Slashdot Mirror


Hot Tub Hack Reveals Washed-up Security Protection (bbc.com)

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."

10 of 69 comments

  1. IoT by Anonymous Coward · · Score: 3, Insightful

    IoT - the rush for every manufacturer to strap a computer to their thing and connect it to the internet and their walled garden platform.

    IoT guys need to get together with open standards and push for things like OTA updates and security-reviewed libraries. In their rush to create walled gardens, they are creating an oasis of hacks just waiting to be found.

    How bad is it? Much worse than you think. Think of protocols that are sort of standard. No encryption. No authentication. Nothing. Then go hang that out on the internet behind a password page using state of the art tech from 1995 (if you're lucky). Then even *if* there is some sort of security update thing, it is for maybe 1-2 years. So suddenly my 2k in outlay for hardware hubs and repeaters is useless because it is already at EOL. I own a 'smart TV' from 2009. None of the smart features work anymore. The TV is just fine though.

    1. Re:IoT by ctilsie242 · · Score: 4, Insightful

      As someone who has worked for an IoT company, a lot of companies actually build in insecurity:

      1: If there is a major show stopper that hits customers, causing lawsuits, the top brass shorts their stock the day before the announcements. They laugh all the way to the bank.

      2: Unfixable security issues force customers to re-buy everything. The more issues that are unpatchable, the more revenue an IoT provider gets. Especially if the IoT devices are designed to be resistant to "jailbreaking", so they can't be patched via third parties.

      3: IoT devices sending up a constant telemetry stream can make more cash than the device itself, especially to advertisers.

      Want to know how to have IoT devices have a lot better security? Not hard:

      1: Have a dedicated IoT firewall hub. This hub only allows communication as per signed manifest files. This way, if a device only communicates via HTTPS to a load balancer for updates, and suddenly starts phoning home to Lower Elbonia, that will be blocked. Of course, a lot of IoT providers will just do 0.0.0.0/255.255.255.255 for a netmask of permissive sites, but that will be a cause of public humiliation.

      2: Have the IoT firewall hub communicate in an offline state, similar to UUCP forwarding. That way, the IoT hub grabs updates and makes them available to devices. Since there is no direct access to the devices, it becomes difficult to attack them without physical access.

      3: Have something similar to UL, or Sold Secure, where devices get tested by an independent group and given a certification that they passed white box, black box, and other security attempts.
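As an added illustration of points 1 and 2 above (this is example code, not the commenter's design or any vendor's product), the sketch below shows what a hub enforcing a signed manifest could look like: it refuses a manifest whose tag does not verify, refuses a manifest that tries the 0.0.0.0/0 "allow everything" trick, and then evaluates each outbound flow against the remaining rules with default deny. Everything here is assumed: the manifest layout (`allow` entries with `cidr`, `port`, `proto`), an HMAC-SHA256 tag with a shared `VENDOR_KEY` standing in for a real vendor signature, and constructed addresses from the documentation ranges (203.0.113.0/24 as the update load balancer, 198.51.100.7 playing "Lower Elbonia").

```python
"""Hypothetical IoT firewall hub policy check (added example, stdlib only).

A device ships a manifest listing the destinations it may reach. The hub
accepts the manifest only if its tag verifies, rejects over-broad rules,
and then allows a flow only when some rule matches address, port and proto.
"""
import hashlib
import hmac
import ipaddress
import json

# Constructed sample key; a real hub would hold the vendor's public key
# in a trust store and verify an asymmetric signature instead of an HMAC.
VENDOR_KEY = b"demo-vendor-key-not-real"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Hex HMAC-SHA256 over the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def load_manifest(manifest: dict, tag: str, key: bytes) -> list:
    """Verify the tag and return (network, port, proto) rules.

    Raises ValueError when the tag does not verify or a rule is over-broad.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest signature does not verify")
    rules = []
    for entry in manifest["allow"]:
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        # A /0 is the "0.0.0.0 with an all-permissive mask" manifest the
        # comment warns about: it would make the hub a no-op, so refuse it.
        if net.prefixlen == 0:
            raise ValueError(f"over-broad rule {entry['cidr']} rejected")
        rules.append((net, int(entry["port"]), entry["proto"]))
    return rules


def connection_allowed(rules: list, dst_ip: str, dst_port: int, proto: str) -> bool:
    """Default deny: a flow passes only if a rule matches all three fields."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and port == dst_port and p == proto
               for net, port, p in rules)


# Constructed manifest: the device may only speak HTTPS to the update LB.
UPDATE_MANIFEST = {
    "device": "spa-controller-demo",
    "allow": [{"cidr": "203.0.113.0/24", "port": 443, "proto": "tcp"}],
}
UPDATE_TAG = sign_manifest(UPDATE_MANIFEST, VENDOR_KEY)

# Constructed flows observed by the hub.
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, "tcp"),   # update check against the load balancer
    ("198.51.100.7", 443, "tcp"),   # unexpected phone-home ("Lower Elbonia")
    ("203.0.113.10", 22, "tcp"),    # right host, wrong port
]


def evaluate(manifest=UPDATE_MANIFEST, tag=UPDATE_TAG, flows=SAMPLE_FLOWS) -> dict:
    """Return {(ip, port, proto): allowed} for each flow under the manifest."""
    rules = load_manifest(manifest, tag, VENDOR_KEY)
    return {flow: connection_allowed(rules, *flow) for flow in flows}


if __name__ == "__main__":
    for (ip, port, proto), ok in evaluate().items():
        print(f"{ip}:{port}/{proto} -> {'ALLOW' if ok else 'BLOCK'}")
```

The point of checking the prefix length before installing rules is that a signed manifest is only as good as its contents: a vendor that signs an allow-all entry has a valid signature and no policy, which is exactly the failure the comment describes.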

  2. Not for me thanks by AndyKron · · Score: 4, Insightful

    Why the hell does a hot tub need Bluetooth and GPS data? Answer: They don't.

    1. Re:Not for me thanks by Ol Olsoc · · Score: 2

      Well, it depends...

      I’m with you on GPS. But I can see wanting remote control and data to my smartphone if my hot tub is outdoors in the winter. I can turn it on from the warm house and be able to know when the tub is actually hot before going outside.

      Modern spas do much better when you turn them on, set the temp, and leave it there. About the only time to change that is if you are going away for a few weeks; then, at least on my spa, you walk over, activate the control panel, and turn the temperature down.

      Years ago, like in the 1990s, they suggested cycling the temperature. Didn't work all that great for the equipment, and you had to decide when you were setting up the cycling programming when you were going into the tub. Meh. That turned out to really suck. Get home from work, and the wife says "It's supposed to rain starting around 10 this evening, so let's hit the tub at 8:30, okay?"

      You don't do that in a thermally cycled spa. Even so, our spa only loses about 4 degrees over a 12 hour period in the cold of winter. It's highly insulated and so is the cover. Manufacturer says set and forget.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. Reminds me of Dilbert skit by Anonymous Coward · · Score: 5, Funny

    Dilbert: Good morning, shower!
    Automated Shower Machine: Good morning, Dilbert!
    Dogbert: Hmm, don't you do enough engineering at work?
    Dilbert: Work is just meetings, this is engineering. If this works, someday all showers will be voice activated.
    Dogbert [sitting on a stool]: Is it that hard to turn the knobs?
    Dilbert: It's not that it's hard, it's unnecessary. [To ASM] 99, please.
    ASM: 99. [shower turns on at 99 degrees; Dilbert steps inside]
    Dogbert [aside]: 400.
    [The ASM does nothing]
    Dilbert: Heh-heh, nice try. But the shower is calibrated to respond to my voice only.
    Dogbert: Why, you think of everything!
    Dilbert: I'm cautious.
    Dogbert: That's why you had training wheels on your bike until you were 17.
    Dilbert: I was 14.
    ASM: 14. [makes the shower temperature 14 degrees]
    Dilbert: AAAAAAAAHHHHHHHH! [is frozen in a block of ice] 99! 99! 99! [shower goes back to 99 degrees, as the ice melts] Don't do that!
    Dogbert: Where'd you get the voice for that thing? It sounds like the voice for that stupid movie; what was it called, "something, something, a Space Odyssey"?
    Dilbert: It wasn't "Something, something, a Space Odyssey", it was "2001: A Spa-" [cut to the exterior of the house, as the ASM evidently makes the shower temperature 2001 degrees] AAAAAAAAGGGGGGHHHHH!!!
    [back inside, a red-skinned Dilbert wraps a towel around himself, which then catches on fire as he walks off-screen]
    Dogbert: On the plus side, you look very clean.

  4. Re:What is the use case? by Calydor · · Score: 2

    Get it started up before you get home, perhaps?

    --
    -=This sig has nothing to do with my comment. Move along now=-
  5. Not the hack I’m looking for by 93 Escort Wagon · · Score: 2

    So where’s the hack that turns the Hot Tub into a Time Machine?

    --
    #DeleteChrome
  6. IoT obsession! by grumpy-cowboy · · Score: 3

    I have worked in IT for 23 years now and I don't understand this obsession with IoT! Are you too lazy to turn off your lights yourself? To use a simple programmable thermostat? You really want to bug your home with a Google Home/Amazon Alexa/... or any other IoT gadget "du jour" to be spied on 24/7? Yes, I have a cell phone. This is the only "connected" device I have. Not a single IoT device will ever enter my house.

    At the next IoT device hack, the next state-sponsored privacy invasion scandal, or the next time Amazon/Google/Nest/... and now hot tub manufacturers (WTF!!) leak all the private data collected by their connected devices, I'll open a bag of popcorn and watch it from my "not so cool" analog but peaceful life. :)

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
    1. Re:IoT obsession! by fredrated · · Score: 3, Informative

      Old-time programmers like me don't like proportional fonts, we like to have columns line up as an additional check on code accuracy.

    2. Re:IoT obsession! by scsirob · · Score: 3

      I've been in IT for 35 years now and I can't agree more. What's this obsession with IoT? It's totally ludicrous. It's the Internet of Trouble.

      I wouldn't be surprised if the Chinese actually make the firmware so crappy on purpose. We are allowing the Chinese to carpet-bomb our society with millions of backdoored, easily hackable connected devices, allowing a coördinated attack on essential infrastructure, and (to stay in the Trump-bash mode), we pay for it ourselves!

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB