Security

Security flaws in internet-connected hot tubs exposed owners’ personal data

Comment

A bubbling hot tub with two people in it
Image Credits: Chandan Khanna / AFP (opens in a new window) / Getty Images

A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to the personal data of every hot tub owner.

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

The main concern is their name and email being leaked,” Zveare told TechCrunch, adding that attackers could also potentially heat up someone else’s hot tub or change the filtration cycles. “That would make things unpleasant the next time the person checked their tub,” he said. “But I don’t think there is anything truly dangerous that could have been done — you have to do all chemicals by hand.

Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and ThermoSpas.

Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.

Zveare contacted Jacuzzi to alert them to the vulnerabilities, beginning with an initial notification just hours after discovering the flaws on December 3. Zveare received a response asking for more details three days later. But after one month of no further communication, Zveare enlisted the help of Auth0, which reached out to Jacuzzi and got it to shut down the vulnerable SmartTub admin panel. The second admin panel was eventually fixed on June 4, despite no formal acknowledgement from Jacuzzi that they have addressed the issues.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare. “Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgment they have addressed all reported issues.”

As noted by Zveare, Jacuzzi is incorporated in California, which has data breach notification and Internet of Things security laws. The latter requires manufacturers of connected devices to include “reasonable security feature[s]” in all such devices sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet.

TechCrunch contacted Jacuzzi for comment, but the company did not respond.

Is the UK government’s new IoT cybersecurity bill fit for purpose?

More TechCrunch

Avendus, the top investment bank for venture deals in India, confirmed on Wednesday it is looking to raise up to $350 million for its new private equity fund.  The new…

Avendus, India’s top venture advisor, confirms it’s looking to raise a $350 million fund

China has closed a third state-backed investment fund to bolster its semiconductor industry and reduce reliance on other nations, both for using and for manufacturing wafers — prioritizing what is…

China’s $47B semiconductor fund puts chip sovereignty front and center

Apple’s annual list of what it considers the best and most innovative software available on its platform is turning its attention to the little guy.

Apple’s Design Awards nominees highlight indies and startups, largely ignore AI (except for Arc)

The spyware maker’s founder, Bryan Fleming, said pcTattletale is “out of business and completely done,” following a data breach.

Spyware maker pcTattletale says it’s ‘out of business’ and shuts down after data breach

AI models are always surprising us, not just in what they can do, but what they can’t, and why. An interesting new behavior is both superficial and revealing about these…

AI models have favorite numbers, because they think they’re people

On Friday, Pal Kovacs was listening to the long-awaited new album from rock and metal giants Bring Me The Horizon when he noticed a strange sound at the end of…

Rock band’s hidden hacking-themed website gets hacked

Jan Leike, a leading AI researcher who earlier this month resigned from OpenAI before publicly criticizing the company’s approach to AI safety, has joined OpenAI rival Anthropic to lead a…

Anthropic hires former OpenAI safety lead to head up new team

Welcome to TechCrunch Fintech! This week, we’re looking at the long-term implications of Synapse’s bankruptcy on the fintech sector, Majority’s impressive ARR milestone, and more!  To get a roundup of…

The demise of BaaS fintech Synapse could derail the funding prospects for other startups in the space

YouTube’s free Playables don’t directly challenge the app store model or break Apple’s rules. However, they do compete with the App Store’s free games.

YouTube’s free games catalog ‘Playables’ rolls out to all users

Featured Article

A comprehensive list of 2024 tech layoffs

The tech layoff wave is still going strong in 2024. Following significant workforce reductions in 2022 and 2023, this year has already seen 60,000 job cuts across 254 companies, according to independent layoffs tracker Layoffs.fyi. Companies like Tesla, Amazon, Google, TikTok, Snap and Microsoft have conducted sizable layoffs in the first months of 2024. Smaller-sized…

14 hours ago
A comprehensive list of 2024 tech layoffs

OpenAI has formed a new committee to oversee “critical” safety and security decisions related to the company’s projects and operations. But, in a move that’s sure to raise the ire…

OpenAI’s new safety committee is made up of all insiders

Time is running out for tech enthusiasts and entrepreneurs to secure their early-bird tickets for TechCrunch Disrupt 2024! With only four days left until the May 31 deadline, now is…

Early bird gets the savings — 4 days left for Disrupt sale

AI may not be up to the task of replacing Google Search just yet, but it can be useful in more specific contexts — including handling the drudgery that comes…

Skej’s AI meeting scheduling assistant works like adding an EA to your email

Faircado has built a browser extension that suggests pre-owned alternatives for ecommerce listings.

Faircado raises $3M to nudge people to buy pre-owned goods

Tumblr, the blogging site acquired twice, is launching its “Communities” feature in open beta, the Tumblr Labs division has announced. The feature offers a dedicated space for users to connect…

Tumblr launches its semi-private Communities in open beta

Remittances from workers in the U.S. to their families and friends in Latin America amounted to $155 billion in 2023. With such a huge opportunity, banks, money transfer companies, retailers,…

Félix Pago raises $15.5 million to help Latino workers send money home via WhatsApp

Google said today it’s adding new AI-powered features such as a writing assistant and a wallpaper creator and providing easy access to Gemini chatbot to its Chromebook Plus line of…

Google adds AI-powered features to Chromebook

The dynamic duo behind the Grammy Award–winning music group the Chainsmokers, Alex Pall and Drew Taggart, are set to bring their entrepreneurial expertise to TechCrunch Disrupt 2024. Known for their…

The Chainsmokers light up Disrupt 2024

The deal will give LumApps a big nest egg to make acquisitions and scale its business.

LumApps, the French ‘intranet super app,’ sells majority stake to Bridgepoint in a $650M deal

Featured Article

More neobanks are becoming mobile networks — and Nubank wants a piece of the action

Nubank is taking its first tentative steps into the mobile network realm, as the NYSE-traded Brazilian neobank rolls out an eSIM (embedded SIM) service for travelers. The service will give customers access to 10GB of free roaming internet in more than 40 countries without having to switch out their own existing physical SIM card or…

22 hours ago
More neobanks are becoming mobile networks — and Nubank wants a piece of the action

Infra.Market, an Indian startup that helps construction and real estate firms procure materials, has raised $50M from MARS Unicorn Fund.

MARS doubles down on India’s Infra.Market with new $50M investment

Small operations can lose customers by not offering financing, something the Berlin-based startup wants to change.

Cloover wants to speed solar adoption by helping installers finance new sales

India’s Adani Group is in discussions to venture into digital payments and e-commerce, according to a report.

Adani looks to battle Reliance, Walmart in India’s e-commerce, payments race, report says

Ledger, a French startup mostly known for its secure crypto hardware wallets, has started shipping new wallets nearly 18 months after announcing the latest Ledger Stax devices. The updated wallet…

Ledger starts shipping its high-end hardware crypto wallet

A data protection taskforce that’s spent over a year considering how the European Union’s data protection rulebook applies to OpenAI’s viral chatbot, ChatGPT, reported preliminary conclusions Friday. The top-line takeaway…

EU’s ChatGPT taskforce offers first look at detangling the AI chatbot’s privacy compliance

Here’s a shoutout to LatAm early-stage startup founders! We want YOU to apply for the Startup Battlefield 200 at TechCrunch Disrupt 2024. But you’d better hurry — time is running…

LatAm startups: Apply to Startup Battlefield 200

The countdown to early-bird savings for TechCrunch Disrupt, taking place October 28–30 in San Francisco, continues. You have just five days left to save up to $800 on the price…

5 days left to get your early-bird Disrupt passes

Venture investment into Spanish startups also held up quite well, with €2.2 billion raised across some 850 funding rounds.

Spanish startups reached €100 billion in aggregate value last year

Featured Article

Onyx Motorbikes was in trouble — and then its 37-year-old owner died

James Khatiblou, the owner and CEO of Onyx Motorbikes, was watching his e-bike startup fall apart.  Onyx was being evicted from its warehouse in El Segundo, near Los Angeles. The company’s unpaid bills were stacking up. Its chief operating officer had abruptly resigned. A shipment of around 100 CTY2 dirt bikes from Chinese supplier Suzhou…

2 days ago
Onyx Motorbikes was in trouble — and then its 37-year-old owner died

Featured Article

Iyo thinks its GenAI earbuds can succeed where Humane and Rabbit stumbled

Iyo represents a third form factor in the push to deliver standalone generative AI devices: Bluetooth earbuds.

2 days ago
Iyo thinks its GenAI earbuds can succeed where Humane and Rabbit stumbled