"Researcher Hacks Into Backend for Network of Smart Jacuzzis"

A security researcher was able to hack into the backend of a series of Jacuzzi smart hot tubs. Like other Internet of Things (IoT) devices, the Jacuzzi SmartTub allows users to control the settings of their tub from a distance using their phone or SmartHome hub. EatonWorks discovered several security flaws in their own SmartTub and decided to investigate. Eaton first noticed a problem with his SmartTub when they attempted to use a password manager to log into one of the service's websites. As they were on the wrong website, a message was displayed saying they were not authorized to enter. Before the message appeared, Eaton saw a header and table, which was later discovered to be an admin panel populated with user data, exposing information on multiple brands. Eaton then decided to try bypassing restrictions and gaining access. A part of the hack was the exposure of personal data, including names and email addresses. As for remotely controlling the tubs, the security researcher says it is possible for a hacker to turn the heat up and alter filtration cycles. This article continues to discuss the demonstrated exploitation of a security vulnerability in SmartTubs that enabled access to personal information belonging to anyone who used the software. 

Motherboard reports "Researcher Hacks Into Backend for Network of Smart Jacuzzis"