AlphaAtlas
Some hot tubs have apps that allow users to control the tubs remotely. But security researchers from Pen Test Partners found a small security flaw in one of those implementations... apparently, there is no security. A wifi access point on the tub can be configured to act as a client accessible from the web, and the researchers were able to remotely obtain the MAC addresses of victims' hot tubs with some simple API calls. With very little effort, the researchers were able to identify about 30,000 hot tubs exposed on the web, and manipulate their temperatures or turn blowers and pumps on and off. Thanks to the BBC for reporting the security flaw.
Check out a video of the hot tub hack here.
Consumer IoT security is not in a good place. These findings underline that. Worse, the iDigi service is also used to control smart healthcare appliances. Who is to say if those were correctly secured? We emailed Balboa Water Group on 28th November, explaining the flaw and asking for an acknowledgement so that we could start responsible disclosure. We had no reply. We tried again on 30th November, asking for an acknowledgement by 10pm GMT on Friday 3rd December. Again we had no reply. We then asked the BBC if they could use their influence to elicit a response. They kindly obliged and, as if by magic, we had a response from BWG within an hour of the BBC emailing them. BWG explained to the BBC that they had not implemented user accounts for “ease of use”, and that the static password was also a conscious choice! BWG also asked for the broadcast to be delayed, for no other reason than they didn’t want to take down the API over the holiday season. Hardly compelling. They only took action when their brand was at stake, not their customers’ privacy or security, yet were happy to expose users in the meantime…