Hot tub hack reveals washed-up security protection

By Dan Simmons, BBC Click presenter

Published 25 December 2018

Image caption: Ken Munro demonstrated the hack to the BBC on a recent episode of Click

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed.

Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone.

Vulnerable tubs are designed to let their owners control them with an app.

But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data.

Balboa Water Group (BWG), which runs the affected system, has now pledged to introduce a more robust security system for owners and said the problem would be fixed by the end of February.

Christmas alert

Pen Test Partners - the UK security company that carried out the research - warned that hot tubs were not the only household items at risk.

Founder Ken Munro said that many Christmas gifts people would receive this year would connect to the internet and offer remote control through apps.

"Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant," he said.

"We recommend users reset any default passwords the device has immediately with a unique one of their own."

"Next to no security"

In the case of the hot tubs, the researchers found that information found on public resources, known as "wardriving databases", could be used to hijack the equipment without the need for any other kind of authentication.

Image caption: Public databases contain enough details to carry out the hack (this image has been edited to remove some information)

BWG told the BBC that it had been "surprised" to learn of the flaw as its app had been available for five years during which users had not reported any problems.

It said it was working with more than 1,000 owners in the UK and others globally to set up a system of individual usernames and passwords to secure the online controls.

It said it had previously opted not to do so because it had wanted to "allow for simple and easy use and activation" by homeowners.

Mr Munro said this had been "irresponsible".

"It takes away consumer choice and it takes away users' right to privacy and security," he explained.

The researcher acknowledged that it was not the most serious internet-of-things vulnerability in the world, but said it was still worth bringing to the public's attention.

"Blowers are only turned on when someone is in the tub, so a hacker could figure out if you're in the tub at the time, which is creepy," he explained.

"Consumer IoT security is not in a good place. These findings underline that."