A researcher hacked into the backend of a series of Jacuzzi smart hot tubs in one of the more absurd hacks in recent memory.
The Jacuzzi brand SmartTub has the same simple selling point as all internet of things (IoT) devices: you can use your phone or SmartHome hub to control the settings of your tub from afar. Security researcher EatonWorks noticed several security vulnerabilities in their own SmartTub and decided to dig into it. They documented the experience on.
Eaton first noticed a problem with their SmartTub when they tried to log into one of the service’s websites using a password manager. They were on the wrong website and got a screen telling them they weren’t authorized to enter.
“Right before that message appeared, I saw a header and table briefly flash on my screen,” Eaton said on their blog. “Blink and you’d miss it. I had to use a screen recorder to capture it. I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.”
Then Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user. They were in, and could see a wealth of information about Jacuzzi owners from around the world. “Once into the admin panel, the amount of data I was allowed to was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “Please note that no operations were attempted that would actually change any data. Therefore, it’s unknown if any changes would actually save. I assumed they would, so I navigated carefully.”
Eaton told Motherboard this was all pretty easy. “Compared to a lot of other things I have done, this was easy,” they told Motherboard in an email. “I do a lot of stuff with console mods, and my most recent release there was a patch/Mod to upgrade Xbox 360’s USB support. That was much more difficult than just downloading a JS file and changing a few lines.”
They kept investigating and noticed a URL in the Android app’s APK that would give them access to an additional admin panel. They broke into this as well and were able to access Jacuzzi’s backend. They could create their own promotions and products, modify the serial numbers of products, see a list of dealers and their phone numbers, and even view a manufacturing log.
According to Eaton, the worst thing about the Mod was the exposure of personal data. “As for remotely controlling tubs, I think the worst you could probably do is turn the heat all the way up and change the filtration cycles..
they told Motherboard. “Then in a few days you could have a hot, stinky soup. There are no chemicals to control—you have to do that by hand. Changing another user’s data would have crossed a line, so this is just speculation on my part.”
“Worldwide user data was exposed, which included first name, last name, and email address. There is a phone number field, but thankfully I never saw it filled in anywhere, and you aren’t asked for it when creating an account,” Eaton said on their blog. “It would be trivial to create a script to download all user information. It’s possible it’s already been done. Jacuzzi is incorporated in California which has data breach notification laws. I’m uncertain whether the exposed data meets the bar for the law’s requirements, and it may not be technically possible to identify California residents in the SmartTub network.”
Eaton is an ethical hacker and repeatedly tried to contact Jacuzzi. According to their own disclosure timeline, they sent their first message to the company on December 3, 2022 just a few hours after initially discovering the security vulnerability. They finally went public with their findings on Monday.
Eaton heard from Jacuzzi twice. Once, in asking for more data about the Mod and another time an employee said they’d escalated Eaton’s concerns to management. They did hear from Auth0, the third party who handled the login front end of the SmartTub software. They, at least, were responsive and patched up the vulnerabilities on the login page that allowed Eaton access to the admin panels. Always be careful when sharing your personal info with your hot tub.
Jacuzzi did not immediately respond to Motherboard’s request for comment.