August 26, 2022

Smart Tub Mine Machine

Flaws in a smart hot tub's API expose data

Security researcher Eaton Zveare discovered the flaw after ordering one himself and setting up the associated SmartTub account. Along the way he noticed something flash briefly on screen; he screen-recorded it and determined that it was an admin screen.

Zveare was ultimately able to access "a staggering amount of data" through the two admin access points.

Perhaps more troubling was Jacuzzi's response. According to Zveare, the company was less than responsive to someone who had been able to access its admin panels. To date, its one public-ish acknowledgement is a memo to partners that essentially denies the breach. And though both admin pages appear to have been closed, Zveare's post ends with a note asking Jacuzzi to call him, as he has additional security concerns.