A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to every hot tub owner’s personal data.
Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” the app lets users control water temperature, turn jets on and off, and change lights.
But as documented by hacker Eaton Zveare, this functionality can also be misused by threat actors to access personal information of hot tub owners around the world, including their names and email addresses. It’s not clear how many users were potentially affected, but the SmartTub app has been downloaded more than 10,000 times on Google Play.
Zveare first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “Unauthorized” error. But for the briefest moment Zveare saw the full admin panel with user data flash on his screen.
“Blink and you’ll miss it. I had to use a screen recorder to capture it,” said Zveare. “I was surprised to find that it was an admin panel full of user data. Looking at the data, there is information for several brands, not just from the US.” The data covered various Jacuzzi brands including Sundance Spas, D1 Spas and ThermoSpas, among others.
Zveare then attempted to bypass the restrictions and gain full access. He used a tool called Fiddler to intercept and modify some of the code, which told the website that he was an administrator rather than a normal user. The bypass was successful, allowing Zveare to fully access the admin panel.
“Once in the admin panel, the amount of data I was allowed to [access] was astonishing. I could see the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all the user information. It is possible that this has already been done.”
Things got worse when Zveare, reviewing the Android app’s source code, discovered a second admin panel that allowed him to view and modify products’ serial numbers, view a list of licensed hot tub dealers, and view manufacturing logs.
Zveare contacted Jacuzzi to alert them to the vulnerabilities, beginning with an initial notification just hours after the flaw was discovered on December 3. Zveare received a response asking for more details three days later. But after a month of no further communication, Zveare enlisted the help of Auth0, which shut down the vulnerable SmartTub admin panel. The second admin panel was finally fixed on June 4, despite no formal acknowledgment from Jacuzzi that they had addressed the issues.
“After three different Jacuzzi/SmartTub email addresses and multiple contact attempts via Twitter, a dialogue was not established until Auth0 stepped in,” Zveare said. “Nevertheless, communication with Jacuzzi/SmartTub eventually ceased entirely, without any formal conclusion or acknowledgment that they have addressed all reported issues.”
As Zveare noted, Jacuzzi is covered by the laws of California, which has both data breach notification and Internet of Things security laws. The latter requires manufacturers of connected devices to equip all such devices sold or offered for sale in California, specifically devices capable of connecting directly or indirectly to the Internet, with a “reasonable security feature[s]”.
Meczyki.Net contacted Jacuzzi for comment, but the company did not respond.