August 26, 2022

Smart Tub Mine Machine

Flaws in a smart hot tub's API expose data

Security researcher Eaton Zveare discovered the flaw after ordering one himself and setting up the associated SmartTub account. Along the way he discovered a flash of something, which he was able to screen-record and determine it was an admin screen.

Zveare was ultimately able to access "a staggering amount of data" through the two admin access points

Perhaps more troubling was Jacuzzi's response. According to Zveare, they were less than responsive to someone who was able to access their admin panels. To date their one public-ish acknowledgement is a memo to partners essentially denying the breach. And though they seem to have closed both admin pages, Zveare's post ends with a note for Jacuzzi to call him as he has additional security concerns.

‍

Ian Armas Foster

Writer

Browse all posts

April 17, 2024

APIs and Competitive Advantage in the Travel Sector

In the travel sector, securing a competitive edge is vital. In a hyperconnected industry, where demand fluctuates, pricing is dynamic and customers have endless options, efficient and well-secured APIs can make a huge difference.



April 11, 2024

Revisiting Cambridge Analytica in 2024

The Cambridge Analytica Data Scandal led to the collapse of the company, court cases and massive fines for Meta. It highlighted the massive impact that technology was having on society, politics and democracy. Now, almost a decade later, we take a look at how a poorly configured API started it all.



April 5, 2024

I was Wrong about Endpoint Security

Based on trends in changing compute architectures, it seemed logical that Endpoint Detection and Response companies would shrink their overall install base. Instead, EDR has evolved into Extended Detection and Response.



Smart Tub Mine Machine

Ian Armas Foster

Related posts

APIs and Competitive Advantage in the Travel Sector

Revisiting Cambridge Analytica in 2024

I was Wrong about Endpoint Security

This site uses cookies