Communications of the ACM

Home/News/Security Flaws in Internet-Connected Hot Tubs Exposed.../Full Text

ACM TechNews

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data

By TechCrunch
June 28, 2022
Comments

View as: Print Mobile App Share:

The vulnerabilities in Jacuzzi’s SmartTub interface allowed access to the personal data of every hot tub owner.

Credit: Chandan Khanna/AFP/Getty Images

Vulnerabilities discovered by hacker Eaton Zveare in hot tub manufacturer Jacuzzi's SmartTub Internet interface compromised the data of owners worldwide.

The system allows users to control their hot tubs remotely through a companion Android or iPhone application, which has been downloaded more than 10,000 times.

Zveare said owners' names and emails could be leaked though the exploit, which he noticed when logging in using the SmartTub interface; the login page returned an "unauthorized" error, and briefly flashed a full admin panel filled with user data, including information for multiple hot tub brands.

The hacker used a tool called Fiddler to intercept and alter code that fooled the website into thinking he was an admin rather than an ordinary user, exposing the whole admin panel.

Zveare found two vulnerable admin panels, which Jacuzzi corrected after spotty communications, and without any formal acknowledgement.

From TechCrunch
View Full Article

No entries found

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data

Housekeeping Humanoid System Can Cook, Clean

Leveraging Professional Ethics for Responsible AI

Are You Confident in Your Backups?