Hot tubs used to be a great way to relax. Of course, like everything else lately, designers decided you needed to be able to control your hot tub with your smartphone. I’m sure you can imagine how that’s going. In fact, it’s so bad that 26,000 hot tubs made by Balboa Water Group, or BWG, that have these features are being called “Hackuzzis.” [Note: The actual Jacuzzi brand does not have this vulnerability.]
How Exactly Can This Be Hacked?
Like many other things, there’s an app for running the hot tub. It communicates with a Wi-Fi interface on the hot tub itself, or even via the internet if you aren’t home. Here’s the kicker: The access point in the tub is wide open. No pre-shared key, nothing.
Sure, each tub has its own ID, but that “turns out to be…a padded version of the Wi-Fi access point’s MAC address!” A little work on wigle.net, and you can get that too.
Stripping away the tech speak, here’s what that breaks down to: Anyone can control your hot tub.
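Why an ID built from the MAC address is not a credential, shown as an added example that is not from the original article or from Balboa's code. The padding scheme, the sample BSSID, all function and class names, and the HMAC-based alternative are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a BSSID, which every Wi-Fi beacon frame broadcasts.
SAMPLE_BSSID = "00:11:22:AA:BB:CC"


def weak_device_id(bssid: str) -> str:
    """Hypothetical padding: MAC hex digits zero-padded to 16 characters.
    The article only says the ID is 'a padded version' of the MAC."""
    return bssid.replace(":", "").upper().rjust(16, "0")


def weak_authorize(claimed_id: str, bssid: str) -> bool:
    # The "secret" can be recomputed from a public value, so this gate
    # accepts anyone who has seen the access point's MAC address.
    return claimed_id == weak_device_id(bssid)


class PairedDevice:
    """Hardened alternative (assumed design): a random per-device key set
    at pairing, and an HMAC over a fresh counter plus the command."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # never broadcast, never derived
        self.last_counter = 0

    def sign(self, counter: int, command: str) -> str:
        msg = f"{counter}|{command}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def authorize(self, counter: int, command: str, tag: str) -> bool:
        if counter <= self.last_counter:  # reject replayed commands
            return False
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(tag, self.sign(counter, command)):
            return False
        self.last_counter = counter
        return True
```

The weak check passes for any caller who knows the MAC, while the paired device rejects both a replayed tag and the MAC-derived ID presented as a tag.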
Ken Munro of Pen Test Partners explains while sitting in one of the hackable tubs:
Okay, Why Should I Care?
The average person might scoff at this. Who cares, right? It’s a hot tub. People have better things to hack. But let’s look at the “why” for a moment. If I hacked your hot tub, what could I accomplish?
- Temperature control. I can keep it too cold to use, or completely maxed out hot. Maybe you’re using your hot tub as a form of physical therapy. Have I now affected your physical health? Mobility? Effectiveness?
- Knowing your schedule and/or location; if the app says your hot tub jets are on, you’re probably in it. Is your guard up or down while you’re in your hot tub with your eyes closed?
- I can force it to use excessive electricity, turning on jets/spouts/waterfalls/pumps. Now I’m messing with your finances too by running your power bill through the roof. How many things does that affect?
Is it going to ruin your life if someone gets into your hot tub? No. Could it cause you financial loss and possibly physical injury? Absolutely. Could it be an absolute pain in your side that causes disruption? Yes.
What’s Being Done About It?
After penetration testers were tipped off about the problem, they did what they were supposed to: notify the manufacturer, Balboa Water Systems. The company asked Pen Test not to release the information publicly until after Christmas. Gotta make sure to get those holiday sales.
BWG told the BBC that it had been “surprised” to learn of the flaw as its app had been available for five years during which users had not reported any problems.
Sure they were surprised. I bet they were just blown away. /sarcasm
Balboa says it’ll release something to fix this by February and people shouldn’t use the app in the meantime.
Until an app and/or API is updated, their advice for owners is not to use the remote control function and, if really worried, to physically remove the Wi-Fi module enabling it.
Hopefully, Balboa will offer an update soon. However, given that the most recent update for the Android version (v2.2.7) was in July 2013, it’s probably best to assume this might not be imminent.
I Don’t Have a Hot Tub So…Again, Why Should I Care?
The Internet of Things, or IoT, is beyond staggering. Remember when people thought it was so great that you could find an app for everything from finances to medical symptoms, controlling lights and security cameras, etc? It’s actually not great. All the IoT devices do is link you into the massive surveillance network. If it can connect to the internet, it can be hacked — and in some cases, even computers NOT connected to the internet can be hacked (see the work on air-gapped machines).
Just because you don’t own a hot tub doesn’t mean you don’t own any devices that can connect to the internet of things. It’s seemingly impossible to buy new kitchen appliances without the technology. Washers and dryers, barbeque grills, Bluetooth temp sensors for the food ON the grill; you name it, there’s a Wi-Fi/Bluetooth-enabled variety. Home security system Ring even had problems in 2016 because it was…you guessed it…hackable. Then there are the smartkey locks. Watches, light fixtures, the list goes on and on and on. There’s a certain irony in the idea that someone can get into your Wi-Fi-enabled security system for your home and see what you see. If an adversary got into your Ring system, what could they determine? A lot.
The Internet of Things has been hailed as easy to hack. In fact, Israeli researchers found last year that most IoT devices can be hacked within 30 minutes and added to a botnet. What can they use the botnet for? All sorts of things.
“We investigated 16 different devices—baby monitors, doorbells, cameras, temperature sensors, [etc.] And out of these 16 devices, we were able to find the password for 14 of them. So, that’s a good percentage. What we did is we took these cameras apart in our lab and we looked for what is called a debug port. This is a connector, which developers and engineers use when they are building this camera to make sure it’s built properly. And because it’s very expensive to print out a new circuit board once you’re finished developing, all of these cameras actually had these debug ports still in the hardware. Once you connect to there, you have backstage access to the camera. Sometimes, there is a password you need to crack, so we had to do that.”
The big picture is even more concerning.
“Right now, devices you are buying today are very, very easy to attack and the problem is that once you attack it once, all of these devices can be attacked remotely. So you only need to do this one time—this process of taking them apart. And one problem, a big problem, with IoT devices when you compare them to computers and phones is that these devices are mostly going to be installed in some corner, in some alley, in some doorway, and not touched for 10 or 20 years. Think of street lights or traffic lights. And this means that you might be still using these devices after their manufacturer has gone out of business and nobody will ever issue firmware updates. You compare this to phones, where you find a vulnerability and the next week later, your phone restarts and voila, it’s patched. So, these devices are going to be here to stay and this means that probably consumers or network providers or something are going to be responsible for keeping these devices secure. This is very concerning based on what consumers have been able to demonstrate so far.”
And let’s not even get into Alexa.
For more information on the IoT threat, check out this article from Dark Reading.