A security researcher claims that flaws in the online interface of Jacuzzi’s SmartTub app might have allowed an attacker to see and perhaps change the personal information of hot tub owners. The SmartTub system also includes a module installed inside the hot tub that delivers status updates and carries out commands such as adjusting the water temperature or turning on the water jets or lighting. However, there is no indication that this capability was affected by the incident.
Eaton Zveare could get past the Smarttub.io login screens and into two admin panels that were only meant for internal usage. Although the problems have been fixed, Zveare claims he was not informed of the improvements and that Jacuzzi failed to respond to most of his emails. Jacuzzi has yet to respond to a request for an interview. According to the researcher, exploiting the flaws disclosed the first and last names, as well as email addresses, of people all over the world. “It would be trivial to create a script to download all user information,” he cautioned in a technical write-up. “It’s possible it’s already been done.”
“I could view the details of every spa, see its owner, and even remove their ownership,” he explained. “I could view every user account and even edit them.” However, Zveare declined to examine “if any changes would actually save.”
Zveare outlined a lengthy disclosure procedure that began with an initial notification on December 3 that went unanswered. On January 4, he called Auth0 for assistance, and the authentication provider quickly replicated the problem, contacted Jacuzzi, and discovered that the initial admin panel had been disabled. On June 4, he saw that the second admin panel had finally been protected, and on June 20, he publicly reported the flaws.
“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare. “Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.”
By contrast, the researcher commended the Auth0 security team for assisting despite not being obligated to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.