a specific tub requires an ID, and that turns out to be… a padded version of the Wi-Fi access point’s MAC address!
Sniffing out Wi-Fi networks is easy and popular – so easy and so popular that giant databases and maps of the globe with MAC addresses plotted on them are just a click away. And, as anyone who’s used Google’s Location Services will know, Wi-Fi networks can be used for geo-location very effectively too.
Would you mind if anyone could locate your hot tub on a map? Perhaps not, but most users would mind some of the other security problems revealed by this app.
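The three design faults described above (open AP, unauthenticated API with a static cloud credential, device ID derived from the AP's MAC) are the kind of thing a pre-release design review should catch. The following added example, not Balboa's or Pen Test Partners' code, runs those checks over a constructed configuration and shows a corrected variant; the config layout, MAC and padding format are assumptions for illustration.

```python
import re
import secrets

def _norm(value: str) -> str:
    """Lower-case and drop separators ('AA:BB' -> 'aabb') for comparison."""
    return re.sub(r"[^0-9a-z]", "", value.lower())

def id_derived_from_mac(device_id: str, mac: str) -> bool:
    """True when the AP's MAC (12 hex digits) appears inside the device ID,
    e.g. a zero-padded MAC: whoever sees the AP's BSSID can rebuild the ID."""
    mac_hex = _norm(mac)
    return len(mac_hex) == 12 and mac_hex in _norm(device_id)

def review(config: dict) -> list[str]:
    """Apply the design checks and return the findings (empty means none)."""
    ap, api, findings = config["access_point"], config["api"], []
    if ap.get("security", "open") == "open" or not ap.get("psk"):
        findings.append("AP is open (no PSK): anyone in radio range can join and send commands")
    if not api.get("requires_auth"):
        findings.append("API accepts control commands without authentication")
    if api.get("cloud_password_shared_across_devices"):
        findings.append("cloud service credential is static and shared by every device")
    if id_derived_from_mac(config["device_id"], ap["mac"]):
        findings.append("device ID is a padded AP MAC, so it is recoverable from a Wi-Fi scan")
    return findings

def hardened(config: dict) -> dict:
    """Corrected copy of a config: WPA2 with a random PSK, authenticated API,
    per-device cloud credential, and a random device ID unrelated to the MAC."""
    ap = dict(config["access_point"], security="wpa2-psk", psk=secrets.token_urlsafe(24))
    api = {"requires_auth": True, "cloud_password_shared_across_devices": False}
    return {"device_id": secrets.token_hex(16), "access_point": ap, "api": api}

# Constructed sample mirroring the article's findings; MAC, ID and padding are made up.
WEAK = {
    "device_id": "0000" + "02abcdef1234",  # a "padded" copy of the AP MAC below
    "access_point": {"mac": "02:AB:CD:EF:12:34", "security": "open", "psk": ""},
    "api": {"requires_auth": False, "cloud_password_shared_across_devices": True},
}

if __name__ == "__main__":
    for finding in review(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", review(hardened(WEAK)))
```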
At this point, the researchers decided to coin a special name for this kind of device – the “hackuzzi” (in honour of the US brand Jacuzzi, which is unaffected by this vulnerability).
In hot water
Now for the pièce de résistance – fiddling with the water temperature.
According to the researchers, this might not be dangerous per se but would allow a hacker to cause the tub to consume excessive electricity or to make it unusably cold. It’s also possible to control the blowers or water spouts:
Blowers are also only turned on when someone is in the tub, so the hacker can figure out if you’re in the tub at the time. Creepy.
There is a serious side to this finding beyond the woeful IoT security of a product used to control an estimated 26,000 hot tubs. When Pen Test Partners contacted Balboa it received no response until the BBC contacted them in advance of a TV feature on the story.
Pen Test Partners claimed that BWG asked for the Christmas broadcast to be delayed to allow for the holidays.
Said Pen Test Partners:
It’s yet another example of an IoT disclosure train wreck.
Until the app and/or API is updated, their advice for owners is not to use the remote control function and, if really worried, to physically remove the Wi-Fi module that enables it.
Hopefully, Balboa will offer an update soon. However, given that the most recent update for the Android version (v2.2.7) was in July 2013 it’s probably best to assume this might not be imminent.
Kurt S
Hot Tub IoT? WTF????? How stupid do the manufacturers think their customers are? Oh, wait, that is way too rhetorical isn’t it. After all there are IoT equipped dildos on the market. Sheesh.
Who Am I?
I apologize in advance. It sounds like they are in hot water…unless hackers turn off the hot tub.
Anon
IoT is the next social media. Lots of hype, very little practical value, huge drain on resources (time/emotional health for social media users, Internet bandwidth for all due to DDoS with IoT devices), and mostly only serves to cause problems and privacy breaches. Why do people use these things again?
David
What always gets me about these issues is not that some business weasel thinks they can profit from this nonsense, it’s that the consumers keep racing to it. Control your hot tub from your phone, WHY? so you can set the temperature from 1200 miles away??? What’s wrong with just adjusting that knob on the control panel NEXT TO the TUB? Same for “Smart” thermostats. Can you imagine a very occasional scenario where you’re flying back into town & would like the house nice and toasty when you arrive? Perhaps. But given the expense of these devices relative to the conventional ones, and factoring in the significant risks, regarding security and otherwise, clearly the negatives exceed the positives. I’ve gotten to the point where I look askance at ANYTHING bearing the word “SMART.” Never ceases to amaze me what the average consumer falls for.
Tim Clark
Having Internet access to control your hot tub is quite sensible and once you have it is invaluable. You want a nice soak when you get home so you turn on your hot tub remotely when you leave work and it is ready for you when you arrive home. That is a wonderful feature.
dakinbear
I use my sauna more with IoT than I ever did before. That may be pure laziness, but having to walk outside to turn it on was enough added inconvenience that I didn’t use it much. Since getting it IoT enabled, I use it every day. If that’s representative of any statistical portion of the population, that’s good news for the sauna and spa makers who want people to not just buy, but actually use, their products. I now start the sauna while reading to my kids, knowing it will be ready when I am done and they pretend to go to sleep. I can imagine plenty of people do the same from their cars while driving home.