Hot Tub Hack Reveals Washed-up Security Protection (bbc.com)

← Back to Stories (view on slashdot.org)

Hot Tub Hack Reveals Washed-up Security Protection (bbc.com)

Posted by msmash on Tuesday December 25, 2018 @07:10AM from the security-woes dept.

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."

41 of 69 comments (clear)

Min score:

Reason:

Sort:

IoT by Anonymous Coward · 2018-12-25 07:29 · Score: 3, Insightful

IoT - the rush for every manufacture to strap a computer to their thing and connect it to the internet and their walled garden platform.
IoT guys need to get together with open standards and push for things like OTA updates and security reviewed libraries. In their rush to create walled gardens. They are creating an oasis of hacks just waiting to be found.
How bad is it? Much worse then you think. Think of protocols that are sort of standard. No encryption. No authentication. Nothing. Then go hang that out on the internet behind a password page using state of the art tech from 1995 (if your lucky). Then even *if* there is some sort of security update thing. It is for maybe 1-2 years. So suddenly my 2k in outlay for hardware hubs and repeaters is useless because it is already at EOL. I own a 'smart TV' from 2009. None of the smart features work anymore. The TV is just fine though.
1. Re:IoT by ctilsie242 · 2018-12-25 09:04 · Score: 4, Insightful
  
  As someone who has worked for an IoT company, a lot of companies actually build in insecurity:
  1: If there is a major show stopper that hits customers, causing lawsuits, the top brass shorts their stock the day before the announcements. They laugh all the way to the bank.
  2: Unfixable security issues force customers to re-buy everything. The more issues that are unpatchable, the more revenue an IoT provider gets. Especially if the IoT devices are designed to be resistant to "jailbreaking", so they can't be patched via third parties.
  3: IoT devices sending up a constant telemetry stream can make more cash than the device itself, especially to advertisers.
  Want to know how to have IoT devices have a lot better security? Not hard:
  1: Have a dedicated IoT firewall hub. This hub only allows communication as per signed manifest files. This way, if a device only communicates via HTTPS to a load balancer for updates, and suddenly starts phoning home to Lower Elbonia, that will be blocked. Of course, a lot of IoT providers will just do 0.0.0.0/255.255.255.255 for a netmask of permissive sites, but will be a cause of public humilation.
  2: Have the IoT firewall hub communicate in an offline state, similar to UUCP forwarding. That way, the IoT hub grabs updates and offers them available for devices. Since there is no direct access to the devices, it becomes difficult to attack them without physical access.
  3: Have something similar to UL, or Sold Secure, where devices get tested by an independent group and given a certification that they passed white box, black box, and other security attempts.
2. Re:IoT by CanadianMacFan · 2018-12-25 10:09 · Score: 1
  
  With your third option to have something like UL to check devices don't you think companies would game the system just like some car companies did with emissions testing. (It wasn't just VW.) They'd send in a test system that didn't do the bad behaviours that were being checked for. Once they got the got the approval to sell the device they'd make sure the behaviour was turned on again and ship. Or have some way of detecting that the testing was being performed.
3. Re:IoT by ctilsie242 · 2018-12-25 10:52 · Score: 1
  
  [Citation Needed]. China has things to disparage it, but banning encryption is something I have yet to actually see as a law. I personally prefer having IoT stuff made from other sources than China (the ye old China +1 methodology), but I'd rather aim criticism accurately.
  Of course, in China, any venture on their soil has to be 51% or more owned by a domestic firm, and domestic firms have Chinese government officials on board, but I wouldn't say encryption is directly banned.
4. Re:IoT by ShanghaiBill · 2018-12-25 11:32 · Score: 1
  
  No. For cars, it makes sense to send a "clean" car for emissions testing, and then sell a "dirty but efficient" car to the public. That way the regulators see low emissions, the customers get good milage, and everyone is happy.
  For IoT security, this makes no sense. It is only more expensive to design good security. Once you have it, it would make no sense to put in only the test unit. Since software has zero marginal cost, why not deploy it in every unit sold?
5. Re:IoT by ctilsie242 · 2018-12-25 18:41 · Score: 1
  
  If I have to have an IoT device, there are precautions you can take. The best precaution is not to buy the device in the first place, or if it is a device like a smart TV, if it requires an internet connection to function, or it puts up a EULA, the TV goes back in the box and gets returned.
  1: Put it on its own VLAN, with its own internal IP space and different NAT. If you use 192.168, chuck it in a 172.16.x.x subnet, or a 10.x.x.x subnet. Hell, make the IP space 9.x.x.x, so the device thinks it is in some lab at IBM, as that internal IP doesn't matter to anyone but the device itself, and its masters.
  2: Firewall the living heck out of the VLAN. Geoblock everything. Log what the IoT device tries to communicate with. Does it need to have a constant outgoing tunnel to some site in Lower Elbonia? No, block it. In fact, it might be wise to buy a Raspberry Pi or another ARM based microcontroller and have that handle the ACLs so you can be sure nothing gets in or out that you don't explicitly want.
  3: Ideally, put each device on its separate VLAN with separate ACLs. That, or use the tiny ARM based firewalls with two network ports to handle firewalling on each port. This borders on overkill, but the devices can provide some interesting logs, potentially worth making public.
  4: It might be nice to have the router do a dedicated VPN link out just for that IoT VLAN, just so the IoT devices cannot geo-locate where they are accurately.
Not for me thanks by AndyKron · 2018-12-25 07:45 · Score: 4, Insightful

Why the hell does a hot tub need blue tooth and GPS data? Answer: They don't.
1. Re:Not for me thanks by Anonymous Coward · 2018-12-25 08:02 · Score: 1
  
  I'd rather mine have a TPS (Temporal Positioning System) for when my buddies want to do some time travelling.
2. Re:Not for me thanks by R3d+M3rcury · 2018-12-25 08:08 · Score: 1
  
  Well, it depends...
  I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.
3. Re:Not for me thanks by ShanghaiBill · 2018-12-25 11:45 · Score: 1
  
  Why the hell does a hot tub need blue tooth and GPS data?
  Because if you can turn it on remotely, from work or wherever, only on the days you decide to use it, then you don't need to leave it on all the time. This saves money and reduces CO2 emissions.
  A remotely controlled hot tub is a sensible convenience. It just needs to be done securely.
4. Re:Not for me thanks by Ol+Olsoc · 2018-12-25 12:37 · Score: 2
  
  Well, it depends...
  I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.
  Modern spas do much better when turned on, set the temp, and leave it there. About the only time to change that is if you are going away for a few weeks, then at least on my spa, you walk over, activate the control panel, and turn the temperature down.
  Years ago, like the 1990's they suggested cycling the temperature. Didn't work all that great for the equipment, and you had to decide when you were setting up the cycling programming when you were going into the tub. Meh. That turned out to really suck. Get home from work, and the wife says It's supposed to rain starting arounf 10 this evening, so let's hit the tub at 8:30, okay?
  You don't do that in a thermally cycled spa. Even so, our spa only loses about 4 degrees over a 12 hour period in the cold of winter. It's highly insulated and so is the cover. Manufacturer says set and forget.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
5. Re:Not for me thanks by DontBeAMoran · 2018-12-25 13:14 · Score: 1
  
  https://www.imdb.com/title/tt1...
  
  --
  #DeleteFacebook
6. Re: Not for me thanks by spire3661 · 2018-12-25 18:16 · Score: 1
  
  All Jacuzzis are hot tubs, not all hot tubs are Jacuzzis.
  
  --
  Good-bye
Re:Thank you again, Donald Jay TRUMP! by Known+Nutter · 2018-12-25 07:55 · Score: 1

I switched to -1 looking for this post and was not disappointed.

No mod points at the moment, so, bravo to you, sir! Irregardless of political position, I am happy to have seen this post. I just knew it would be here... and it was! What a time to be alive!

--
Beware of the Leopard.
Reminds me of Dilbert skit by Anonymous Coward · 2018-12-25 08:09 · Score: 5, Funny

Dilbert: Good morning, shower!
Automated Shower Machine: Good morning, Dilbert!
Dogbert: Hmm, don't you do enough engineering at work?
Dilbert: Work is just meetings, this is engineering. If this works, someday all showers will be voice activated.
Dogbert [sitting on a stool]: Is it that hard to turn the knobs?
Dilbert: It's not that it's hard, it's unnecessary. [To ASM] 99, please.
ASM: 99. [shower turns on at 99 degrees; Dilbert steps inside]
Dogbert [aside]: 400.
[The ASM does nothing]
Dilbert: Heh-heh, nice try. But the shower is calibrated to respond to my voice only.
Dogbert: Why, you think of everything!
Dilbert: I'm cautious.
Dogbert: That's why you had training wheels on your bike until you were 17.
Dilbert: I was 14.
ASM: 14. [makes the shower temperature 14 degrees]
Dilbert: AAAAAAAAHHHHHHHH! [is frozen in a block of ice] 99! 99! 99! [shower goes back to 99 degrees, as the ice melts] Don't do that!
Dogbert: Where'd you get the voice for that thing? It sounds like the voice for that stupid movie; what was it called, "something, something, a Space Odyssey"?
Dilbert: It wasn't "Something, something, a Space Odyssey", it was "2001: A Spa-" [cut to the exterior of the house, as the ASM evidently makes the shower temperature 2001 degrees] AAAAAAAAGGGGGGHHHHH!!!
[back inside, a red-skinned Dilbert wraps a towel around himself, which then catches on fire as he walks off-screen]
Dogbert: On the plus-side, you look very clean.
1. Re:Reminds me of Dilbert skit by Applehu+Akbar · 2018-12-25 12:12 · Score: 1
  
  I'm afraid I can't install that, Dave.
Re:What is the use case? by Calydor · 2018-12-25 08:30 · Score: 2

Get it started up before you get home, perhaps?

--
-=This sig has nothing to do with my comment. Move along now=-
Not the hack I’m looking for by 93+Escort+Wagon · 2018-12-25 08:36 · Score: 2

So where’s the hack that turns the Hot Tub into a Time Machine?

--
#DeleteChrome
IoT obsession! by grumpy-cowboy · 2018-12-25 08:47 · Score: 3

I work in IT for 23 years now and I don't understand this obsession with IoT ! Are you to lazy to turn off your lights yourself? To use a simple programmable thermostat? You really want to bug your home with a Google Home/Amazon Alexa/... or any other IoT gadget "du jour" to be spied on 24/7? Yes I have a cell phone. This is the only "connected" device I have. Not a single IoT device will ever enter in my house. On the next IoT devices hack, the next state-sponsored privacy invasion scandal or the next Amazon/Google/Nest/... and now Hot Tub manufacturers (WTF!!) leaks all private data collected by their connected devices, I'll open a bag of popcorn and watch it from my "not so cool" analog but peaceful life. :)

--
Will $CURRENT_YEAR be the year of the Linux Desktop?
1. Re:IoT obsession! by Anonymous Coward · 2018-12-25 08:58 · Score: 1
  
  I work in IT for 23 years now and I don't understand this obsession with IoT !
  
  Q.E.D.
  Nor, it seems, do you understand proportional fonts.
2. Re:IoT obsession! by fredrated · 2018-12-25 09:18 · Score: 3, Informative
  
  Old-time programmers like me don't like proportional fonts, we like to have columns line up as an additional check on code accuracy.
3. Re:IoT obsession! by scsirob · 2018-12-25 09:20 · Score: 3
  
  I'm in IT for 35 years now and I can't agree more. What's this obsession with IoT? It's totally ludicrous. It's the Internet of Trouble.
  I wouldn't be surprised if the Chinese actually make the firmware so crappy on purpose. We are allowing the Chinese to carpet-bomb our society with millions of backdoored, easily hackable connected devices, allowing a coördinated attack on essential infrastructure, and (to stay in the Trump-bash mode), we pay for it ourselves!
  
  --
  To Terminate, or not to Terminate, that's the question - SCSIROB
4. Re:IoT obsession! by Anonymous Coward · 2018-12-25 09:36 · Score: 1
  
  Totally agree, when writing code. When communicating, proportional fonts were de rigueur in the 11th century with the invention of moveable type. Since then, using monospaced fonts degrades written, non-code communication.
5. Re:IoT obsession! by gweihir · 2018-12-25 09:44 · Score: 1
  
  It is not actually an obsession with IoT, but something far darker: It is an obsession with money and any demented hype is good enough to make it.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re:IoT obsession! by Strider- · 2018-12-25 10:29 · Score: 1
  
  I'm in IT for 35 years now and I can't agree more. What's this obsession with IoT? It's totally ludicrous. It's the Internet of Trouble.
  
  On the other hand it can be quite helpful of done right. Computers are very good at monitoring things and doing consistently for long periods of time. I work with an organization that operates a camp in the wilderness. We've instrumented or walk in freezers and refrigerators so that they alarm and/or email us if the temperatures go out of whack (or the refrigeration units fail), we've put in flood detection systems in the basements of buildings that aren't used in the winter, freeze detection in sensitive places and so forth.
  Basically the systems are doing what our staff could do, but often gets neglected. Computers are very good at this.
  That said, none of these systems have access to the outside world and are deliberately segregated onto their own overlay network.
  
  --
  ...si hoc legere nimium eruditionis habes...
7. Re:IoT obsession! by Applehu+Akbar · 2018-12-25 12:16 · Score: 1
  
  I run a houseful of IoT sensors The app will bing a notification on my phone if something leaks or catches fire. All of the information flows one way, though. I'm not currently using the system to control anything.
8. Re:IoT obsession! by grumpy_old_grandpa · 2018-12-25 17:14 · Score: 1
  
  > I don't get why more /.'s are not making their own.
  I'd guess it's because most "IT people" really aren't that much into technology.
  Forget about hobby electronics. Most software engineers I've worked with use the pre-installed OS on their pre-built computer. Maybe they'll change the desktop background.
9. Re:IoT obsession! by sad_ · 2018-12-25 23:56 · Score: 1
  
  and we know that, no matter how we try, there will always be security holes. why would you want to take any risks in that?
  and let's not go down the path of software going obsolete, why wants to replace his fridge, tv, bath, lights, ... each time the app is no longer supported and stops working or the protocol is no longer supported, etc. etc.
  also everything is easy to understand now, put some connected systems in the mix and enjoy troubleshooting why your light wont turn on when the fridge detects you're running low on milk.
  
  --
  On a long enough timeline, the survival rate for everyone drops to zero.
Re: What is the use case? by Anonymous Coward · 2018-12-25 08:51 · Score: 1

> Hot tubs can take days to heat up
If it takes more than 12 hours, it's either defective or large enough for 20 people!
Do these things have a built-in camara by fredrated · 2018-12-25 10:20 · Score: 1

we can hack?
Re: What is the use case? by ShanghaiBill · 2018-12-25 11:41 · Score: 1

No. Hot tubs can take days to heat up
No they don't. A typical electric hot tub has a 4kw heater and holds 400 gallons. That is about 5F or 3C per hour.
A gas heater is much faster.
Re: What is the use case? by Applehu+Akbar · 2018-12-25 12:10 · Score: 1

No. Hot tubs can take days to heat up, you'd turn it up before you left your house. It's more efficient to keep it at constant temp than to raise and lower it anyhow.
I had a home hot tub in the Eighties. Worst case, with electrical heating, it would take about 4-5 hours to heat up in the winter (lowland urban Arizona). Much faster than that with gas.
That was in the Eighties, but I can see a use case for an IoT hot tub today: an attached webcam that streams all activity to an escrowed server at your lawyer's office. Then if some PoundMeTooer accuses you of creepy behavior, you have video proof or what actually happened.
Re:What is the use case? by Ol+Olsoc · 2018-12-25 12:18 · Score: 1

Get it started up before you get home, perhaps?
Nah. My original hot tub did that, and it was a major pain in the ass. You had to plan a time that you were going into it, and if the weather was going to be bad at 10 p.m., so you thought it might be nice to go in at 7, it wasn't going to be warm enough.
My present tub is really well insulated, and we keep it at a constant 104 degrees F. The UV bacteria control needs to cycle regularly as well. Just set the control panel with the mode, no need to have it exposed on the internet.
About the only reason to put the thing on the internet is so that you can brag about it being on the internet.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Re: What is the use case? by Ol+Olsoc · 2018-12-25 12:28 · Score: 1

No. Hot tubs can take days to heat up, you'd turn it up before you left your house. It's more efficient to keep it at constant temp than to raise and lower it anyhow.
Everything you said is 100% wrong. Yes, i would like fries with that, Skippy.
I have had spas since the mid 1990's, and only the earliest would use that abominable thermal cycling. The manufacturer even suggested that I set it and forget it on my latest tub. Constant thermal cycling of a water appliance like a spa isn't a good idea anyhow, from the standpoint of expansion and contraction of components.
As well, modern spas that aren't cheap hold their temps well. In the winter, our new outside tub will only drop maybe 4 degrees F over a 12 hour period as long as kept closed. Discovered this during a power failure.
AC is definitely wrong about heating time. I can fill mine with 50 degree F water, start it up, and have it at 104 degrees F in about 6 hours.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Re:so are there smart dildos by Ol+Olsoc · 2018-12-25 12:41 · Score: 1

imagine the meyhem LOL
Ask and ye shall receive! http://www.therabbitvibrator.c...

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Re: What is the use case? by DontBeAMoran · 2018-12-25 13:13 · Score: 1

AC is definitely wrong about heating time. I can fill mine with 50 degree F water, start it up, and have it at 104 degrees F in about 6 hours.
... and have 50kg of pasta ready about 2 hours after that?

--
#DeleteFacebook
to go back in time by Joe_Dragon · 2018-12-25 14:43 · Score: 1

just don't put the date in the temp field
Simple Solution by spaceman375 · 2018-12-25 15:34 · Score: 1

The only problem I see with all these IoT devices is that they insist on internet access. If it isn't online, it can't be remotely hacked. You don't need security updates if it isn't able to reach, or be reached by, the internet. Oh, you want to run it remotely yourself, say from work or while on vacation? Fine. ever hear of a VPN? I have lights, plugs, and various other devices that I firewalled off from anywhere but my local net. I can control any of them from anywhere I have internet access, just by first joining my personal, private, as secured as I can make it, VPN. Suddenly my phone or laptop are local, and I can reach my devices just fine. One attack surface, not dozens. Yes, "smart" speakers need access to work, fine, they can have it. But a hot tub? My lights? A simple plug? If it won't work without sending my usage and god knows what else back to the manufacturer, I won't buy it.
BTW, TP-Link seems to be able to be local only without a problem. Very little else out there can make that claim, but I'd very much welcome more info on that, be it other brands that can be local only, or any caveat with the TP-Link brand.

--
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Re: What is the use case? by Ol+Olsoc · 2018-12-25 16:34 · Score: 1

AC is definitely wrong about heating time. I can fill mine with 50 degree F water, start it up, and have it at 104 degrees F in about 6 hours.
... and have 50kg of pasta ready about 2 hours after that?
Well, Ramen noodles anyhow.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Good. by bjwest · 2018-12-25 17:35 · Score: 1

If you're stupid enough to buy a hot tub and connect it to the internet, you deserve to be boiled alive. WHY IN THE FUCK would anyone need this kind of shit?!?

--

--- Keep the choice with the user..
And the reason your hot tub's 'Net-connected is? by whitroth · 2018-12-26 05:24 · Score: 1

You're going to get into it. You walk out, and turn it up that morning.
But you really, really want some 16-yr-old idiot who thinks he's k3wl to turn it off, or turn it to parboil, right?
As the lady wrote, the IGCIT (pronounced id-jit), the Internet of Gratuitously Connected Insecure Things.