Originally published at: Smart jacuzzis hacked | Boing Boing
Phew. That’s not as bad as what I first pictured.
Then Eaton used a program called Fiddler to intercept and modify some code that told the website they were an admin, not just a user.
Secure web apps 101: Never ever ever trust the client to handle authorization. Every action with elevated permission must verify at the server. Assume the client is compromised.
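The point in that reply, as an added example (not code from the thread or from Jacuzzi's back end): a framework-free model of an admin-only endpoint written both ways. The endpoint, the session store and the request shape are hypothetical; the tampered request is constructed.

```python
# Added example: a client-trusting authorization check beside the
# server-side check that replaces it. All names are hypothetical.
from dataclasses import dataclass, field

# Constructed server-side session store: token -> role, fixed at login.
SESSIONS = {"tok-user-1": "user", "tok-admin-9": "admin"}


@dataclass
class Request:
    """Constructed stand-in for the HTTP request the server receives."""
    session_token: str
    body: dict = field(default_factory=dict)


def delete_all_users_vulnerable(req: Request) -> str:
    """Trusts a role claim the client itself supplies in the body.

    Anything the browser or app sends (here the 'role' field) can be
    rewritten in transit by an intercepting proxy, so this check is
    equivalent to no check at all.
    """
    if req.body.get("role") != "admin":
        return "denied"
    return "all users deleted"


def delete_all_users_fixed(req: Request) -> str:
    """Derives the role from server-side state keyed by the session token.

    The client can only present a token it legitimately obtained; the
    role attached to it lives on the server and is never read from the
    request, so editing the body changes nothing.
    """
    role = SESSIONS.get(req.session_token)
    if role != "admin":
        return "denied"
    return "all users deleted"


def tampered_request() -> Request:
    # Constructed: a valid low-privilege session whose body was edited
    # in transit to claim admin rights.
    return Request(session_token="tok-user-1", body={"role": "admin"})
```

Run the tampered request through both handlers: the first one performs the privileged action, the second denies it and only honours a token the server itself mapped to the admin role.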
The Internet of Shit strikes again. No one needs a “smart” Jacuzzi. Just a way of jacking up costs for no real improvement in the product.
“Smart” Jacuzzi? What is served by having your hot tub connected to the Internet that cannot be accomplished with a meat thermometer?
“As for remotely controlling tubs, I think the worst you could probably do is turn the heat all the way up and change the filtration cycles…
they told Motherboard. “Then in a few days you could have a hot, stinky soup.
Yup, although I can understand the user-land reasons for a smartphone app. (I’m leaving work, I’ll use the smartphone app to turn the thing on so it’s ready when I get home, or something similar.)
In my experimentations with building a smart home, I’ve found that a lot of ‘smart’ devices are actually not at all smart, require a smartphone app and an account, and are run entirely on The Cloud (someone else’s computer), and the app’s quality is… highly variable. (ranging between “hey, this is pretty awesome” to “ignore all the design advice and app standards for the platform, collect ALL the data, and bind the device to that specific smartphone, in the name of getting it shipped as soon as possible.”)
Side tangent: back in late 2020, I ran across some ‘smart’ lights that were decidedly not, so much so that I had to write about it and vent, because it was really that awful.
@MikeKStar: I dunno, I wouldn’t stew about it…
I’ve taken to calling the cloud “Larry’s Computer,” because yep, that’s… uh… basically what it is. Thanks, Larry!
hijinks with the tubs themselves were not in play, sadly, but vast amounts of user information and account credentials were
That’s not nearly as entertaining as I first thought it would be, either.
“Senator, this is your jacuzzi app reminding you your filters are filled with condoms, cocaine and bits of transient young men. Please clean as soon as possible.”
While I understand what you’re saying about “smart things”, I have to disagree. A lot.
I have learned that just because I don’t see the immediate value of a thing doesn’t mean someone else won’t find value. A “smart” Jacuzzi might offer ways to help people with disabilities. Let’s say it has a feature for remote monitoring of chemicals; I can see someone remotely keeping tabs on their elderly parent’s spa. Or for someone with mobility issues, maybe this helps them manage the temperature for therapy sessions.
Maybe the automation actually saves energy that might be otherwise wasted on a non-smart tub. Obviously the argument then switches to “who needs a hot tub?”, but we already know they have legitimate therapeutic applications. I’m not a doctor so I can’t say if a person deserves one or not.
I’ve found that just about every smart thing we might ridicule has something to offer to people with different needs. (I’m still trying to figure out a use case for a Bluetooth-enabled hairbrush, but I don’t doubt that one exists somewhere on this planet.)
Or as William Gibson put it, “the street finds its own uses for things.”
And there’s always wealthy people who can afford to part with some extra money. I don’t mind them keeping the Jacuzzi factory workers employed, or the contractors who install and maintain them.
There’s a wide range between “disability accessible” and “it needs bluetooth because it can uh… be bluetoothy…” So while you’re correct, I will qualify what I’m talking about as all the useless features that connect to insecure cloud frameworks with bad password protocols and provide no real benefit to the use of a product that can’t be done in other means more practically, but simply “sound cool by adding smart or cloud to the name of the product.”
The problem becomes a real problem when smart products with no useful features replace normal ones. See: smart TVs. I do not need, want, or desire a TV that can monitor and track me so my data can be sold to third parties and/or feed me specific ads, but it’s almost impossible now to get a new one that does not. The addition of features which do not benefit ME, but benefit the manufacturer by allowing them to gather data ABOUT me needs to end.
Like you I find the egregious data collection practices are heinous. I also find most appliances with server-side features are just scummy ways of exacting monthly rental from products you already own. As an added extra bonus, they usually try to enforce their own special brand of vendor lock-in with their cloud, too. “Works with Nest (but not Apple HomeKit)”, “Compatible with Samsung SmartThings (but not Google Home)”, “Alexa-compatible (but screw you for thinking of anything else)”, etc.
And given this whole story is about Jacuzzi’s back-end being the worst Swiss cheese security I’ve seen in a long time, you’re obviously not wrong in your conclusions. I completely agree with you that the whole “cloud-based” approach is shit for almost every product.
But for devices that have local control, where the cloud is a completely optional part of the product, those are the ones I like because I can integrate them into my smart home without having to reach out to someone else’s computer just to operate my own stuff. And those are the ones I have no problems recommending to people.
It’s still worse than you think.
Sites like these are potential gold mines for hackers who are searching for login credentials they can use in Account Take Over (ATO) attacks. If they can learn that ‘jaded’@‘boingboing’.‘net’ has a password of “hunter2”, they can try logging in as ‘jaded’@‘boingboing’.‘net’ at ‘citibank’.‘com’, ‘walmart’.‘com’, ‘coinbase’.‘com’, and any of thousands of other sites that handle money, accounts, gift cards, cryptocurrency, etc.
If you find yourself in a hot tub that’s suddenly getting hotter, there’s a good chance that you are smart enough to get out before you die from it. But if your crypto account gets hacked, you won’t know it until they’ve drained your wallet; and with crypto currency there’s no FDIC to protect you.
Yep, I think we’re in accord on this. I don’t mind things with local control (long as admin passwords can be changed; that’s been an ongoing issue with some of these products). It’s more the data scumming cloud stuff with dubious benefits that annoys me.
Given today’s crypto prices, I’d be thankful for somebody else to take over my account. End result is pretty much the same…
Please drop some recommends here, please. Or link to where I can read up such matters. I just installed a Balboa(?) heater & controller, and the manual has tantalizing entries on how to setup the WiFi, but I’m not certain what I installed has the smarts for that.
I’d prefer something Home Assistant compatible. Or just something that talks MQTT. Which might (should?) become the universal language of home automation?
You’re always safer with a non-routable protocol. My Z-wave devices have no way to communicate with anything but my Home Assistant hub, which I fully control. Same with Zigbee. If it can’t get online, it can’t betray you.
For home automation, I highly recommend Home Assistant. I run mine on a Raspberry Pi, but you can run it on just about any computer you have. It’s fully open source and has a brilliant, vibrant community. There are over 1,000 official integrations available for anything from 1-wire to Z-wave, and several thousand others available via an add on process. I regret not converting my home to HA years earlier than I did.
Bluetooth connections are also non-routable, but that doesn’t mean they’re safe. Most of them pair with a mobile phone app that’s freely chatting with their masters’ clouds. So it’s hard to know if or when (ok, when) a Bluetooth device is silently ratting you out.
Once you move on to WiFi connected devices, it’s difficult to find anything that doesn’t phone home to the mothership. Assuming I can find a way to locally accomplish my goal, I’ll use that without signing up or creating an account. For example, I have “smart” TVs that I don’t want to be smart – I want them to be TVs. When I hook them to my WiFi, I click the NO, I DO NOT AGREE button. It will give me some pissy scary message like “you will suffer terrible FOMO if you don’t allow our marketers access to your viewing habits!”, but somehow I’ve survived.
Local devices I run include lights, fans, water sensors and an emergency water shut off valve, burglar alarms, weather sensors, TVs, and cameras.
My advice on the home control front is “consistency of interface”. Settle on one type of switch, and use that throughout your home. For example, don’t install a mix of paddle-up-for-on with tap-anywhere-to-toggle dimmers. Otherwise it’s a confusing mess for visitors and houseguests. Come to an agreement with the other residents of your home, and stick to it.
There are some other systems I’ve stood up for myself that are not in public clouds. My family’s calendars, contacts, music server, and file sharing are all locally hosted on a server in my house (I’m using OwnCloud, but would recommend NextCloud as the newer, better, more open product.) However, my ability to do so comes in part from two degrees and six decades of computer engineering experience, which the typical homeowner is not likely to have.
Unfortunately there are many things in my house that I haven’t worked around yet. While Home Assistant integrates with them via plugins, my garage door opener, dishwasher, thermostat, vehicles, and laundry machines are still online and chatting with their respective clouds.
One other piece of advice is to pick your battles. I find Google to be the worst of the worst privacy offenders, plus they delight in buying home automation systems and turning them off, so I have no Google Home stuff (that includes Nest). Apple prides themselves on vendor lock-in, so I don’t buy any Apple HomeKit devices (even though they’d probably be the most convenient). The laundry machines are Samsung, but their control systems suck hard, and I will never buy another Samsung SmartThing or AnyThing from them ever again.
So for my voice interface, that leaves me with she-whose-name-must-never-be-spoken. I personally think Amazon is barely slightly less evil than Google (and in some ways they’re much worse). But we still have a bunch of their voice pucks scattered around the house. Having one brand of stuff goes back to the consistency of interface rule. You don’t want to get in a four-way shouting match with your house, because you will lose. “Hey, Siri, turn on the kitchen light. Oh, shit, I meant Alexa, turn on the kitchen light. No? OK Google, turn on the gorram kitchen light! Hey, Siri, stop! Alexa, shut up! Dammit, which one of you turned off the TV?” (Yes, this has happened.)
There is finally some cool work being done in the open source voice recognition world, and I’m excited to try Mycroft, but nothing comes near the capabilities of the commercial systems. Yet.