A security researcher discovered vulnerabilities in Jacuzzi's SmartTub web interface that allowed access to the personal data of hot tub owners.
Like most Internet of Things (IoT) products, Jacuzzi's SmartTub lets users connect remotely to their hot tub through a companion Android or iPhone app. The application is positioned as a "personal assistant in the hot tub": users can control the water temperature, turn the jets on and off, and change the lighting.
But as documented by hacker Eaton Zveare, the same interface could also be used by attackers to access personal information about hot tub owners around the world, including their names and email addresses. It is unclear how many users are potentially affected, but the SmartTub app has been downloaded more than 10,000 times on Google Play.
Zveare first noticed the problem when he tried to log in through the SmartTub web interface, which relies on the third-party identity provider Auth0, and found that the login page returned an "unauthorized" error. For the briefest moment before that error appeared, however, a full admin panel filled with user data was rendered on his screen.
"Blink and you'll miss it. I had to use a screen recorder to capture it," Zveare said. "I was surprised to find that it was an admin panel filled with user data. Looking at the data, you can see information about several brands, and not just from the US." The data covered several other hot tub brands, including Sundance Spas, D1 Spas and ThermoSpas.
Zveare then set out to bypass the restriction and gain full access. Using Fiddler, an intercepting proxy, he modified the response that told the web application whether the logged-in account was an administrator or a regular user. The bypass worked, which means the restriction was being enforced only in the browser rather than by the backend, and Zveare gained full access to the admin panel.
"Once I logged into the admin panel, I saw the staggering amount of data I had access to. I could view the details of each spa, see its owner, and even remove its ownership," he said. "It would be trivial to create a script to load all user information. Perhaps it has already been done."
The situation worsened when Zveare discovered a second admin panel while examining the Android app's source code. That panel let him view and change product serial numbers, view a list of licensed hot tub dealers, and view production logs.
Zveare contacted Jacuzzi to report the vulnerabilities, sending the initial notification just hours after discovering them on December 3. Three days later he received a reply asking for more details, but after a month without further communication he enlisted the help of Auth0, which shut down the vulnerable SmartTub admin panel. The second admin panel was eventually fixed on June 4, although Jacuzzi never officially confirmed that it had resolved the issues.
"After several attempts at contact via three different Jacuzzi/SmartTub email addresses and Twitter, no dialogue was established until Auth0 intervened," Zveare said. "Even then, communication with Jacuzzi/SmartTub ended up completely ceasing, with no official conclusion or confirmation that they had fixed all of the problems identified."
As Zveare points out, Jacuzzi is a company registered in California, which has both data breach notification and IoT security laws. The latter requires manufacturers of connected devices to equip every such device sold or offered for sale in California with "reasonable security feature[s]", particularly devices that may be directly or indirectly connected to the Internet.
TechCrunch has reached out to Jacuzzi for comment, but the company has not responded.
Credit: techcrunch.com