Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data

A security researcher found vulnerabilities in Jacuzzi's SmartTub interface that allowed access to the personal data of every hot tub owner. From a report: Jacuzzi's SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a 'personal hot tub assistant,' users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It's unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

'The main concern is their name and email being leaked,' Zveare told TechCrunch, adding that attackers could also potentially heat up someone else's hot tub or change the filtration cycles. 'That would make things unpleasant the next time the person checked their tub,' he said. 'But I don't think there is anything truly dangerous that could have been done -- you have to do all chemicals by hand.' Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an 'unauthorized' error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

Read more of this story at Slashdot.