acm-header
Sign In

Communications of the ACM

ACM TechNews

Security Flaws in Internet-Connected Hot Tubs Exposed Owners' Personal Data


The vulnerabilities in Jacuzzi’s SmartTub interface allowed access to the personal data of every hot tub owner.

Credit: Chandan Khanna/AFP/Getty Images

Vulnerabilities discovered by hacker Eaton Zveare in hot tub manufacturer Jacuzzi's SmartTub Internet interface compromised the data of owners worldwide.

The system allows users to control their hot tubs remotely through a companion Android or iPhone application, which has been downloaded more than 10,000 times.

Zveare said owners' names and emails could be leaked though the exploit, which he noticed when logging in using the SmartTub interface; the login page returned an "unauthorized" error, and briefly flashed a full admin panel filled with user data, including information for multiple hot tub brands.

The hacker used a tool called Fiddler to intercept and alter code that fooled the website into thinking he was an admin rather than an ordinary user, exposing the whole admin panel.

Zveare found two vulnerable admin panels, which Jacuzzi corrected after spotty communications, and without any formal acknowledgement.

From TechCrunch
View Full Article

 

Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA


 

No entries found