Researchers Demonstrate Hot Tub Hack


Mar 3, 2018
Some hot tubs have apps that allow users to control the tubs remotely. But security researchers from Pen Test Partners found a small security flaw in one of those implementations... apparently, there is no security. A Wi-Fi access point on the tub can be configured to act as a client accessible from the web, and the researchers were able to remotely obtain the MAC addresses of victims' hot tubs with some simple API calls. With very little effort, the researchers were able to identify about 30,000 hot tubs exposed on the web, and manipulate their temperatures or turn blowers and pumps on and off. Thanks to the BBC for reporting the security flaw.

Check out a video of the hot tub hack here.
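The summary above boils down to two design decisions: no per-user accounts and one password baked into every copy of the app, so anyone who learns a tub's identifier (its MAC) can drive it. The following is an added example, not code from the article, from Pen Test Partners or from Balboa Water Group: an in-memory model of such a "control my appliance" API in its weak form next to a hardened form with per-account credentials and an ownership check. The class and method names, the MAC addresses, the static password and the temperature limits are all hypothetical and constructed for the example.

```python
# Added example (not from the article, Pen Test Partners or Balboa Water Group):
# an in-memory model of a cloud "control my appliance" API showing what
# "no user accounts" plus one static password means, beside a hardened variant.
# MACs, names, the static password and the limits are hypothetical/constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

STATIC_APP_PASSWORD = "changeme"  # hypothetical secret shared by every copy of the app


@dataclass
class Device:
    mac: str
    owner: Optional[str]      # account the tub is paired to (None: no accounts at all)
    temperature_c: float = 38.0


class VulnerableControlApi:
    """Devices addressed by MAC; 'authentication' is one password common to all users."""

    def __init__(self, devices):
        self.devices = {d.mac: d for d in devices}

    def _check(self, password):
        if password != STATIC_APP_PASSWORD:
            raise PermissionError("bad password")

    def list_devices(self, password):
        self._check(password)
        return sorted(self.devices)  # every tub's MAC, for anyone holding the app's secret

    def set_temperature(self, password, mac, temperature_c):
        self._check(password)
        self.devices[mac].temperature_c = temperature_c  # no ownership check, no limits
        return self.devices[mac].temperature_c


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HardenedControlApi:
    """Per-account credentials; a device is reachable only via the account it is paired to."""

    MIN_C, MAX_C = 26.0, 40.0  # hypothetical server-side safety limits

    def __init__(self, devices):
        self.devices = {d.mac: d for d in devices}
        self.accounts = {}  # account id -> (salt, pbkdf2 hash)
        self.sessions = {}  # bearer token -> account id

    def register(self, account_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = (salt, _kdf(password, salt))

    def login(self, account_id, password):
        salt, stored = self.accounts.get(account_id, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _kdf(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        return token

    def _account(self, token):
        account = self.sessions.get(token)
        if account is None:
            raise PermissionError("not logged in")
        return account

    def list_devices(self, token):
        account = self._account(token)
        return sorted(m for m, d in self.devices.items() if d.owner == account)

    def set_temperature(self, token, mac, temperature_c):
        account = self._account(token)
        device = self.devices.get(mac)
        # One error for "unknown MAC" and "someone else's MAC": the API never confirms
        # which identifiers exist, so it cannot be used to enumerate other people's tubs.
        if device is None or device.owner != account:
            raise PermissionError("no such device on this account")
        if not self.MIN_C <= temperature_c <= self.MAX_C:
            raise ValueError("temperature outside the allowed range")
        device.temperature_c = temperature_c
        return device.temperature_c


def demo():
    """Run a stranger against both APIs and report what each design let them do."""
    macs = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]  # constructed
    weak = VulnerableControlApi([Device(m, None) for m in macs])
    seen = weak.list_devices(STATIC_APP_PASSWORD)             # all three tubs
    weak.set_temperature(STATIC_APP_PASSWORD, seen[0], 60.0)  # someone else's tub, 60 C

    strong = HardenedControlApi([Device(macs[0], "alice"), Device(macs[1], "bob"),
                                 Device(macs[2], "bob")])
    strong.register("alice", "alice-pw")
    strong.register("mallory", "mallory-pw")
    alice = strong.login("alice", "alice-pw")
    mallory = strong.login("mallory", "mallory-pw")
    try:
        strong.set_temperature(mallory, macs[0], 60.0)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "weak_enumerated": len(seen),
        "weak_hijacked_temp": weak.devices[seen[0]].temperature_c,
        "strong_visible_to_mallory": len(strong.list_devices(mallory)),
        "strong_blocked_mallory": blocked,
        "strong_alice_set": strong.set_temperature(alice, macs[0], 39.0),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the `demo()` result: the weak API hands a stranger all three MACs and lets them set a tub to 60 C, while the hardened API shows Mallory no devices, refuses her write with the same error it would give for a non-existent MAC, and still lets Alice set her own tub within the limits.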

Consumer IoT security is not in a good place. These findings underline that. Worse, the iDigi service is also used to control smart healthcare appliances. Who is to say if those were correctly secured?

We emailed Balboa Water Group on 28th November, explaining the flaw and asking for an acknowledgement so that we could start responsible disclosure. We had no reply. We tried again on 30th November, asking for an acknowledgement by 10pm GMT on Friday 3rd December. Again we had no reply. We then asked the BBC if they could use their influence to elicit a response. They kindly obliged and, as if by magic, we had a response from BWG within an hour of the BBC emailing them.

BWG explained to the BBC that they had not implemented user accounts for “ease of use”, and that the static password was also a conscious choice! BWG also asked for the broadcast to be delayed, for no other reason than they didn’t want to take down the API over the holiday season. Hardly compelling. They only took action when their brand was at stake, not their customers’ privacy or security, yet were happy to expose users in the meantime…
This is probably about as important as if you can hack my WiFi enabled crock pot.
Damn, I was hoping they were able to turn them into a time machine.

More like a death machine probably. Reminds me of back in the days when there was a hard-drive-destroying virus which would mess with drive heads, making them seek back and forth and the motor spin up and down, which would supposedly cause damage or extremely premature failure. Back to the internet connected hot tub, WHAT THE FUCK! Why would anyone need this nonsense. I was recently in the market for a new water boiler (seems all the women like a long hot shower/tub and it takes little effort to run out of hot water with a 40gal tank; tankless boilers suck and barely get warm) and discovered that all higher capacity ones fall into higher end model series and all that shit comes with wifi which cannot be disabled. It is pure insanity with this IoT stuff getting shoved into anything. Who the hell needs a smart wifi enabled water boiler? I mean for some devices it may have marginal use but this is absolutely nuts. Also, knowing that there's little to no security makes this whole stuff so much worse. What's even worse is that too many people don't know anything about this and get sucked into it. I however do my due effort to educate folks at a local Home Depot when I see someone looking at their demo units and such. IDK if they really do listen but at least I can give them my 2c.
It is pure insanity with this IoT stuff getting shoved into anything. Who the hell needs a smart wifi enabled water boiler?

Completely agree. But this is what happens when marketing folks get to run companies where the CEO is just as clueless.

bigwig: "We need to innovate!!"
engineer: "It's a water boiler. And we already have quick heat, insulation, earthquake proofing, etc etc"
marketer: "Let's make them SMART water boilers!!"
bigwig: "OMG YES!!"
*marketer gets bonus* *engineer gets laid off* *cybersecurity scandal*
bigwig: "We are a water boiler company not a software company."
The IoT will stumble its way into the future - we may not understand it now, but it's coming, its existence is preordained. But if you needed remote access to your hot tub you aren't getting laid anyway.
WTF, internet. Or is it companies and their shitty internet products? Connected "things" have their place, but ffs, the hot tub is not one of those places.
What next, bathtubs & toilets with WiFi??

So desu.