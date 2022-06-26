With the rise of smart devices and the connected home, more and more products ship with IoT features. Even a hot tub now offers cloud integration. And had it not been for the finding of an independent researcher, the data of thousands of users who own a Jacuzzi could have been compromised.

This researcher was able to enter the firm's administration panel with little effort, uncovering a major security flaw that gave him access to a large amount of information about the users who own the company's smart hot tubs.

A security flaw that even allowed remote control of users’ bathtubs

Eaton Zveare, chief technology officer at Grape Intentions, documented as much as possible about the Jacuzzi security issue on his Eaton Works blog. There he explains how he was able to get into the company's systems through a vulnerability he found. The researcher did not publish the write-up until Jacuzzi had corrected the flaw. Contacting the company was an arduous task for Zveare, but finally, thanks to the Auth0 security team, the spa solutions firm fixed the bug. It did so, of course, without notifying the researcher or thanking him.



Image: EatonWorks

Nowadays, it is possible to use a mobile phone or smart device to control some aspects of the jacuzzi. Users rely on the cloud to reach the remote configuration of their smart hot tub, which adds yet another attack surface for cyber-attacks. Fortunately, Eaton's intentions were good, and he decided to contact Jacuzzi rather than exploit the flaw and harvest user information.

Eaton first discovered the problem while trying to access one of Jacuzzi's services through his password manager. He ran into an error message telling him that he was "not authorized to enter."

As Zveare explains, before the message appeared, a header and a table flashed on the page for an instant. According to the researcher, in order to see it properly he had to record his screen. Analyzing the recording carefully, what had appeared fleetingly was an administration panel with access to the information of all users of Jacuzzi and other brands.

Upon seeing it, he wondered whether he could bypass the restriction and reach this panel. Eaton noted that 'smarttub.io' was a Single Page Application (SPA) built with the React library. After downloading the JavaScript bundle, he searched it for the word 'unauthorized'. In this way, he found the code path that produced the error and rendered the 'div' HTML element that blocked access.

Using the Fiddler proxy, he intercepted the bundle and modified that code so that the page would treat the user as an administrator. And it worked: the gate was enforced only in the browser, so changing the client-side JavaScript was enough to reach the panel.



Image: EatonWorks

Once inside, he found information on Jacuzzi users from all over the world. As he says on the blog, the amount of information he could reach surprised him. He could see the details of every spa, see its owner, and even change owners' privileges. He took special care, however, while browsing the panel.

From the APK of the Android app, he discovered another URL that led him to a second administration panel. Through it he was able to reach Jacuzzi's backend system, where he had access to the products themselves: he could modify their serial numbers, see a list of distributors' phone numbers, and even view manufacturing records, among other things.

As Eaton mentioned, the worst part of all was that users' personal information could be accessed easily and that the hot tubs could even be controlled remotely.

“User data from around the world was exposed, including first name, last name, and email address. There is a phone number field, but luckily I never saw it filled in anywhere, and they don’t ask for it when creating an account.”

The fact that IoT products and other smart devices depend on the cloud can bring us many benefits. But it comes at the expense of the company holding control over our information. That is why, when building a connected ecosystem at home, users are generally advised to prefer local solutions.

Via | VICE