Smart hot tubs hackable: Research

A recent research study revealed vulnerabilities in an app that allow hackers to access the control system of smart hot tubs, pumps, and lights via a smartphone or laptop.

On the BBC television program Click, security researchers from Pen Test Partners Ltd showcased vulnerabilities in the Balboa Water App, a mobile app used to control around 30,000 hot tubs manufactured by Balboa Water Group Inc. The vulnerabilities apparently allow hackers to turn the temperature of the tubs up or down and to control the pumps and lights. The researchers also said the location of hot tubs can be discovered because of an authentication error in the app.

“We emailed Balboa Water Group on 28th November, explaining the flaw and asking for an acknowledgment so that we could start responsible disclosure. We had no reply,” the researchers said in a statement.

“We tried again on 30th November, asking for an acknowledgment by 10 pm GMT on Friday 3rd December. Again, we had no reply. We then asked the BBC if they could use their influence to elicit a response. They kindly obliged and, as if by magic, we had a response from BWG within an hour of the BBC emailing them,” the statement added.

Balboa Water Group stated that it is introducing a robust security system to patch the potential vulnerabilities and said that the problem would be fixed by the end of February 2019.

In similar research, researchers from the University of Texas revealed how smart lights can be maliciously used to violate users' privacy and security. According to the researchers, hackers can use internet-connected light bulbs as a covert channel to exploit the user's private data.

The research stated that hackers can launch an attack by manipulating the bulbs' infrared light to create a communication channel between the smart lights and a device that senses infrared light. By installing a malicious agent on the phone, the attackers can encode private data and transfer it through the infrared covert channel.