Tens of thousands of hot tubs are exposed to hack

Experts from security firm Pen Test Partners reported that tens of thousands of hot tubs are currently vulnerable to cyber attacks.

Security experts at Pen Test Partners have discovered thousands of connected hot tubs vulnerable to remote cyber attacks. The hot tubs could be remotely controlled by an app, dubbed Balboa Water App, that lack of authentication mechanisms.

“The mobile app connects to a Wi-Fi access point on the tub. We bought a few spares for research” reads the analysis published by Pen Test Partners..

“Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API.”

Experts reported that tens of thousands of hot tubs are currently vulnerable to cyber attacks.

The researchers were able to search for vulnerable hot tubs using the wigle.net database, they located several devices that were in AP mode.

The unprotected devices can be easily hacked because the AP is open and no PSK is used. An attacker could hack into the hot tubs in the nearby or remotely.

An attacker can remotely control the heat of the hot tubs causing severe problems to the owners.

“it’s easy to turn your temperature down so your tub becomes unusable. It’s also easy to heat it continuously, wasting electricity.” continues the experts.

“Blowers are also only turned on when someone is in the tub, so the hacker can figure out if you’re in the tub at the time. Creepy.”

Pen Test Partners reported the issue to Balboa Water Group on 28^th November, asking for an acknowledgement to responsibly disclose it. Unfortunately, they received no reply We had no reply.

The experts reported the flaw to the BBC, then Balboa Water Group responded to the broadcaster that in 5 years none of the users have complained so far.

“BWG told the BBC that it had been “surprised” to learn of the flaw as its app had been available for five years during which users had not reported any problems.” reported the BBC.

“It said it was working with more than 1,000 owners in the UK and others globally to set up a system of individual usernames and passwords to secure the online controls. It said it had previously opted not to do so because it had wanted to “allow for simple and easy use and activation” by homeowners.”A

Researchers pointed out that the cloud service used to manage the tubs, iDigi, also manages the control of other smart devices, including healthcare appliances. Unfortunately, similar problems were observed also for these devices.

The manufacturer Balboa Water Group plans to release an update by the end of February, meantime the owners of hot tubs are recommended to disable any remote control function.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IoT, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]