Sunday, June 26, 2022

Security flaws in internet-connected hot tubs exposed owners’ personal data – TechCrunch


A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to the personal data of every hot tub owner.

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

Zveare first noticed a problem when he tried to log in using the SmartTub web interface, which uses the third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment, Zveare saw the full admin panel, populated with user data, flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and Thermo Spas.

Zveare then tried to bypass the restriction and obtain full access. He used a tool called Fiddler to intercept and modify the code that told the website whether he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app, which allowed him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.

Zveare contacted Jacuzzi to alert them to the vulnerabilities, beginning with an initial notification just hours after discovering the flaws on December 3. Zveare received a response asking for more details three days later. But after one month of no further communication, Zveare enlisted the help of Auth0, which shut down the vulnerable SmartTub admin panel. The second admin panel was eventually fixed on June 4, despite no formal acceptance from Jacuzzi that they have addressed the issues.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare. […] they have addressed all reported issues.”

As noted by Zveare, Jacuzzi is incorporated in California, which has data breach notification and Internet of Things security laws. The latter requires manufacturers of connected devices to include “reasonable security feature[s]” in all such devices sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet.

TechCrunch contacted Jacuzzi for comment, but the company did not respond.
