Hot Tub Hack Reveals Washed-up Security Protection (bbc.com)
Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.
Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."
IoT - the rush for every manufacturer to strap a computer to their thing and connect it to the internet and their walled garden platform.
IoT guys need to get together with open standards and push for things like OTA updates and security reviewed libraries. In their rush to create walled gardens, they are creating an oasis of hacks just waiting to be found.
How bad is it? Much worse than you think. Think of protocols that are sort of standard. No encryption. No authentication. Nothing. Then go hang that out on the internet behind a password page using state of the art tech from 1995 (if you're lucky). Then even *if* there is some sort of security update thing, it is for maybe 1-2 years. So suddenly my 2k in outlay for hardware hubs and repeaters is useless because it is already at EOL. I own a 'smart TV' from 2009. None of the smart features work anymore. The TV is just fine though.
Why the hell does a hot tub need Bluetooth and GPS data? Answer: They don't.