Just when you thought it was safe to go back in the water (closet)!


So many vulnerabilities are just Sturm und Drang, often with a fair bit of hyperbole and fin de si├Ęcle pretension stirred in.

From Windows kernel bugs that will surely stop the world (though they haven’t yet); through blogging platform holes that give the bad guys temporary residency on your server; to a code verification bypass that lets crooks “borrow” both your goodwill and your digital signature to legitimise their dodgy Android apps, and then another one

You’d be forgiven for wondering if there are ever any exploitable vulnerabilities that aren’t doomy-and-gloomy, and at which you are allowed an uncomplicated chuckle.

I am pleased to tell you that the chaps at Trustwave have found one!

Just when you thought it was safe to go back in the water closet, along comes TWSL2013-020.

It’s no less than a Vulnerability in The LIXIL Satis Toilet!

Let’s be serious for a moment.

This is a regrettable vulnerability from which we can all learn:

  1. An Android app to control the toilet reveals a hard-wired Bluetooth pairing PIN.
  2. The default PIN (not that it really matters once you know it) is 0000.

We’ve said it before, and we shall probably have to say it again: DON’T HAVE HARD-WIRED PASSWORDS.

A default password – one that you can change, but often forget to – is an implicit backdoor.

If you must have a setup-time password that has a known-to-the-public value, allow it only at initial login and for the purpose of setting a proper password.

For example, don’t let your router go on-line until the default password has been changed; don’t let your mobile phone app post messages; and don’t let people logon to the loo.

And a hard-wired password – one that you can’t change, even if you want to – is an explicit backdoor.

Of course, a four-digit PIN is woefully inadequate unless you have some kind of lock-out after a few failures. (Consider my recent BREACH article, in which I was able to recover a strongly-encrypted eight-digit identifier with just 10,000 HTTP probes).

Anyway, 0000 is a pretty bad choice even with an aggressive lock-out such as the three-strikes-and-you’re-done approach taken by ATMs (cash machines).

But let’s get back to the toilet!

As you’ve probably guessed, especially if you have ever visited that part of the world, this is a Japanese product.

→ In a Western hotel in Japan, your first consultation with the khazi can be confronting. There it is, American style, giantly brimming with water just below your personal plumbing, bristling with more controls than the Starship Bistromath, and plugged straight into an electrical socket. The locals’ protestations that “mains is only 100V in Japan” is not the sort of consolation that inspires confidence.

And the LIXIL Satis (Latin for “up to the job”) is a premium potty product.

As you have probably gathered, it can be controlled wirelessly via Bluetooth, thanks to an Android app called My Satis.

(I’m really struggling to keep serious about security here, but the screenshot to the right really is from the app.

You can learn more, probably more than you need, and certainly much more than you really want to know, about being “up to the job” at the Google Play Store.)

Fortunately, the researchers at Trustwave didn’t allow themselves to be sidetracked into toilet humour.

They kept a sense of propriety, drily reminding us that:

An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

I’ll leave you with the following mitigations:

  • Satis users are advised to check their water bowls (sorry!) bills carefully for signs of unauthorised transactions.
  • Friends are advised not to borrow Satis users’ phones, on account of the circumstances under which their screens may have been swiped.

By all means, have a chuckle.

But see the serious side, and repeat after me: DON’T PUT HARD-WIRED PASSWORDS IN YOUR CODE.