In what may go down in history as one of the most bizarre hacks in recent memory, a researcher has succeeded in hacking into the backend of a number of Jacuzzi smart hot tubs.
EatonWorks, a security research company, found a number of security flaws in their own SmartTub and chose to investigate them.
The SmartHome hub can manage temperature and other features of your tub from a distance using a smartphone. This is the same easy selling point that comes with all internet of things (IoT) gadgets.
Eaton initially became aware that there was an issue with their SmartTub when they attempted to log in to one of the service’s websites by employing a password manager. They were on the incorrect website, and he received a screen indicating that he was not permitted to enter the site.
Smart jacuzzis hacked https://t.co/7J1hwSBKHY https://t.co/hx4oGpPERC
— Boing Boing (@BoingBoing) June 21, 2022
Eaton stated on his blog that immediately before that message appeared, he noticed a header and table momentarily flash on his screen. “If you blinked, you would have missed it. In order to film it, I had to resort to using a screen recorder”. It came as a shock to Eaton that it was an administrative panel that contained data from users. A quick glance at the data reveals that there is information for numerous brands and not just those that are sold in the United States.
Vice had more on the eye-raising story:
"*" indicates required fields
Then Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user. They were in, and could see a wealth of information about Jacuzzi owners from around the world. “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “Please note that no operations were attempted that would actually change any data. Therefore, it’s unknown if any changes would actually save. I assumed they would, so I navigated carefully.”
Eaton told Motherboard this was all pretty easy. “Compared to a lot of other things I have done, this was easy,” they told Motherboard in an email. “I do a lot of stuff with console mods, and my most recent release there was a patch/hack to upgrade Xbox 360’s USB support. That was much more difficult than just downloading a JS file and changing a few lines.”
If hackers are able to access Jacuzzi worldwide how much more can terrorist organizations be able to hack into electronics within hospitals, schools, and just like in the movie cars.
Always be careful when sharing your personal info with your hot tub. https://t.co/rCWry3jy1z
— Motherboard (@motherboard) June 21, 2022
Hollywood production movies have been big on hacking movies in the last decade and most of the movies they produce are closer to reality than we think. The last Fast and Furious movie depicted a scene of thousands of cars being hacked in NYC and wreaking major havoc. Take a look:
A teenager from Germany has already reportedly hacked into 25 Teslas so it appears the movies we watch aren’t really based on imagination at this point but really our reality waiting to happen.