[German]Jacuzzi whirlpools are also widespread. Some models are equipped with a SMARTTUB® system and can be managed remotely via smartphone (Android, iPhone). A user who had bought such a model wondered about an error in the access management portal during commissioning. During his investigation, he came across a vulnerability that revealed the access data of other users. The manufacturer's response to a report was anything but exhilarating.
Advertising
Jacuzzi® is considered the inventor of the whirlpool and its products are offered worldwide. Some whirlpools has a feature called SmartTub(TM). Remote monitoring of the JACUZZI® WHIRLPOOL is possible via smartphone. The following screenshot shows the manufacturer's statements regarding these functions.
Sounds good, and it remains to be hoped that this IoT environment is safe for customers.
Surprise for owners
I became aware of the situation via the following tweet from Catalin Cimpanu. A Twitter user with the handle @XeEaton had ordered a Jacuzzi® hot tub and also ordered the SmartTub(TM) option there.
Advertising
When he went to put the device into operation, he got an unpleasant surprise, as he reports in this tweet and in the post Hacking into the worldwide Jacuzzi SmartTub networ. After assembly and pairing/activation by the dealer, he created an account with the app in question and started playing around with it. He added the account password to the password manager and checked which website/URL to associate with it. The account confirmation email came from smarttub.io, so he used that site.
He then went to the smarttub.io and tried to log in there. SmartTub uses Auth0 for its login and user account system. When he tried to log in, he was rejected with an "Unauthorized" message. But just before that error message, a table flashed up along with a header line that immediately disappeared before he could read it. So he used a screen recorder to record the pages that appeared. The man was quite surprised when he realized that it was an administrative console. This was according to the screenshot in the above tweet filled with user data of the owners, which was a HotTub(TM).
A look at the data showed that there was information for several brands – not just from the US. There are some @jacuzzi.eu emails and one @hotmail.co.uk email. That alone would be a violation of the GDPR (and also California's privacy laws). With a bit of searching in the source code, he was able to access the admin portal of the management console and log in. He then had access to the entire inventory of registered SmartTub(TM) accounts. He could see the owners and even revoke their ownership. Moreover, he gained further access to another administrator account and was even able to view production data – the whole thing was poorly secured.
He reported the security issue to the manufacturer on December 3, 2021, but there was no response. The owner tried to notify the manufacturer by email on other days, but had no success. He even tried to involve Auth0 support in the case, since Jacuzzi uses their authentication – but again, no success. To date, it seems he has not heard back from the vendor, but noted that the second administrator account has been secured silently in the meantime. Then, on June 20, 2022, he disclosed the details in the post Hacking into the worldwide Jacuzzi SmartTub network. The incident again shows that many manufacturers have a very poor grip on their IoT stories and customer portals. The problem is that tips are then not acted upon.
Advertising
Yes thank very much