Security flaws in internet-connected hot tubs exposed owners’ personal data

A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to the personal data of every hot tub owner.

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

The main concern is their name and email being leaked,” Zveare told TechCrunch, adding that attackers could also potentially heat up someone else’s hot tub or change the filtration cycles. “That would make things unpleasant the next time the person checked their tub,” he said. “But I don’t think there is anything truly dangerous that could have been done — you have to do all chemicals by hand.

Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and ThermoSpas.

Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.

Zveare contacted Jacuzzi to alert them to the vulnerabilities, beginning with an initial notification just hours after discovering the flaws on December 3. Zveare received a response asking for more details three days later. But after one month of no further communication, Zveare enlisted the help of Auth0, which reached out to Jacuzzi and got it to shut down the vulnerable SmartTub admin panel. The second admin panel was eventually fixed on June 4, despite no formal acknowledgement from Jacuzzi that they have addressed the issues.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare. “Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgment they have addressed all reported issues.”

As noted by Zveare, Jacuzzi is incorporated in California, which has data breach notification and Internet of Things security laws. The latter requires manufacturers of connected devices to include “reasonable security feature[s]” in all such devices sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet.

TechCrunch contacted Jacuzzi for comment, but the company did not respond.