Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services
Vulnerabilities in the web interface of Jacuzzi’s SmartTub app could have enabled an attacker to view and potentially manipulate the personal data of hot tub owners, a security researcher claims.
As well as an Android or iOS app, SmartTub provides a module that sits within the hot tub, reporting status and carrying out commands such as setting the water temperature or turning on the jets or lights – although there’s no suggestion this functionality was affected by the flaws.
Eaton Zveare managed to bypass Smarttub.io login pages to reach two admin panels intended for internal use only.
The issues have now been patched, although Zveare claimed he was not notified of the fixes, and that Jacuzzi failed to reply to most of his emails. Jacuzzi has yet to respond to our invitation to comment. We’ll update this article if and when they do.
According to the researcher, abuse of the vulnerabilities exposed first names, last names, and email addresses of users from around the world. In a technical write-up he warned: “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”
The first admin panel was accessed after a login attempt using Zveare’s customer credentials returned an ‘unauthorized’ screen, but was briefly preceded – “blink and you’d miss it” – by a redirect to the admin panel captured with a screen recorder.
This security flaw fleetingly showed data related to multiple Jacuzzi brands in the US and beyond.
Zveare used the Fiddler tool to modify the HTTP response so that the app treated him as an admin – giving him full access to the admin panel and a “staggering” amount of data.
“I could view the details of every spa, see its owner, and even remove their ownership”, he explained. “I could view every user account and even edit them”.
However, Zveare declined to risk testing “if any changes would actually save”.
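The root cause described above is that the web app decided whether to show the admin panel from a role value in the login response, while the backend served admin data to any authenticated session. The following is an added illustration, not code from SmartTub or from Zveare’s write-up: a small in-process model of two backends, one that relies on the client’s UI gating alone and one that re-checks the role from its own session record on every admin call. Account names, passwords, serial numbers and the function names are all constructed for the example.

```python
import hmac
import secrets

# Constructed sample accounts and spa records (not real SmartTub data).
USERS = {
    "owner@example.com": {"password": "tub-owner-pw", "role": "customer"},
    "staff@example.com": {"password": "staff-pw", "role": "admin"},
}
SPAS = [
    {"serial": "SPA-0001", "owner": "owner@example.com"},
    {"serial": "SPA-0002", "owner": "other@example.com"},
]


class Backend:
    """Hypothetical API backend. Login issues a random bearer token and tells the
    client which UI to draw; the admin endpoint may or may not re-check the role."""

    def __init__(self, enforce_server_side: bool):
        self.enforce = enforce_server_side
        self._sessions = {}  # token -> username, held only on the server

    def login(self, username: str, password: str) -> dict:
        user = USERS.get(username)
        # Constant-time compare; a real system would store a password hash instead.
        if user is None or not hmac.compare_digest(user["password"], password):
            return {"ok": False}
        token = secrets.token_urlsafe(16)
        self._sessions[token] = username
        # The role in this response is a UI hint only; anything the client
        # receives can be altered before the app reads it.
        return {"ok": True, "token": token, "role": user["role"]}

    def admin_list_spas(self, token: str) -> list:
        username = self._sessions.get(token)
        if username is None:
            raise PermissionError("no valid session")
        # The fix: authorise from the server's own record of who this session
        # belongs to, never from anything the client sent or was shown.
        if self.enforce and USERS[username]["role"] != "admin":
            raise PermissionError("admin role required")
        return SPAS


def ui_page(login_response: dict) -> str:
    """Client-side routing only. This decides what is drawn, not what is allowed."""
    if not login_response.get("ok"):
        return "login_failed"
    return "admin_panel" if login_response.get("role") == "admin" else "unauthorized"


def customer_reaches_admin_data(backend: Backend) -> bool:
    """Log in as an ordinary customer and call the admin endpoint directly,
    bypassing the UI's 'unauthorized' screen. True means the backend leaked."""
    resp = backend.login("owner@example.com", "tub-owner-pw")
    assert ui_page(resp) == "unauthorized"  # the UI alone says no
    try:
        backend.admin_list_spas(resp["token"])
    except PermissionError:
        return False
    return True


def compare_designs() -> dict:
    """Run the same customer session against both designs."""
    return {
        "ui_gated_only_leaks": customer_reaches_admin_data(Backend(False)),
        "server_enforced_leaks": customer_reaches_admin_data(Backend(True)),
    }


if __name__ == "__main__":
    print(compare_designs())
```

The takeaway for review: any place where the client, not the server, decides whether a privileged view is shown is a finding, and the check is simply to replay a low-privilege session’s token against each admin endpoint and confirm the server refuses it regardless of what the UI displayed.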
The second admin panel revealed manufacturing logs, a serial number update section, options to extend your own cell (mobile) data subscription – “or shorten someone else’s” – and the ability to create, modify, and delete tub colors, models, and licensed hot tub dealers.
A lengthy disclosure process detailed by Zveare began with initial notification on December 3, which apparently failed to elicit a response.
Zveare sought Auth0’s help on January 4 and said the authentication vendor immediately reproduced the issue, contacted Jacuzzi, and discovered that the first admin panel had been shut down.
On June 4 he noticed the second admin panel had finally been secured and then disclosed the vulnerabilities on June 20.
“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare.
“Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.”
By contrast, the researcher thanked the Auth0 security team for helping out despite having no obligation to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.