As the name implies, SmartTub turns an ordinary hot tub into a connected device by using a module inside the tub with cellular data that can be controlled remotely from your smartphone but the service also supports Alexa, Google Assistant, Wear OS watches and Apple Watch. As reported by TechCrunch (opens in new tab), security researcher Eaton Zveare first discovered these new flaws in Jacuzzi’s SmartTub after trying to log in to the service using a password manager. Much to his surprise, he was taken to the wrong website where a header and table briefly flashed on his screen before a message appeared saying he wasn’t authorized to enter. As it turns out, the header and table Eaton saw was actually an admin panel which contained the names, emails, brand of hot tub, model and model number of other SmartTub users. While it’s unclear how many users are affected at this time, the SmartTub app has been downloaded more than 10,000 times from the Google Play Store.
Unauthorized access to admin panels
After discovering the SmartTub admin panel, Eaton then used a tool called Fiddler to modify some code and appear as an admin as opposed to an ordinary user. This allowed him to gain full access to the control panel where he could view every single user account and even edit the information they contained. While the first admin panel contained user and hot tub information, Eaton also found a second admin panel while reviewing the SmartTub Android app. By loading a modified JavaScript bundle file, he was able to bypass the restrictions protecting the second admin panel. With full access to the second admin panel, Eaton discovered he was able to view and modify product serial numbers, see a list of licensed hot tub dealers and even view manufacturing logs. Following his discovery, Eaton responsibly disclosed his findings to Jacuzzi to let them know about the vulnerabilities in SmartTub so that they could be fixed. He first contacted the company in December but once communication between them dried up, Eaton was forced to turn to AuthO which handles logins and user accounts for Jacuzzi. Once Auth0 reached out to the company, the vulnerabilities in the SmartTub admin panel were fixed.
How to check if your personal data was exposed online
If Eaton was able to easily access SmartTub user data including customer names and emails, cybercriminals may have been able to do so as well before the vulnerabilities in question were patched. For this reason, SmartTub users should use Have I Been Pwned (opens in new tab) or other similar tools to see if their email address or other data is currently available on the dark web. Keep in mind though, your email address could have been exposed in a separate data breach. As is the case with all connected devices, convenience comes at a cost, which is why you may want to go back to adjusting your hot tub manually if you value your privacy and security.