Hot Tub Hack Reveals Washed-up Security Protection

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."

Re:

[Known Nutter]

I switched to -1 looking for this post and was not disappointed.

No mod points at the moment, so, bravo to you, sir! Irregardless of political position, I am happy to have seen this post. I just knew it would be here... and it was! What a time to be alive!

IoT

[Anonymous Coward]

IoT - the rush for every manufacture to strap a computer to their thing and connect it to the internet and their walled garden platform.

IoT guys need to get together with open standards and push for things like OTA updates and security reviewed libraries. In their rush to create walled gardens. They are creating an oasis of hacks just waiting to be found.

How bad is it? Much worse then you think. Think of protocols that are sort of standard. No encryption. No authentication. Nothing. Then go hang that out on the internet behind a password page using state of the art tech from 1995 (if your lucky). Then even *if* there is some sort of security update thing. It is for maybe 1-2 years. So suddenly my 2k in outlay for hardware hubs and repeaters is useless because it is already at EOL. I own a 'smart TV' from 2009. None of the smart features work anymore. The TV is just fine though.

Re:IoT

[ctilsie242]

As someone who has worked for an IoT company, a lot of companies actually build in insecurity:

1: If there is a major show stopper that hits customers, causing lawsuits, the top brass shorts their stock the day before the announcements. They laugh all the way to the bank.

2: Unfixable security issues force customers to re-buy everything. The more issues that are unpatchable, the more revenue an IoT provider gets. Especially if the IoT devices are designed to be resistant to "jailbreaking", so they can't be patched via third parties.

3: IoT devices sending up a constant telemetry stream can make more cash than the device itself, especially to advertisers.

Want to know how to have IoT devices have a lot better security? Not hard:

1: Have a dedicated IoT firewall hub. This hub only allows communication as per signed manifest files. This way, if a device only communicates via HTTPS to a load balancer for updates, and suddenly starts phoning home to Lower Elbonia, that will be blocked. Of course, a lot of IoT providers will just do 0.0.0.0/255.255.255.255 for a netmask of permissive sites, but will be a cause of public humilation.

2: Have the IoT firewall hub communicate in an offline state, similar to UUCP forwarding. That way, the IoT hub grabs updates and offers them available for devices. Since there is no direct access to the devices, it becomes difficult to attack them without physical access.

3: Have something similar to UL, or Sold Secure, where devices get tested by an independent group and given a certification that they passed white box, black box, and other security attempts.

Re:

[CanadianMacFan]

With your third option to have something like UL to check devices don't you think companies would game the system just like some car companies did with emissions testing. (It wasn't just VW.) They'd send in a test system that didn't do the bad behaviours that were being checked for. Once they got the got the approval to sell the device they'd make sure the behaviour was turned on again and ship. Or have some way of detecting that the testing was being performed.

Re:

[ShanghaiBill]

No. For cars, it makes sense to send a "clean" car for emissions testing, and then sell a "dirty but efficient" car to the public. That way the regulators see low emissions, the customers get good milage, and everyone is happy.

For IoT security, this makes no sense. It is only more expensive to design good security. Once you have it, it would make no sense to put in only the test unit. Since software has zero marginal cost, why not deploy it in every unit sold?

Re:

[ctilsie242]

[Citation Needed]. China has things to disparage it, but banning encryption is something I have yet to actually see as a law. I personally prefer having IoT stuff made from other sources than China (the ye old China +1 methodology), but I'd rather aim criticism accurately.

Of course, in China, any venture on their soil has to be 51% or more owned by a domestic firm, and domestic firms have Chinese government officials on board, but I wouldn't say encryption is directly banned.

Re:

[ctilsie242]

If I have to have an IoT device, there are precautions you can take. The best precaution is not to buy the device in the first place, or if it is a device like a smart TV, if it requires an internet connection to function, or it puts up a EULA, the TV goes back in the box and gets returned.

1: Put it on its own VLAN, with its own internal IP space and different NAT. If you use 192.168, chuck it in a 172.16.x.x subnet, or a 10.x.x.x subnet. Hell, make the IP space 9.x.x.x, so the device thinks it is in so

Re:

[Calydor]

Get it started up before you get home, perhaps?

Re:

[Anonymous Coward]

> Hot tubs can take days to heat up

If it takes more than 12 hours, it's either defective or large enough for 20 people!

Re:

[Ol Olsoc]

No. Hot tubs can take days to heat up, you'd turn it up before you left your house. It's more efficient to keep it at constant temp than to raise and lower it anyhow.

Everything you said is 100% wrong. Yes, i would like fries with that, Skippy.

I have had spas since the mid 1990's, and only the earliest would use that abominable thermal cycling. The manufacturer even suggested that I set it and forget it on my latest tub. Constant thermal cycling of a water appliance like a spa isn't a good idea anyhow, from the standpoint of expansion and contraction of components.

As well, modern spas that aren't cheap hold their temps well. In the winter, our new outside tub will only drop maybe 4 degrees F over a 12 hour period as long as kept closed. Discov

Re:

[DontBeAMoran]

AC is definitely wrong about heating time. I can fill mine with 50 degree F water, start it up, and have it at 104 degrees F in about 6 hours.

... and have 50kg of pasta ready about 2 hours after that?

Re:

[Ol Olsoc]

AC is definitely wrong about heating time. I can fill mine with 50 degree F water, start it up, and have it at 104 degrees F in about 6 hours.

... and have 50kg of pasta ready about 2 hours after that?

Well, Ramen noodles anyhow.

Re:

[ShanghaiBill]

No. Hot tubs can take days to heat up

No they don't. A typical electric hot tub has a 4kw heater and holds 400 gallons. That is about 5F or 3C per hour.

A gas heater is much faster.

Re:

[Applehu Akbar]

No. Hot tubs can take days to heat up, you'd turn it up before you left your house. It's more efficient to keep it at constant temp than to raise and lower it anyhow.

I had a home hot tub in the Eighties. Worst case, with electrical heating, it would take about 4-5 hours to heat up in the winter (lowland urban Arizona). Much faster than that with gas.

That was in the Eighties, but I can see a use case for an IoT hot tub today: an attached webcam that streams all activity to an escrowed server at your lawyer's office. Then if some PoundMeTooer accuses you of creepy behavior, you have video proof or what actually happened.

Re:

[Ol Olsoc]

Get it started up before you get home, perhaps?

Nah. My original hot tub did that, and it was a major pain in the ass. You had to plan a time that you were going into it, and if the weather was going to be bad at 10 p.m., so you thought it might be nice to go in at 7, it wasn't going to be warm enough.

My present tub is really well insulated, and we keep it at a constant 104 degrees F. The UV bacteria control needs to cycle regularly as well. Just set the control panel with the mode, no need to have it exposed on the internet.

About the only reason

Not for me thanks

[AndyKron]

Why the hell does a hot tub need blue tooth and GPS data? Answer: They don't.

Re:

[Anonymous Coward]

I'd rather mine have a TPS (Temporal Positioning System) for when my buddies want to do some time travelling.

Re:

[DontBeAMoran]

https://www.imdb.com/title/tt1... [imdb.com]

Re:

[R3d M3rcury]

Well, it depends...

I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.

Re:

[spire3661]

All Jacuzzis are hot tubs, not all hot tubs are Jacuzzis.

Re:

[Ol Olsoc]

Well, it depends...

I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.

Modern spas do much better when turned on, set the temp, and leave it there. About the only time to change that is if you are going away for a few weeks, then at least on my spa, you walk over, activate the control panel, and turn the temperature down.

Years ago, like the 1990's they suggested cycling the temperature. Didn't work all that great for the equipment, and you had to decide when you were setting up the cycling programming when you were going into the tub. Meh. That turned out to really suck. G

Re:

[ShanghaiBill]

Why the hell does a hot tub need blue tooth and GPS data?

Because if you can turn it on remotely, from work or wherever, only on the days you decide to use it, then you don't need to leave it on all the time. This saves money and reduces CO2 emissions.

A remotely controlled hot tub is a sensible convenience. It just needs to be done securely.

to go back in time

[Joe_Dragon]

just don't put the date in the temp field

Reminds me of Dilbert skit

[Anonymous Coward]

Dilbert: Good morning, shower!
        Automated Shower Machine: Good morning, Dilbert!
        Dogbert: Hmm, don't you do enough engineering at work?
        Dilbert: Work is just meetings, this is engineering. If this works, someday all showers will be voice activated.
        Dogbert [sitting on a stool]: Is it that hard to turn the knobs?
        Dilbert: It's not that it's hard, it's unnecessary. [To ASM] 99, please.
        ASM: 99. [shower turns on at 99 degrees; Dilbert steps inside]
        Dogbert [aside]: 400.
        [The ASM does nothing]
        Dilbert: Heh-heh, nice try. But the shower is calibrated to respond to my voice only.
        Dogbert: Why, you think of everything!
        Dilbert: I'm cautious.
        Dogbert: That's why you had training wheels on your bike until you were 17.
        Dilbert: I was 14.
        ASM: 14. [makes the shower temperature 14 degrees]
        Dilbert: AAAAAAAAHHHHHHHH! [is frozen in a block of ice] 99! 99! 99! [shower goes back to 99 degrees, as the ice melts] Don't do that!
        Dogbert: Where'd you get the voice for that thing? It sounds like the voice for that stupid movie; what was it called, "something, something, a Space Odyssey"?
        Dilbert: It wasn't "Something, something, a Space Odyssey", it was "2001: A Spa-" [cut to the exterior of the house, as the ASM evidently makes the shower temperature 2001 degrees] AAAAAAAAGGGGGGHHHHH!!!
        [back inside, a red-skinned Dilbert wraps a towel around himself, which then catches on fire as he walks off-screen]
        Dogbert: On the plus-side, you look very clean.

Re:

[Applehu Akbar]

I'm afraid I can't install that, Dave.

Not the hack I’m looking for

[93 Escort Wagon]

So where’s the hack that turns the Hot Tub into a Time Machine?

IoT obsession!

[grumpy-cowboy]

I work in IT for 23 years now and I don't understand this obsession with IoT !
Are you to lazy to turn off your lights yourself? To use a simple programmable
thermostat? You really want to bug your home with a Google Home/Amazon Alexa/...
or any other IoT gadget "du jour" to be spied on 24/7? Yes I have a cell phone.
This is the only "connected" device I have. Not a single IoT device will ever
enter in my house.

On the next IoT devices hack, the next state-sponsored privacy invasion scandal
or the next Amazon/Google/Nest/... and now Hot Tub manufacturers (WTF!!) leaks
all private data collected by their connected devices, I'll open a bag of
popcorn and watch it from my "not so cool" analog but peaceful life. :)

Re:

[Anonymous Coward]

I work in IT for 23 years now and I don't understand this obsession with IoT !

Q.E.D.

Nor, it seems, do you understand proportional fonts.

Re:IoT obsession!

[fredrated]

Old-time programmers like me don't like proportional fonts, we like to have columns line up as an additional check on code accuracy.

Re:

[Anonymous Coward]

Totally agree, when writing code. When communicating, proportional fonts were de rigueur in the 11th century with the invention of moveable type. Since then, using monospaced fonts degrades written, non-code communication.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Strider-]

I'm in IT for 35 years now and I can't agree more. What's this obsession with IoT? It's totally ludicrous. It's the Internet of Trouble.

On the other hand it can be quite helpful of done right. Computers are very good at monitoring things and doing consistently for long periods of time. I work with an organization that operates a camp in the wilderness. We've instrumented or walk in freezers and refrigerators so that they alarm and/or email us if the temperatures go out of whack (or the refrigeration units fail), we've put in flood detection systems in the basements of buildings that aren't used in the winter, freeze detection in sensitive p

Re:

[grumpy_old_grandpa]

> I don't get why more /.'s are not making their own.

I'd guess it's because most "IT people" really aren't that much into technology.

Forget about hobby electronics. Most software engineers I've worked with use the pre-installed OS on their pre-built computer. Maybe they'll change the desktop background.

Re:

[Applehu Akbar]

I run a houseful of IoT sensors The app will bing a notification on my phone if something leaks or catches fire. All of the information flows one way, though. I'm not currently using the system to control anything.

Re:

[ShanghaiBill]

I'm in IT for 35 years now and I can't agree more!

So one geezer agreed with another that new fangled stuff is unnecessary, and we should go back to the good ole' days of floppies and dot-matrix printers.

Also, "being in IT" does not make you an expert on the convenience of the design of interfaces to household appliances. If anything, it should disqualify you.

Re:

[gweihir]

It is not actually an obsession with IoT, but something far darker: It is an obsession with money and any demented hype is good enough to make it.

Re:

[sad_]

and we know that, no matter how we try, there will always be security holes. why would you want to take any risks in that?
and let's not go down the path of software going obsolete, why wants to replace his fridge, tv, bath, lights, ... each time the app is no longer supported and stops working or the protocol is no longer supported, etc. etc.
also everything is easy to understand now, put some connected systems in the mix and enjoy troubleshooting why your light wont turn on when the fridge detects you're ru

Do these things have a built-in camara

[fredrated]

we can hack?

Re:

[Ol Olsoc]

imagine the meyhem LOL

Ask and ye shall receive! http://www.therabbitvibrator.c... [therabbitvibrator.com]

Simple Solution

[spaceman375]

The only problem I see with all these IoT devices is that they insist on internet access. If it isn't online, it can't be remotely hacked. You don't need security updates if it isn't able to reach, or be reached by, the internet. Oh, you want to run it remotely yourself, say from work or while on vacation? Fine. ever hear of a VPN? I have lights, plugs, and various other devices that I firewalled off from anywhere but my local net. I can control any of them from anywhere I have internet access, just by firs

Good.

[bjwest]

If you're stupid enough to buy a hot tub and connect it to the internet, you deserve to be boiled alive. WHY IN THE FUCK would anyone need this kind of shit?!?

And the reason your hot tub's 'Net-connected is?

[whitroth]

You're going to get into it. You walk out, and turn it up that morning.

But you really, really want some 16-yr-old idiot who thinks he's k3wl to turn it off, or turn it to parboil, right?

As the lady wrote, the IGCIT (pronounced id-jit), the Internet of Gratuitously Connected Insecure Things.