Security flaws in smart Jacuzzis could get owners in hot water

Share

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Email

Share this article

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

Being able to control the water temperature, lighting and other settings of your hot tub using a smartphone may be convenient but a security researcher has discovered new vulnerabilities that put users of Jacuzzi’s SmartTub system at risk.

As the name implies, SmartTub turns an ordinary hot tub into a connected device by using a module inside the tub with cellular data that can be controlled remotely from your smartphone but the service also supports Alexa, Google Assistant, Wear OS watches and Apple Watch. 

As reported by TechCrunch, security researcher Eaton Zveare first discovered these new flaws in Jacuzzi’s SmartTub after trying to log in to the service using a password manager. Much to his surprise, he was taken to the wrong website where a header and table briefly flashed on his screen before a message appeared saying he wasn’t authorized to enter. 

As it turns out, the header and table Eaton saw was actually an admin panel which contained the names, emails, brand of hot tub, model and model number of other SmartTub users. While it’s unclear how many users are affected at this time, the SmartTub app has been downloaded more than 10,000 times from the Google Play Store.

Unauthorized access to admin panels

After discovering the SmartTub admin panel, Eaton then used a tool called Fiddler to modify some code and appear as an admin as opposed to an ordinary user. This allowed him to gain full access to the control panel where he could view every single user account and even edit the information they contained.

While the first admin panel contained user and hot tub information, Eaton also found a second admin panel while reviewing the SmartTub Android app. By loading a modified JavaScript bundle file, he was able to bypass the restrictions protecting the second admin panel.

With full access to the second admin panel, Eaton discovered he was able to view and modify product serial numbers, see a list of licensed hot tub dealers and even view manufacturing logs.

Following his discovery, Eaton responsibly disclosed his findings to Jacuzzi to let them know about the vulnerabilities in SmartTub so that they could be fixed. He first contacted the company in December but once communication between them dried up, Eaton was forced to turn to AuthO which handles logins and user accounts for Jacuzzi. Once Auth0 reached out to the company, the vulnerabilities in the SmartTub admin panel were fixed.

How to check if your personal data was exposed online

If Eaton was able to easily access SmartTub user data including customer names and emails, cybercriminals may have been able to do so as well before the vulnerabilities in question were patched.

For this reason, SmartTub users should use Have I Been Pwned or other similar tools to see if their email address or other data is currently available on the dark web. Keep in mind though, your email address could have been exposed in a separate data breach.

As is the case with all connected devices, convenience comes at a cost, which is why you may want to go back to adjusting your hot tub manually if you value your privacy and security.