Home Access Control APIs Leave Users in Hot Water

A technology reporter at Ars Technica discovered a solution to the slow water heater in his apartment.

APIs are everywhere, powering the little connections we take for granted, from ordering food to checking the weather to... heating up water?! In fact, a lot of our API use happens at home, in places you might not even expect. What happens when these APIs are left vulnerable?

First, the reporter found a manual explaining how to activate recirculation of hot water (essentially, pre-heating the water for a shower) remotely from a mobile device.

Then, to take things a step further, he discovered a third-party integration he could connect to the water heater for even more control, letting him set conditions so the water would heat up automatically at certain times or on demand.

The original creator of that integration had done some digging into the application that powered the water-heating controls, and discovered that all you needed to tap into someone's water controls was their registered email address. Not even a password!

In other words, anyone who knew the correct email address could change that account's water settings at a whim.
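To make the failure concrete, here is an added example of the pattern described above. It is hypothetical code written for this post, not Rinnai's application or the integration the reporter used, and all names, accounts and device IDs in it are constructed. The vulnerable handler treats a caller-supplied email address as proof of identity; the hardened handler first authenticates the caller (password check, then a random bearer token) and only then checks that the authenticated subject actually owns the device it is trying to control.

```python
"""Hypothetical home-device control API, modelled as plain functions.

Two versions of the same 'set hot-water recirculation' endpoint:
  * vulnerable_set_recirculation: the account email doubles as the credential.
  * hardened_set_recirculation:  identity comes from a session token obtained
    by login(), and device ownership is checked against that identity.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: two accounts, each owning one water heater.
# Password hashes are derived with PBKDF2 at start-up so no plaintext is kept.
# (Iteration count kept modest for a demo; production would use more, or argon2.)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_account(password: str, devices: Set[str]) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "devices": devices}

ACCOUNTS = {
    "alice@example.com": _make_account("correct horse battery", {"wh-1001"}),
    "bob@example.com": _make_account("hunter2-but-longer", {"wh-2002"}),
}
DEVICE_STATE = {"wh-1001": {"recirculation": False},
                "wh-2002": {"recirculation": False}}

# --- Vulnerable pattern: knowing the email is enough ------------------------
def vulnerable_set_recirculation(email: str, device_id: str, on: bool) -> Tuple[int, str]:
    """The email is an identifier, not a secret, yet it is the only gate here.
    Nothing verifies that the caller *is* the account holder."""
    account = ACCOUNTS.get(email)
    if account is None or device_id not in account["devices"]:
        return 404, "unknown account or device"
    DEVICE_STATE[device_id]["recirculation"] = on
    return 200, f"{device_id} recirculation={'on' if on else 'off'}"

# --- Hardened pattern: authenticate, then authorize per object --------------
SESSIONS: Dict[str, dict] = {}   # bearer token -> {"email": ..., "expires": ...}
SESSION_TTL_SECONDS = 3600

def login(email: str, password: str) -> Optional[str]:
    """Verify the password against the stored hash and issue a random bearer
    token. From here on, the token (not the email) is what proves identity."""
    account = ACCOUNTS.get(email)
    if account is None:
        return None
    candidate = _hash_password(password, account["salt"])
    if not secrets.compare_digest(candidate, account["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"email": email, "expires": time.time() + SESSION_TTL_SECONDS}
    return token

def _subject_from_token(token: Optional[str]) -> Optional[str]:
    """Resolve a bearer token to the authenticated account, or None."""
    sess = SESSIONS.get(token or "")
    if sess is None or sess["expires"] < time.time():
        return None
    return sess["email"]

def hardened_set_recirculation(bearer_token: Optional[str], device_id: str, on: bool) -> Tuple[int, str]:
    """Identity is taken from the session, never from a caller-supplied field,
    and the device must belong to that identity (object-level authorization)."""
    subject = _subject_from_token(bearer_token)
    if subject is None:
        return 401, "authentication required"
    if device_id not in ACCOUNTS[subject]["devices"]:
        # Same answer whether the device is someone else's or does not exist,
        # so the endpoint cannot be used to enumerate valid device IDs.
        return 403, "device not owned by caller"
    DEVICE_STATE[device_id]["recirculation"] = on
    return 200, f"{device_id} recirculation={'on' if on else 'off'}"

if __name__ == "__main__":
    # Email alone flips Alice's heater in the vulnerable version.
    print(vulnerable_set_recirculation("alice@example.com", "wh-1001", True))
    # The hardened version refuses without a session, and refuses a valid
    # session that does not own the target device.
    print(hardened_set_recirculation(None, "wh-1001", True))
    tok = login("bob@example.com", "hunter2-but-longer")
    print(hardened_set_recirculation(tok, "wh-1001", True))   # Bob vs Alice's device
    print(hardened_set_recirculation(tok, "wh-2002", True))   # Bob's own device
```

The two checks in the hardened handler are separate on purpose: the 401 branch is authentication (who is calling?), the 403 branch is authorization (may this caller touch this object?). An API that skips the first and lets a request body name the account, as the integration's author found, has no way to do the second meaningfully, because the "subject" it authorizes is whatever the caller typed.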

Other researchers had come to the same conclusion and reached out to the company behind the water heaters, Rinnai. However, the company declined to comment and outright denied the claim that anyone could access any water account on the network using only the corresponding email address.

As of today, this vulnerability has still not been addressed, and it is far from the only case of a home access control issue.

To quote FireTail advisory board member Mikko Hypponen, in what has come to be known as Hypponen’s law:

If it’s smart, it’s vulnerable.

As the systems that ease our everyday lives become more automated with smart devices and Bluetooth, cybersecurity is increasingly pushed to the sidelines in favor of fast development. This means that cases such as the Rinnai hot water access control issue will only become more common and could affect more important functions as well. While hot water control may not seem like a severe concern, a vulnerable smart device that opens your front door is.

API security is vital for everyone, but not everyone understands API security. FireTail can help you gain full visibility into your API landscape, to see and secure all of your APIs. To see how it works, book a free 30-minute demo with FireTail here.