Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hot Tub Hack Reveals Washed-up Security Protection (bbc.com)

Posted by msmash on from the security-woes dept.

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed. From a report: Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone. Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Pen Test Partners -- the UK security company that carried out the research -- warned that hot tubs were not the only household items at risk. Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps. "Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said. "We recommend users reset any default passwords the device has immediately with a unique one of their own."

3 of 69 comments (clear)

  1. Not for me thanks by AndyKron · · Score: 4, Insightful

    Why the hell does a hot tub need blue tooth and GPS data? Answer: They don't.

  2. Reminds me of Dilbert skit by Anonymous Coward · · Score: 5, Funny

    Dilbert: Good morning, shower!
            Automated Shower Machine: Good morning, Dilbert!
            Dogbert: Hmm, don't you do enough engineering at work?
            Dilbert: Work is just meetings, this is engineering. If this works, someday all showers will be voice activated.
            Dogbert [sitting on a stool]: Is it that hard to turn the knobs?
            Dilbert: It's not that it's hard, it's unnecessary. [To ASM] 99, please.
            ASM: 99. [shower turns on at 99 degrees; Dilbert steps inside]
            Dogbert [aside]: 400.
            [The ASM does nothing]
            Dilbert: Heh-heh, nice try. But the shower is calibrated to respond to my voice only.
            Dogbert: Why, you think of everything!
            Dilbert: I'm cautious.
            Dogbert: That's why you had training wheels on your bike until you were 17.
            Dilbert: I was 14.
            ASM: 14. [makes the shower temperature 14 degrees]
            Dilbert: AAAAAAAAHHHHHHHH! [is frozen in a block of ice] 99! 99! 99! [shower goes back to 99 degrees, as the ice melts] Don't do that!
            Dogbert: Where'd you get the voice for that thing? It sounds like the voice for that stupid movie; what was it called, "something, something, a Space Odyssey"?
            Dilbert: It wasn't "Something, something, a Space Odyssey", it was "2001: A Spa-" [cut to the exterior of the house, as the ASM evidently makes the shower temperature 2001 degrees] AAAAAAAAGGGGGGHHHHH!!!
            [back inside, a red-skinned Dilbert wraps a towel around himself, which then catches on fire as he walks off-screen]
            Dogbert: On the plus-side, you look very clean.

  3. Re:IoT by ctilsie242 · · Score: 4, Insightful

    As someone who has worked for an IoT company, a lot of companies actually build in insecurity:

    1: If there is a major show stopper that hits customers, causing lawsuits, the top brass shorts their stock the day before the announcements. They laugh all the way to the bank.

    2: Unfixable security issues force customers to re-buy everything. The more issues that are unpatchable, the more revenue an IoT provider gets. Especially if the IoT devices are designed to be resistant to "jailbreaking", so they can't be patched via third parties.

    3: IoT devices sending up a constant telemetry stream can make more cash than the device itself, especially to advertisers.

    Want to know how to have IoT devices have a lot better security? Not hard:

    1: Have a dedicated IoT firewall hub. This hub only allows communication as per signed manifest files. This way, if a device only communicates via HTTPS to a load balancer for updates, and suddenly starts phoning home to Lower Elbonia, that will be blocked. Of course, a lot of IoT providers will just do 0.0.0.0/255.255.255.255 for a netmask of permissive sites, but will be a cause of public humilation.

    2: Have the IoT firewall hub communicate in an offline state, similar to UUCP forwarding. That way, the IoT hub grabs updates and offers them available for devices. Since there is no direct access to the devices, it becomes difficult to attack them without physical access.

    3: Have something similar to UL, or Sold Secure, where devices get tested by an independent group and given a certification that they passed white box, black box, and other security attempts.