Hot Tub Hack Reveals Washed-up Security Protection (bbc.com) 69

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."

  • IoT (Score:3, Insightful)

    by Anonymous Coward on Tuesday December 25, 2018 @02:29PM (#57858224)

    IoT - the rush for every manufacturer to strap a computer to their thing and connect it to the internet and their walled garden platform.

    IoT guys need to get together with open standards and push for things like OTA updates and security reviewed libraries. In their rush to create walled gardens, they are creating an oasis of hacks just waiting to be found.

    How bad is it? Much worse than you think. Think of protocols that are sort of standard. No encryption. No authentication. Nothing. Then go hang that out on the internet behind a password page using state of the art tech from 1995 (if you're lucky). Then even *if* there is some sort of security update thing, it is for maybe 1-2 years. So suddenly my 2k in outlay for hardware hubs and repeaters is useless because it is already at EOL. I own a 'smart TV' from 2009. None of the smart features work anymore. The TV is just fine though.

    • Re:IoT (Score:5, Insightful)

      by ctilsie242 ( 4841247 ) on Tuesday December 25, 2018 @04:04PM (#57858614)

      As someone who has worked for an IoT company, a lot of companies actually build in insecurity:

      1: If there is a major show stopper that hits customers, causing lawsuits, the top brass shorts their stock the day before the announcements. They laugh all the way to the bank.

      2: Unfixable security issues force customers to re-buy everything. The more issues that are unpatchable, the more revenue an IoT provider gets. Especially if the IoT devices are designed to be resistant to "jailbreaking", so they can't be patched via third parties.

      3: IoT devices sending up a constant telemetry stream can make more cash than the device itself, especially to advertisers.

      Want to know how to have IoT devices have a lot better security? Not hard:

      1: Have a dedicated IoT firewall hub. This hub only allows communication as per signed manifest files. This way, if a device only communicates via HTTPS to a load balancer for updates, and suddenly starts phoning home to Lower Elbonia, that will be blocked. Of course, a lot of IoT providers will just do 0.0.0.0/255.255.255.255 for a netmask of permissive sites, but that will be a cause of public humiliation.

      2: Have the IoT firewall hub communicate in an offline state, similar to UUCP forwarding. That way, the IoT hub grabs updates and makes them available for devices. Since there is no direct access to the devices, it becomes difficult to attack them without physical access.

      3: Have something similar to UL, or Sold Secure, where devices get tested by an independent group and given a certification that they passed white box, black box, and other security attempts.

      • With your third option to have something like UL to check devices, don't you think companies would game the system just like some car companies did with emissions testing? (It wasn't just VW.) They'd send in a test system that didn't do the bad behaviours that were being checked for. Once they got the approval to sell the device they'd make sure the behaviour was turned on again and ship. Or have some way of detecting that the testing was being performed.

        • No. For cars, it makes sense to send a "clean" car for emissions testing, and then sell a "dirty but efficient" car to the public. That way the regulators see low emissions, the customers get good mileage, and everyone is happy.

          For IoT security, this makes no sense. It is only more expensive to design good security. Once you have it, it would make no sense to put in only the test unit. Since software has zero marginal cost, why not deploy it in every unit sold?

  • Not for me thanks (Score:5, Insightful)

    by AndyKron ( 937105 ) on Tuesday December 25, 2018 @02:45PM (#57858270)
    Why the hell does a hot tub need Bluetooth and GPS data? Answer: They don't.
    • by Anonymous Coward

      I'd rather mine have a TPS (Temporal Positioning System) for when my buddies want to do some time travelling.

    • Well, it depends...

      I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.

      • > Well, it depends...
        >
        > I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.

        Modern spas do much better when turned on, set the temp, and leave it there. About the only time to change that is if you are going away for a few weeks, then at least on my spa, you walk over, activate the control panel, and turn the temperature down.

        Years ago, like the 1990's they suggested cycling the temperature. Didn't work all that great for the equipment, and you had to decide when you were setting up the cycling programming when you were going into the tub. Meh. That turned out to really suck. G

    • > Why the hell does a hot tub need Bluetooth and GPS data?

      Because if you can turn it on remotely, from work or wherever, only on the days you decide to use it, then you don't need to leave it on all the time. This saves money and reduces CO2 emissions.

      A remotely controlled hot tub is a sensible convenience. It just needs to be done securely.

    • just don't put the date in the temp field

  • by Anonymous Coward on Tuesday December 25, 2018 @03:09PM (#57858360)

    Dilbert: Good morning, shower!
    Automated Shower Machine: Good morning, Dilbert!
    Dogbert: Hmm, don't you do enough engineering at work?
    Dilbert: Work is just meetings, this is engineering. If this works, someday all showers will be voice activated.
    Dogbert [sitting on a stool]: Is it that hard to turn the knobs?
    Dilbert: It's not that it's hard, it's unnecessary. [To ASM] 99, please.
    ASM: 99. [shower turns on at 99 degrees; Dilbert steps inside]
    Dogbert [aside]: 400.
    [The ASM does nothing]
    Dilbert: Heh-heh, nice try. But the shower is calibrated to respond to my voice only.
    Dogbert: Why, you think of everything!
    Dilbert: I'm cautious.
    Dogbert: That's why you had training wheels on your bike until you were 17.
    Dilbert: I was 14.
    ASM: 14. [makes the shower temperature 14 degrees]
    Dilbert: AAAAAAAAHHHHHHHH! [is frozen in a block of ice] 99! 99! 99! [shower goes back to 99 degrees, as the ice melts] Don't do that!
    Dogbert: Where'd you get the voice for that thing? It sounds like the voice for that stupid movie; what was it called, "something, something, a Space Odyssey"?
    Dilbert: It wasn't "Something, something, a Space Odyssey", it was "2001: A Spa-" [cut to the exterior of the house, as the ASM evidently makes the shower temperature 2001 degrees] AAAAAAAAGGGGGGHHHHH!!!
    [back inside, a red-skinned Dilbert wraps a towel around himself, which then catches on fire as he walks off-screen]
    Dogbert: On the plus-side, you look very clean.

  • by 93 Escort Wagon ( 326346 ) on Tuesday December 25, 2018 @03:36PM (#57858500)

    So where’s the hack that turns the Hot Tub into a Time Machine?

  • by grumpy-cowboy ( 4342983 ) on Tuesday December 25, 2018 @03:47PM (#57858538)
    I work in IT for 23 years now and I don't understand this obsession with IoT !
    Are you too lazy to turn off your lights yourself? To use a simple programmable
    thermostat? You really want to bug your home with a Google Home/Amazon Alexa/...
    or any other IoT gadget "du jour" to be spied on 24/7? Yes I have a cell phone.
    This is the only "connected" device I have. Not a single IoT device will ever
    enter in my house.

    On the next IoT devices hack, the next state-sponsored privacy invasion scandal
    or the next Amazon/Google/Nest/... and now Hot Tub manufacturers (WTF!!) leaks
    all private data collected by their connected devices, I'll open a bag of
    popcorn and watch it from my "not so cool" analog but peaceful life. :)

    • by Anonymous Coward

      > I work in IT for 23 years now and I don't understand this obsession with IoT !

      Q.E.D.

      Nor, it seems, do you understand proportional fonts.

      • Re:IoT obsession! (Score:4, Informative)

        by fredrated ( 639554 ) on Tuesday December 25, 2018 @04:18PM (#57858654) Journal

        Old-time programmers like me don't like proportional fonts, we like to have columns line up as an additional check on code accuracy.

        • by Anonymous Coward

          Totally agree, when writing code. When communicating, proportional fonts were de rigueur in the 11th century with the invention of moveable type. Since then, using monospaced fonts degrades written, non-code communication.

    • by account_deleted ( 4530225 ) on Tuesday December 25, 2018 @04:20PM (#57858660)
      Comment removed based on user account deletion
      • by Strider- ( 39683 )

        I'm in IT for 35 years now and I can't agree more. What's this obsession with IoT? It's totally ludicrous. It's the Internet of Trouble.

        On the other hand it can be quite helpful if done right. Computers are very good at monitoring things and doing so consistently for long periods of time. I work with an organization that operates a camp in the wilderness. We've instrumented our walk-in freezers and refrigerators so that they alarm and/or email us if the temperatures go out of whack (or the refrigeration units fail), we've put in flood detection systems in the basements of buildings that aren't used in the winter, freeze detection in sensitive p

        • > I don't get why more /.'s are not making their own.

          I'd guess it's because most "IT people" really aren't that much into technology.

          Forget about hobby electronics. Most software engineers I've worked with use the pre-installed OS on their pre-built computer. Maybe they'll change the desktop background.

      • I run a houseful of IoT sensors. The app will bing a notification on my phone if something leaks or catches fire. All of the information flows one way, though. I'm not currently using the system to control anything.

      • > I'm in IT for 35 years now and I can't agree more!

        So one geezer agreed with another that new fangled stuff is unnecessary, and we should go back to the good ole' days of floppies and dot-matrix printers.

        Also, "being in IT" does not make you an expert on the convenience of the design of interfaces to household appliances. If anything, it should disqualify you.

    • by gweihir ( 88907 )

      It is not actually an obsession with IoT, but something far darker: It is an obsession with money and any demented hype is good enough to make it.

    • by sad_ ( 7868 )

      And we know that, no matter how we try, there will always be security holes. Why would you want to take any risks in that?
      And let's not go down the path of software going obsolete. Who wants to replace his fridge, TV, bath, lights, ... each time the app is no longer supported and stops working or the protocol is no longer supported, etc. etc.
      Also, everything is easy to understand now; put some connected systems in the mix and enjoy troubleshooting why your light won't turn on when the fridge detects you're ru

  • The only problem I see with all these IoT devices is that they insist on internet access. If it isn't online, it can't be remotely hacked. You don't need security updates if it isn't able to reach, or be reached by, the internet. Oh, you want to run it remotely yourself, say from work or while on vacation? Fine. Ever hear of a VPN? I have lights, plugs, and various other devices that I firewalled off from anywhere but my local net. I can control any of them from anywhere I have internet access, just by firs
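The egress policy that ctilsie242's "IoT firewall hub" (allow only what a signed manifest permits, and flag the 0.0.0.0 catch-all) and the comment above (keep devices off the internet, reach them over a local VPN) both describe, as an added Python example. This is not code from Balboa, Pen Test Partners or any commenter: the manifest format, the LAN prefix, the addresses, the connection attempts and the HMAC signing key are all constructed for the example, and a real hub would verify a vendor public-key signature rather than a shared HMAC key.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed values: the hub's LAN segment and the key shared with the manifest
# signer. HMAC keeps the example stdlib-only; a deployed hub would check a
# vendor public-key signature (e.g. Ed25519) over the manifest instead.
LAN = ipaddress.ip_network("192.168.1.0/24")
SIGNING_KEY = b"example-manifest-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body: dict) -> dict:
    """Wrap a manifest body with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_manifest(signed: dict):
    """Return the manifest body if the tag verifies, otherwise None."""
    expected = hmac.new(SIGNING_KEY, _canonical(signed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("sig", "")):
        return None
    return signed["body"]


def audit_manifest(body: dict) -> list:
    """Flag allow rules so wide they amount to 'any destination' (the
    0.0.0.0 catch-all the comment warns about); /8 or wider is over-broad."""
    findings = []
    for rule in body["allow"]:
        net = ipaddress.ip_network(rule["dst"], strict=False)
        if net.prefixlen <= 8:
            findings.append(f"{body['device']}: over-broad destination {net}")
    return findings


def egress_allowed(body, dst_ip: str, dst_port: int) -> bool:
    """Default-deny egress. LAN destinations are always reachable (that is
    where a VPN endpoint for the owner's remote use would live); anything
    else must match a rule from a verified manifest by CIDR and port."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in LAN:
        return True
    if body is None:  # unsigned or tampered manifest: no internet access at all
        return False
    return any(
        ip in ipaddress.ip_network(r["dst"], strict=False) and dst_port == r["port"]
        for r in body["allow"]
    )


def evaluate(signed: dict, attempts: list) -> dict:
    """Map each (dst_ip, dst_port) attempt to 'allow' or 'deny'."""
    body = verify_manifest(signed)
    return {f"{ip}:{port}": ("allow" if egress_allowed(body, ip, port) else "deny")
            for ip, port in attempts}


# Constructed manifest: the tub controller may only reach the vendor's update
# load balancer (TEST-NET-3 addresses stand in for it) over HTTPS.
GOOD = sign_manifest({"device": "tub-controller",
                      "allow": [{"dst": "203.0.113.0/24", "port": 443}]})
# Constructed 'permissive' manifest of the kind the comment warns about.
WIDE_OPEN = sign_manifest({"device": "tub-controller",
                           "allow": [{"dst": "0.0.0.0/0", "port": 443}]})
# Constructed tampered copy: body edited after signing, tag no longer matches.
TAMPERED = {"body": {"device": "tub-controller",
                     "allow": [{"dst": "198.51.100.0/24", "port": 443}]},
            "sig": GOOD["sig"]}

# Constructed connection attempts from the tub controller.
ATTEMPTS = [("203.0.113.7", 443),   # vendor update endpoint
            ("198.51.100.9", 443),  # unexpected 'phone home' destination
            ("192.168.1.1", 1194),  # LAN VPN endpoint for the owner's remote use
            ("203.0.113.7", 80)]    # right host, wrong port

if __name__ == "__main__":
    print(evaluate(GOOD, ATTEMPTS))
    print(audit_manifest(WIDE_OPEN["body"]))
    print(evaluate(TAMPERED, ATTEMPTS))
```

With the good manifest only the update endpoint and the LAN VPN endpoint pass; with the tampered manifest the device keeps LAN access and nothing else, which is the "offline hub" posture the thread argues for.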

  • by bjwest ( 14070 )
    If you're stupid enough to buy a hot tub and connect it to the internet, you deserve to be boiled alive. WHY IN THE FUCK would anyone need this kind of shit?!?
  • You're going to get into it. You walk out, and turn it up that morning.

    But you really, really want some 16-yr-old idiot who thinks he's k3wl to turn it off, or turn it to parboil, right?

    As the lady wrote, the IGCIT (pronounced id-jit), the Internet of Gratuitously Connected Insecure Things.
