Sign In

Communications of the ACM

ACM TechNews

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data

View as: Print Mobile App Share:

The vulnerabilities in Jacuzzi’s SmartTub interface allowed access to the personal data of every hot tub owner.

Credit: Chandan Khanna/AFP/Getty Images

Vulnerabilities discovered by hacker Eaton Zveare in hot tub manufacturer Jacuzzi's SmartTub Internet interface compromised the data of owners worldwide.

The system allows users to control their hot tubs remotely through a companion Android or iPhone application, which has been downloaded more than 10,000 times.

Zveare said owners' names and emails could be leaked though the exploit, which he noticed when logging in using the SmartTub interface; the login page returned an "unauthorized" error, and briefly flashed a full admin panel filled with user data, including information for multiple hot tub brands.

The hacker used a tool called Fiddler to intercept and alter code that fooled the website into thinking he was an admin rather than an ordinary user, exposing the whole admin panel.

Zveare found two vulnerable admin panels, which Jacuzzi corrected after spotty communications, and without any formal acknowledgement.

From TechCrunch
View Full Article


Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA


No entries found