A British security group has uncovered a way to hack hot tubs via an app that included no authentication.
Buckinghamshire-based Pen Test Partners said the lack of security meant that roughly 26,000 hot tubs around the world could be controlled remotely by anyone who cared to carry out a search on a hacking database called wigle.net.
The database includes geolocation data that allows anyone to look up where a device is physically located.
Hackers could control the tubs from anywhere in the world over the internet, or by connecting to the Wi-Fi access point of a local tub after stationing themselves nearby.
The tubs’ temperature could be remotely altered and the water pumps could be turned on and off.
“Blowers are also only turned on when someone is in the tub, so the hacker can figure out if you’re in the tub at the time. Creepy,” Munro wrote.
The researchers said cloud service iDigi, which controls the tubs, also controls smart healthcare appliances, and that similar issues were endemic in the market for internet-connected consumer devices.
“Consumer IoT (Internet of Things) security is not in a good place,” said founder Ken Munro in a blog post. “These findings underline that.”
Balboa Water Group, which makes the tubs in question, did not respond after being contacted by the researchers, but told the BBC it had chosen not to include authentication with the smartphone hot tub control app for ease of use.
The company said it was working with more than 1,000 tub owners in the UK and others elsewhere to add authentication to the app.
Munro said if users were concerned about the issue they shouldn’t use the remote control function until Balboa has updated the app, which it expects to do by the end of February.
He said that it could remain possible for hackers to log into the tub’s Wi-Fi network from nearby unless the Wi-Fi module was physically removed.
Munro added that many Christmas gifts are likely to include unsecured internet-based features, and recommended that users change any default passwords their devices may have.