On June 20, a security researcher at EatonWorks disclosed a vulnerability in the software of the smart jacuzzi company Jacuzzi Brands LLC. Smart jacuzzis can connect to the internet and include a feature called "SmartTub" that lets users connect to the spa remotely.
Using SmartTub and the Android and iOS apps, the user can control the light, the jet and the filtration system, as well as set the water temperature and even send diagnostic data to the manufacturer. The service also integrates with Alexa, Google Assistant, Google Wear OS and Apple Watch.
The security problem surfaced while trying to log in to SmartTub with a password manager. The researcher was redirected to a page stating that the user was not logged in. Eaton bypassed that restriction and gained access to the site using the Fiddler web debugging proxy.
The site had an admin panel filled with user data. "I could view the details of each jacuzzi, see and even delete information about the owner of the spa," the researcher explained.
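A redirect that can be bypassed with an intercepting proxy is the signature of an access check enforced only in the browser while the backend still serves the data. The following added example (not SmartTub's or Jacuzzi's code; the routes, session tokens, roles and owner records are constructed assumptions) contrasts that weak pattern with an admin endpoint that resolves the session server-side and checks the role before reading any data.

```python
"""Illustrative comparison of a client-gated and a server-enforced admin
endpoint. Constructed example, not SmartTub code: routes, session tokens,
roles and the owner records are all assumptions."""
from dataclasses import dataclass, field
from http import HTTPStatus

# Constructed server-side session store: session token -> role.
SESSIONS = {
    "tok-admin-0001": "admin",
    "tok-user-0042": "user",
}

# Constructed admin data that must never reach an unauthorised client.
OWNER_RECORDS = {
    "spa-7": {"owner": "A. Example", "email": "a@example.invalid"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed)."""
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def handle_client_gated(req: Request):
    """Weak pattern: the server trusts a client-supplied flag and relies on
    the front end to redirect anonymous users to the login page. Anyone
    who edits the request in a proxy can set the flag and skip the
    redirect, so the admin data is effectively public.
    Returns (status, headers, body)."""
    if req.headers.get("X-Logged-In") != "true":
        # Redirect to login; nothing else protects the admin route.
        return HTTPStatus.FOUND, {"Location": "/login"}, None
    if req.path.startswith("/admin/"):
        return HTTPStatus.OK, {}, OWNER_RECORDS
    return HTTPStatus.NOT_FOUND, {}, None


def handle_server_enforced(req: Request):
    """Correct pattern: every admin route maps the session cookie to
    server-side state and checks the role before any record is read.
    Client-controlled headers play no part in the decision.
    Returns (status, headers, body)."""
    role = SESSIONS.get(req.cookies.get("session", ""))
    if role is None:
        # No valid session: deny at the API, do not just redirect the UI.
        return HTTPStatus.UNAUTHORIZED, {"Location": "/login"}, None
    if req.path.startswith("/admin/"):
        if role != "admin":
            # Authenticated but not privileged: authorisation failure.
            return HTTPStatus.FORBIDDEN, {}, None
        return HTTPStatus.OK, {}, OWNER_RECORDS
    return HTTPStatus.NOT_FOUND, {}, None


def compare(req: Request) -> dict:
    """Run one request through both handlers; returns their status codes
    so the difference between UI gating and API enforcement is visible."""
    return {
        "client_gated": int(handle_client_gated(req)[0]),
        "server_enforced": int(handle_server_enforced(req)[0]),
    }


if __name__ == "__main__":
    spoofed = Request("/admin/spas", headers={"X-Logged-In": "true"})
    print("spoofed header, no session:", compare(spoofed))
    admin = Request("/admin/spas", cookies={"session": "tok-admin-0001"})
    print("real admin session:", compare(admin))
```

The practical check on a real deployment is the same one the researcher applied, replayed defensively: request each admin API route without a session and with a non-admin session, and confirm the backend itself answers 401 or 403 rather than depending on the page to redirect.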
The researcher informed Jacuzzi Brands LLC about the problem in December 2021, and on June 4, 2022, the company fully fixed the flaw. "This is a standard IoT hack, and we can expect hundreds of thousands of such attacks in the next decade," said Roger Grimes, IT evangelist at the educational information technology company KnowBe4 Inc.