IoT weaknesses leave hot tub owners in deep water

For decades hot tubs were simple water-bearing garden luxuries that owners looked forward to relaxing in of an evening.

More recently, manufacturers started adding exciting Internet of Things (IoT) features that product marketing departments worked themselves into a lather promoting as the next must-have.

These IoT-enabled hot tubs look identical to the old ones except that owners can now remotely adjust things such as water temperature using a smartphone app.

No prizes for guessing what’s coming next – according to UK security outfit Pen Test Partners, it looks as if at least one hot tub maker left robust security off the to-do list.

In a video filmed from a hot tub, founder Ken Munro explains how his company was tipped off to look more closely at the authentication design of the app used to control hot tubs or spas made by Balboa Water Group (BWG).

What they found reads like a useful definition of how not to do IoT security.

The app communicates directly with a Wi-Fi interface on the company’s hot tubs, or over the internet using an API. The access point (AP) built into the tub…

…is open, no PSK [pre-shared key], so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.

And that’s not all – the API has no authentication but connects to a cloud service called iDigi, which uses a static password. Reaching out to a specific tub requires an ID, and that turns out to be… a padded version of the Wi-Fi access point’s MAC address!

Sniffing out Wi-Fi networks is easy and popular – so easy and so popular that giant databases and maps of the globe with MAC addresses plotted on them are just a click away. And, as anyone who’s used Google’s Location Services will know, Wi-Fi networks can be used for geo-location very effectively too.
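The design just described (an open access point, an unauthenticated API behind a static cloud password, and a tub ID that is a function of a MAC address) is easiest to understand next to what authenticated remote control looks like. The following is an added illustration, not code from Balboa, iDigi or Pen Test Partners: the padding convention in `mac_derived_id`, the two broker classes, the command format and the timestamp-based replay window are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration (not BWG's, iDigi's, or Pen Test Partners' code): contrasts a
# device identifier derived from public data with a registry of random IDs and
# per-device secrets used to authenticate remote commands.


def mac_derived_id(mac: str) -> str:
    """Weak scheme from the article: the tub ID is a padded form of the AP's MAC.

    The exact padding convention is an assumption; whatever it is, the ID is a
    deterministic function of a value broadcast in beacon frames and catalogued
    in public wardriving databases, so it carries no secret at all.
    """
    return mac.replace(":", "").upper().rjust(16, "0")


def new_device_identity() -> tuple[str, bytes]:
    """Hardened alternative: a random 128-bit ID and a 256-bit per-device secret,
    both provisioned at manufacture and never derived from anything observable."""
    return secrets.token_hex(16), secrets.token_bytes(32)


def sign_command(device_id: str, secret: bytes, command: str, ts: int) -> str:
    """Tag a command with HMAC-SHA256 over (device_id, timestamp, command)."""
    msg = f"{device_id}|{ts}|{command}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class UnauthenticatedBroker:
    """Mirrors the article's finding: knowing the ID is enough to issue commands."""

    def __init__(self) -> None:
        self.devices: set[str] = set()

    def handle(self, device_id: str, command: str) -> tuple[bool, str]:
        if device_id not in self.devices:
            return False, "unknown device"
        return True, f"executed {command}"


class AuthenticatedBroker:
    """Cloud-side verifier: per-device secret, bounded clock skew, no replays."""

    def __init__(self, max_skew: int = 30) -> None:
        self.secrets: dict[str, bytes] = {}
        self.last_ts: dict[str, int] = {}
        self.max_skew = max_skew

    def register(self, device_id: str, secret: bytes) -> None:
        self.secrets[device_id] = secret

    def handle(self, device_id: str, command: str, ts: int, tag: str, now: int) -> tuple[bool, str]:
        secret = self.secrets.get(device_id)
        if secret is None:
            return False, "unknown device"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside skew window"
        if ts <= self.last_ts.get(device_id, -1):
            return False, "replayed timestamp"
        expected = sign_command(device_id, secret, command, ts)
        # Constant-time comparison so the tag check itself leaks nothing.
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        self.last_ts[device_id] = ts
        return True, f"executed {command}"


if __name__ == "__main__":
    dev_id, dev_secret = new_device_identity()
    broker = AuthenticatedBroker()
    broker.register(dev_id, dev_secret)
    now = 1_700_000_000  # constructed clock value
    tag = sign_command(dev_id, dev_secret, "set_temp=38", now)
    print(broker.handle(dev_id, "set_temp=10", now, tag, now))       # bad signature
    print(broker.handle(dev_id, "set_temp=38", now, tag, now))       # accepted
    print(broker.handle(dev_id, "set_temp=38", now, tag, now + 5))   # replayed timestamp
```

The point of the contrast is that `UnauthenticatedBroker` will act on any command from anyone who can produce a valid-looking ID, and a MAC-derived ID is exactly that kind of value; `AuthenticatedBroker` ties every command to a secret that only the legitimate app and the tub share, and a timestamp window plus a last-seen record stops a captured command from being resent.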

Would you mind if anyone could locate your hot tub on a map? Perhaps not, but most users would mind some of the other security problems revealed by this app.

At this point, the researchers decided to coin a special name for this kind of device – the “hackuzzi” (in honour of the US brand Jacuzzi, which is unaffected by this vulnerability).

In hot water

Now for the pièce de résistance – fiddling with the water temperature.

According to the researchers, this might not be dangerous per se but would allow a hacker to cause the tub to consume excessive electricity or to make it unusably cold. It’s also possible to control the blowers or water spouts:

Blowers are also only turned on when someone is in the tub, so the hacker can figure out if you’re in the tub at the time. Creepy.

There is a serious side to this finding beyond the woeful IoT security of a product used to control an estimated 26,000 hot tubs. When Pen Test Partners contacted Balboa it received no response until the BBC contacted them in advance of a TV feature on the story.

Pen Test Partners claimed that BWG asked for the Christmas broadcast to be delayed to allow for the holidays.

Said Pen Test Partners:

It’s yet another example of an IoT disclosure train wreck.

Until the app and/or API is updated, their advice for owners is not to use the remote control function and, if really worried, to physically remove the Wi-Fi module that enables it.

Hopefully, Balboa will offer an update soon. However, given that the most recent update for the Android version (v2.2.7) was in July 2013, it's probably best to assume this might not be imminent.