Weak security practices have rendered IoT devices vulnerable to hacking and all sorts of cyber-attacks. According to the research from a Buckinghamshire-based security group Pen Test Partners, hot tubs can also be hacked using an app simply because there isn’t any authentication process in place.
Reportedly, 26,000 hot tubs are currently vulnerable to being hacked and controlled remotely, and anyone can perform the hacking by searching wigle.net, a public database of Wi-Fi networks that includes geolocation data. Hence, anyone can look up the physical location of a device.
According to the researchers at Pen Test Partners, hackers can easily control the hot tubs from anywhere in the world. All they would need is an internet connection, or to be within range of a nearby hot tub's Wi-Fi access point.
The app that makes it all happen is called the Balboa Water App. It is a mobile application used to control nearly 30,000 hot tubs made by the Balboa Water Group Inc. The app links the hot tub to a Wi-Fi connection; however, it does not properly authenticate users, which makes it possible for third parties to gain access.
Moreover, the app's lackluster security measures also allow the physical location of the hot tubs to be identified. The researchers exploited these flaws in the app's authentication process to locate the hot tubs in their vicinity.
A hacker can gain access to the system and increase or decrease the heat quite effortlessly, making the tub unusable. If the tub is continuously heated, it will waste a considerable amount of electricity. Furthermore, since the blowers are activated only when someone is using the hot tub, a hacker could work out when the user is in the tub and then manipulate the temperature or turn the water pumps on or off.
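The core problem described above is that knowing a device's identity is treated as authority over it. The following is an added illustration, not code from the article or from Balboa Water Group, of what that looks like in a device-cloud command handler and how the hardened version differs: a random session token that must map to an account, a check that the account actually owns the device, an allow-list of commands, a server-side bound on the temperature a command may set, and an audit trail of rejected attempts that a defender can alert on. The device ids, account names, the 40 °C limit and the command names are all constructed for the example.

```python
"""Added example: a device id alone must not be enough to control a device.

Nothing here reproduces the real app or service; the registry, commands
and limits are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import secrets

# Constructed ownership registry: which account is allowed to drive which tub.
DEVICE_OWNERS = {"tub-0001": "alice", "tub-0002": "bob"}

# Constructed command allow-list and a server-side safety bound (assumed value).
ALLOWED_COMMANDS = {"set_temp", "pump_on", "pump_off"}
MAX_TEMP_C = 40.0

# Session store keyed by SHA-256 of the bearer token, so a dump of this table
# does not hand out usable tokens.
_SESSIONS = {}

# Rejected requests are recorded so repeated probing of other people's devices
# shows up in monitoring rather than silently succeeding or failing.
AUDIT_LOG = []


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(account: str) -> str:
    """Issue a random bearer token for an already-verified account.

    How the account proved its identity (password, OAuth, ...) is out of scope;
    the point is that control is tied to a session, not to a device id.
    """
    token = secrets.token_urlsafe(32)
    _SESSIONS[_token_key(token)] = account
    return token


def handle_command_unauthenticated(device_id: str, command: str,
                                   value: float | None = None) -> tuple[str, str]:
    """Models the flaw: any caller who knows a device id may command it."""
    if device_id not in DEVICE_OWNERS:
        return ("error", "unknown device")
    return ("ok", f"{device_id} <- {command}" + (f"({value})" if value is not None else ""))


def handle_command_authenticated(token: str, device_id: str, command: str,
                                 value: float | None = None) -> tuple[str, str]:
    """Hardened handler: session, ownership, allow-list and range checks, in that order."""
    account = _SESSIONS.get(_token_key(token))
    if account is None:
        AUDIT_LOG.append(f"REJECT reason=no-session device={device_id} cmd={command}")
        return ("error", "unauthenticated")

    if DEVICE_OWNERS.get(device_id) != account:
        # Do not reveal whether the device exists; both cases are "forbidden".
        AUDIT_LOG.append(f"REJECT reason=not-owner account={account} device={device_id} cmd={command}")
        return ("error", "forbidden")

    if command not in ALLOWED_COMMANDS:
        AUDIT_LOG.append(f"REJECT reason=bad-command account={account} device={device_id} cmd={command}")
        return ("error", "unknown command")

    if command == "set_temp":
        # Enforce the bound server-side; the app is not trusted to do it.
        if value is None or not (0.0 <= value <= MAX_TEMP_C):
            AUDIT_LOG.append(f"REJECT reason=out-of-range account={account} device={device_id} value={value}")
            return ("error", "value out of range")
        return ("ok", f"{device_id} <- set_temp({value})")

    return ("ok", f"{device_id} <- {command}")


def rejections_for_device(device_id: str) -> int:
    """Count rejected attempts against one device, a simple signal for alerting."""
    return sum(1 for entry in AUDIT_LOG if f"device={device_id}" in entry)


if __name__ == "__main__":
    # Flawed path: a stranger commands Alice's tub with nothing but its id.
    print(handle_command_unauthenticated("tub-0001", "pump_on"))
    # Hardened path: Bob's valid session still cannot touch Alice's tub.
    bob = create_session("bob")
    print(handle_command_authenticated(bob, "tub-0001", "pump_on"))
    print(handle_command_authenticated(bob, "tub-0002", "set_temp", 60.0))
    print(handle_command_authenticated(bob, "tub-0002", "set_temp", 38.0))
    print("rejections against tub-0001:", rejections_for_device("tub-0001"))
```

The order of the checks matters: an unauthenticated caller learns nothing about which device ids exist, and an authenticated but non-owning caller gets the same "forbidden" answer for real and non-existent devices, so the handler cannot be used to enumerate the fleet. The range check on `set_temp` is the server-side counterpart to the "tub made unusable by overheating" scenario in the text.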
After the research was published, the manufacturer Balboa Water Group told the BBC that the company was ‘surprised’ to learn about the flaw, because the app has been available for more than 5 years and none of its users have complained so far.
Researchers claim that the service that controls the tubs, iDigi, also manages the control of other smart healthcare appliances, and that similar issues have been noticed in them too. According to Ken Munro, the founder of Pen Test Partners:
“Consumer IoT (Internet of Things) security is not in a good place. These findings underline that.”
The manufacturer Balboa Water Group has stated that it is currently improving the authentication process for over 1,000 tub owners across the UK and elsewhere. Until an update is released, which might be by the end of February, hot tub users are urged not to use the remote control function.