Just when you thought it was safe to go back in the water (closet)!

Filed Under: Featured, Security threats, Vulnerability

So many vulnerabilities are just Sturm und Drang, often with a fair bit of hyperbole and fin de siècle pretension stirred in.

From Windows kernel bugs that will surely stop the world (though they haven't yet); through blogging platform holes that give the bad guys temporary residency on your server; to a code verification bypass that lets crooks "borrow" both your goodwill and your digital signature to legitimise their dodgy Android apps, and then another one...

You'd be forgiven for wondering if there are ever any exploitable vulnerabilities that aren't doomy-and-gloomy, and at which you are allowed an uncomplicated chuckle.

I am pleased to tell you that the chaps at Trustwave have found one!

Just when you thought it was safe to go back in the water closet, along comes TWSL2013-020.

It's no less than a Vulnerability in The LIXIL Satis Toilet!

Let's be serious for a moment.

This is a regrettable vulnerability from which we can all learn:

  1. An Android app to control the toilet reveals a hard-wired Bluetooth pairing PIN.
  2. The default PIN (not that it really matters once you know it) is 0000.

We've said it before, and we shall probably have to say it again: DON'T HAVE HARD-WIRED PASSWORDS.

A default password - one that you can change, but often forget to - is an implicit backdoor.

If you must have a setup-time password that has a known-to-the-public value, allow it only at initial login and for the purpose of setting a proper password.

For example, don't let your router go on-line until the default password has been changed; don't let your mobile phone app post messages; and don't let people log on to the loo.

And a hard-wired password - one that you can't change, even if you want to - is an explicit backdoor.

Of course, a four-digit PIN is woefully inadequate unless you have some kind of lock-out after a few failures. (Consider my recent BREACH article, in which I was able to recover a strongly-encrypted eight-digit identifier with just 10,000 HTTP probes).

Anyway, 0000 is a pretty bad choice even with an aggressive lock-out such as the three-strikes-and-you're-done approach taken by ATMs (cash machines).
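As an added illustration (not code from the article, from Trustwave or from LIXIL), here is a small Python model of the policy described above: the public default PIN only ever lets you set a real PIN, real actions require the owner-chosen PIN, and three failures lock the device out ATM-style. The class and function names, and the constants, are this example's own assumptions.

```python
"""Model of a setup-time-only default credential with three-strikes lock-out.

Added example; not the toilet's, the app's, or Trustwave's code.
"""
import hmac
from enum import Enum

DEFAULT_PIN = "0000"   # public, known-to-everyone setup value (constructed)
MAX_FAILURES = 3       # ATM-style three-strikes-and-you're-done


class State(Enum):
    SETUP = "setup"     # default PIN accepted, solely to set a real PIN
    ACTIVE = "active"   # only the owner-chosen PIN is accepted
    LOCKED = "locked"   # too many failures; nothing is accepted


class DeviceAuth:
    def __init__(self):
        self.state = State.SETUP
        self._pin = DEFAULT_PIN
        self.failures = 0

    def set_pin(self, presented, new_pin):
        """Only permitted while in SETUP; the one thing the default PIN can do."""
        if self.state != State.SETUP or not hmac.compare_digest(presented, self._pin):
            return False
        # Refuse a "new" PIN that is the public default or not four digits
        if len(new_pin) != 4 or not new_pin.isdigit() or new_pin == DEFAULT_PIN:
            return False
        self._pin = new_pin
        self.state = State.ACTIVE
        return True

    def authorise(self, presented):
        """Gate for real actions (flush, lid, bidet). Never succeeds outside ACTIVE."""
        if self.state != State.ACTIVE:
            return False
        if hmac.compare_digest(presented, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.state = State.LOCKED   # guessing stops here, not at 10,000 tries
        return False


def fraction_of_pin_space_tryable(pin_digits=4, max_failures=MAX_FAILURES):
    """Share of the PIN space an unauthenticated party can try before lock-out."""
    return max_failures / 10 ** pin_digits
```

Without the lock-out, the same four-digit space is exhausted in 10,000 tries; with it, a guesser gets three.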

But let's get back to the toilet!

As you've probably guessed, especially if you have ever visited that part of the world, this is a Japanese product.

→ In a Western hotel in Japan, your first consultation with the khazi can be confronting. There it is, American style, giantly brimming with water just below your personal plumbing, bristling with more controls than the Starship Bistromath, and plugged straight into an electrical socket. The locals' protestations that "mains is only 100V in Japan" are not the sort of consolation that inspires confidence.

And the LIXIL Satis (Latin for "up to the job") is a premium potty product.

As you have probably gathered, it can be controlled wirelessly via Bluetooth, thanks to an Android app called My Satis.

(I'm really struggling to keep serious about security here, but the screenshot to the right really is from the app.

You can learn more, probably more than you need, and certainly much more than you really want to know, about being "up to the job" at the Google Play Store.)

Fortunately, the researchers at Trustwave didn't allow themselves to be sidetracked into toilet humour.

They kept a sense of propriety, drily reminding us that:

An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

I'll leave you with the following mitigations:

  • Satis users are advised to check their water bowls (sorry!) bills carefully for signs of unauthorised transactions.
  • Friends are advised not to borrow Satis users' phones, on account of the circumstances under which their screens may have been swiped.

By all means, have a chuckle.

But see the serious side, and repeat after me: DON'T PUT HARD-WIRED PASSWORDS IN YOUR CODE.



14 Responses to Just when you thought it was safe to go back in the water (closet)!

  1. ScottK · 789 days ago

    I'm sorry, but when did we get to the point of having our toilets paired with our phones?
    "HONEY!! I can't flush! I forgot my phone in the living room. Can you do it for me?"

    • Paul Ducklin · 788 days ago

      Thing is, this is Bluetooth, not Wi-Fi, so the expectation must be that you'll have your phone close by...e.g. actually in your hand while you're seated on the Thomas.

      Clearly, it's much more convenient to be able to tweak the toilet without having to turn to the side and operate the controls that these toilets usually have...but the hygiene implications (my second mitigation above wasn't really a joke) do leave a lot to be desired...

    • Guy · 788 days ago

      Haha. And then couldn't the other person have some fun.

  2. purile · 789 days ago

    Would love to see this being exploited for shits and giggles ;-)

  3. There are NO COMMENTS posted yet? To an article about toilet security? Seriously? I'll leave the bathroom humor to someone else as I'm no good at it, but I agree "Never use hard-wired passwords!"

    • Paul Ducklin · 788 days ago

      Most of our readers actually take security pretty seriously so they're probably unsure whether to make a light-hearted remark (because it is nice to have a vuln you can laugh at) or to keep it real (because one can never get too casual about security matters).

      So some people who might feel like commenting probably haven't done so because they feel caught between two stools.

      • Guy · 788 days ago

        This thread could go down the pan quite quickly

        • Paul Ducklin · 787 days ago

          Let's hope that doesn't happen, but if it does, you can always log a complaint with the editor.

  4. Sammie · 788 days ago

    What a lot of fuss over a tiny bit of sh**e. If you don't like it, just disable the Bluetooth, and if someone was so desperate to flush my toilets for me, I would only be sad and tell him to go get a life rather than worry about keeping my toilets clean.

    • Paul Ducklin · 788 days ago

      Yeah, but not all haxxor types are so obliging. There are bound to be some of them who would consider it piles of fun to engage the bidet function at inappropriate moments (you get quite an arc of water out of these devices). So you might end up keeping your floor and walls clean, too.

  5. unregistered436 · 788 days ago

    I find it hysterical that the media is focusing on the toilet attack, but the other products mentioned in the *same talk* that are more prevalent consumer devices didn't even make it to an article.

  6. Hugo Koncke · 788 days ago

    I completely agree with the security implications of hard-wired passwords and the comments about it in the article, but I can't understand what I consider a stupid usage of technology. Come on, needing your cell phone to flush the toilet seems absurd, something done by someone not knowing what to do with technology and playing to create the most useless thing.

  7. Tony G · 788 days ago

    Joking aside, there was a TV programme recently where they fitted something like this for a guy with motor neurone disease so he could go to the toilet himself.

    As anyone who has cared for an adult knows, neither carer nor the cared-for relish this part.

    So although we may laugh and joke about this, it is the future for many of us if we want to live independently in our own homes as we get older.

    But if you want a joke - I bet the programmer who made this error is sh*tting himself!

  8. Solenoid · 787 days ago

    I'd read elsewhere on this topic that the malware could do things like activate (record, transmit, etc.) the microphone or one of the two cameras on the phone - which the user has brought in with them.

    Cookies, meh. THAT's an invasion of privacy.

    I hadn't read about the cause - default passwords. NS dishes the real dirt yet again. I can count on your informed and detailed perspective, even if I've only heard vague info elsewhere.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog