So many vulnerabilities are just Sturm und Drang, often with a fair bit of hyperbole and fin de siècle pretension stirred in.
From Windows kernel bugs that will surely stop the world (though they haven’t yet); through blogging platform holes that give the bad guys temporary residency on your server; to a code verification bypass that lets crooks “borrow” both your goodwill and your digital signature to legitimise their dodgy Android apps, and then another one…
You’d be forgiven for wondering if there are ever any exploitable vulnerabilities that aren’t doomy-and-gloomy, and at which you are allowed an uncomplicated chuckle.
I am pleased to tell you that the chaps at Trustwave have found one!
Just when you thought it was safe to go back in the water closet, along comes TWSL2013-020.
It’s no less than a Vulnerability in The LIXIL Satis Toilet!
Let’s be serious for a moment.
This is a regrettable vulnerability from which we can all learn:
- An Android app to control the toilet reveals a hard-wired Bluetooth pairing PIN.
- The default PIN (not that it really matters once you know it) is 0000.
We’ve said it before, and we shall probably have to say it again: DON’T HAVE HARD-WIRED PASSWORDS.
A default password – one that you can change, but often forget to – is an implicit backdoor.
If you must have a setup-time password that has a known-to-the-public value, allow it only at initial login and for the purpose of setting a proper password.
For example, don’t let your router go on-line until the default password has been changed; don’t let your mobile phone app post messages; and don’t let people logon to the loo.
And a hard-wired password – one that you can’t change, even if you want to – is an explicit backdoor.
Of course, a four-digit PIN is woefully inadequate unless you have some kind of lock-out after a few failures. (Consider my recent BREACH article, in which I was able to recover a strongly-encrypted eight-digit identifier with just 10,000 HTTP probes).
Anyway, 0000 is a pretty bad choice even with an aggressive lock-out such as the three-strikes-and-you’re-done approach taken by ATMs (cash machines).
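To make that rule concrete, here is a small model (added here, not code from the article, Trustwave or LIXIL) of a PIN gate that accepts the factory default only for the purpose of setting a real PIN, and locks the device after three failures. Only the 0000 default comes from the article; the class and method names, MAX_FAILURES and PIN_LENGTH are my own assumptions.

```python
"""Setup-only default PIN plus failure lock-out (added example, not from the
article or the vendor's app). Assumed interface: authenticate(pin) and
set_pin(current, new); MAX_FAILURES and PIN_LENGTH are illustrative."""
from dataclasses import dataclass
import hmac

DEFAULT_PIN = "0000"   # factory value named in the article
MAX_FAILURES = 3       # ATM-style three-strikes lock-out
PIN_LENGTH = 4


@dataclass
class PinGate:
    pin: str = DEFAULT_PIN
    setup_mode: bool = True   # stays True until the default is replaced
    failures: int = 0
    locked: bool = False

    def _fail(self) -> bool:
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False

    def authenticate(self, attempt: str) -> bool:
        """Grant control only with the owner's PIN on a configured, unlocked unit.
        In setup mode nothing is granted: the default can only drive set_pin()."""
        if self.locked or self.setup_mode:
            return False
        if not hmac.compare_digest(attempt, self.pin):
            return self._fail()
        self.failures = 0
        return True

    def set_pin(self, current: str, new: str) -> bool:
        """Replace the PIN; the default is accepted as `current` only in setup
        mode, and is never accepted as the `new` value."""
        if self.locked:
            return False
        expected = DEFAULT_PIN if self.setup_mode else self.pin
        if not hmac.compare_digest(current, expected):
            return self._fail()
        if new == DEFAULT_PIN or len(new) != PIN_LENGTH or not new.isdigit():
            return False
        self.pin, self.setup_mode, self.failures = new, False, 0
        return True


def blind_guess_odds(pin_length: int = PIN_LENGTH, tries: int = MAX_FAILURES) -> float:
    """Chance that `tries` blind guesses hit a uniformly random PIN before
    lock-out: 3 / 10**4 here, versus certainty with no lock-out at all."""
    return tries / 10 ** pin_length
```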
But let’s get back to the toilet!
As you’ve probably guessed, especially if you have ever visited that part of the world, this is a Japanese product.
→ In a Western hotel in Japan, your first consultation with the khazi can be confronting. There it is, American style, giantly brimming with water just below your personal plumbing, bristling with more controls than the Starship Bistromath, and plugged straight into an electrical socket. The locals’ protestations that “mains is only 100V in Japan” is not the sort of consolation that inspires confidence.
And the LIXIL Satis (Latin for “up to the job”) is a premium potty product.
As you have probably gathered, it can be controlled wirelessly via Bluetooth, thanks to an Android app called My Satis.
(I’m really struggling to keep serious about security here, but the screenshot to the right really is from the app.
You can learn more, probably more than you need, and certainly much more than you really want to know, about being “up to the job” at the Google Play Store.)
Fortunately, the researchers at Trustwave didn’t allow themselves to be sidetracked into toilet humour.
They kept a sense of propriety, drily reminding us that:
An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to the user.
I’ll leave you with the following mitigations:
- Satis users are advised to check their water bowls (sorry!) bills carefully for signs of unauthorised transactions.
- Friends are advised not to borrow Satis users’ phones, on account of the circumstances under which their screens may have been swiped.
By all means, have a chuckle.
But see the serious side, and repeat after me: DON’T PUT HARD-WIRED PASSWORDS IN YOUR CODE.
I'm sorry, but when did we get to the point of having our toilets paired with our phones?
"HONEY!! I can't flush! I forgot my phone in the living room. Can you do it for me?"
Thing is, this is Bluetooth, not Wi-Fi, so the expectation must be that you'll have your phone close by…e.g. actually in your hand while you're seated on the Thomas.
Clearly, it's much more convenient to be able to tweak the toilet without having to turn to the side and operate the controls that these toilets usually have…but the hygiene implications (my second mitigation above wasn't really a joke) do leave a lot to be desired…
Haha. And then couldn't the other person have some fun.
Would love to see this being exploited for shits and giggles 😉
There are NO COMMENTS posted yet? To an article about toilet security? Seriously? I'll leave the bathroom humor to someone else as I'm no good at it, but I agree "Never use hard-wired passwords!"
Most of our readers actually take security pretty seriously so they're probably unsure whether to make a light-hearted remark (because it is nice to have a vuln you can laugh at) or to keep it real (because one can never get too casual about security matters).
So some people who might feel like commenting probably haven't done so because they feel caught between two stools.
This thread could go down the pan quite quickly
Let's hope that doesn't happen, but if it does, you can always log a complaint with the editor.
What a lot of fuss over a tiny bit of sh**e. If you don’t like it, just disable the Bluetooth, and if someone was so desperate to flush my toilets for me, I would only be sad and tell him to go get a life rather than worry about keeping my toilets clean.
Yeah, but not all haxxor types are so obliging. There are bound to be some of them who would consider it piles of fun to engage the bidet function at inappropriate moments (you get quite an arc of water out of these devices). So you might end up keeping your floor and walls clean, too.
I find it hysterical that the media is focusing on the toilet attack, but the other products mentioned in the *same talk* that are more prevalent consumer devices didn't even make it to an article.
I completely agree with the security implications of hard-wired passwords and the comments about it in the article, but I can’t understand what I consider a stupid usage of technology. Come on, needing your cell phone to flush the toilet seems absurd, something done by someone not knowing what to do with technology and playing to create the most useless thing.
Joking aside, there was a TV programme recently where they fitted something like this for a guy with motor neurone disease so he could go to the toilet himself.
As anyone who has cared for an adult knows, neither carer nor the cared-for relish this part.
So although we may laugh and joke about this, it is the future for many of us if we want to live independently in our own homes as we get older.
But if you want a joke – I bet the programmer who made this error is sh*tting himself!
I’d read elsewhere on this topic that the malware could do things like activate (record, transmit, etc.) the microphone or one of the two cameras on the phone – which the user has brought in with them.
Cookies, meh. THAT’s an invasion of privacy.
I hadn’t read about the cause – default passwords. NS dishes the real dirt yet again. I can count on your informed and detailed perspective, even if I’ve only heard vague info elsewhere.