IoT weaknesses leave hot tub owners in deep water
For decades hot tubs were simple water-bearing garden luxuries that owners looked forward to relaxing in of an evening.
More recently, manufacturers started adding exciting Internet of Things (IoT) features that product marketing departments worked themselves into a lather promoting as the next must-have.
These IoT-enabled hot tubs look identical to the old ones except that owners can now remotely adjust things such as water temperature using a smartphone app.
No prizes for guessing what’s coming next – according to UK security outfit Pen Test Partners, it looks as if at least one hot tub maker left robust security off the to-do list.
In a video filmed from a hot tub, founder Ken Munro explains how his company was tipped off to look more closely at the authentication design of the app used to control hot tubs or spas made by Balboa Water Group (BWG).
What they found reads like a useful definition of how not to do IoT security.
The app communicates directly with a Wi-Fi interface on the company’s hot tubs, or over the internet using an API. The access point (AP) built into the tub…
…is open, no PSK [pre-shared key], so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.
And that’s not all. The API has no authentication of its own: it talks to a cloud service called iDigi using a static password, and reaching a specific tub requires nothing more than an ID, which turns out to be… a padded version of the tub’s Wi-Fi access point MAC address! Put together, that means anyone who knows (or can guess) a tub’s MAC address can address it over the internet.
Sniffing out Wi-Fi networks is easy and popular – so easy and so popular that giant databases and maps of the globe with MAC addresses plotted on them are just a click away. And, as anyone who’s used Google’s Location Services will know, Wi-Fi networks can be used for geo-location very effectively too.
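To make the two preceding points concrete, here is an added example (not Pen Test Partners’ or Balboa’s code) contrasting a device ID derived from the access point MAC with a provisioning scheme that gives each device a random ID and a server-held secret. The exact padding rule, the helper names and the sample MAC addresses are assumptions for illustration; the article only says the real ID is “a padded version” of the MAC.

```python
"""
Added example: why a cloud device ID derived from a Wi-Fi MAC address is
guessable, and what a design that does not leak the ID looks like.
Padding rule, function names and sample MACs are assumptions, not the
vendor's real scheme.
"""
import hashlib
import hmac
import secrets


def normalise_mac(mac: str) -> str:
    """Strip ':' or '-' separators and lower-case a MAC such as 'AA:BB:CC:11:22:33'."""
    hexmac = mac.replace(":", "").replace("-", "").lower()
    if len(hexmac) != 12 or any(c not in "0123456789abcdef" for c in hexmac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexmac


def weak_device_id(mac: str) -> str:
    """
    Weak scheme (hypothetical padding): the cloud ID is the MAC zero-padded to
    16 hex digits. Anyone who has seen the AP's BSSID, e.g. in a public
    wardriving database, can compute the ID and address the device.
    """
    return normalise_mac(mac).zfill(16)


def weak_ids_for_oui(oui: str, count: int) -> list:
    """
    Enumerate the first `count` candidate IDs for one vendor prefix (OUI).
    A vendor's whole address block is only 2**24 devices, so even without a
    wardriving hit the ID space can be swept blind.
    """
    base = int(normalise_mac(oui + ":00:00:00"), 16)
    return [f"{base + i:016x}" for i in range(count)]


class Registry:
    """
    Hardened scheme: at provisioning the server mints a random 128-bit ID and a
    32-byte secret per device. The ID reveals nothing about the hardware, and
    requests must carry an HMAC under the secret, so knowing the MAC is useless.
    """

    def __init__(self) -> None:
        self._secrets = {}  # device_id -> secret (server side only)

    def provision(self):
        device_id = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._secrets[device_id] = secret
        # In a real product the ID/secret would be delivered to the owner's app
        # over a local pairing step, never derived from anything observable.
        return device_id, secret

    def authorise(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        """Accept a request only if its tag is a valid HMAC-SHA256 of the nonce."""
        secret = self._secrets.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sign_request(secret: bytes, nonce: bytes) -> bytes:
    """Client side: tag a request nonce with the device secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    mac = "AA:BB:CC:11:22:33"  # constructed sample MAC
    print("weak id from MAC:", weak_device_id(mac))
    print("first guesses for OUI AA:BB:CC:", weak_ids_for_oui("AA:BB:CC", 3))
    reg = Registry()
    dev_id, dev_secret = reg.provision()
    nonce = secrets.token_bytes(16)
    print("valid tag accepted:", reg.authorise(dev_id, nonce, sign_request(dev_secret, nonce)))
    print("MAC-derived id rejected:", reg.authorise(weak_device_id(mac), nonce, b"x" * 32))
```

The weak scheme fails even if the cloud password were not static, because the identifier doing the work of a credential is something the tub broadcasts in every Wi-Fi beacon. The hardened registry separates identity (random, unguessable) from proof of possession (the HMAC under a per-device secret), which is the property the article’s design lacks.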
Would you mind if anyone could locate your hot tub on a map? Perhaps not, but most users would mind some of the other security problems revealed by this app.
At this point, the researchers decided to coin a special name for this kind of device – the “hackuzzi” (in honour of the US brand Jacuzzi, which is unaffected by this vulnerability).