Security flaws in smart Jacuzzis could get owners in hot water

Acrylic Hot Tub
(Image credit: Shutterstock)

Being able to control the water temperature, lighting and other settings of your hot tub using a smartphone may be convenient but a security researcher has discovered new vulnerabilities that put users of Jacuzzi’s SmartTub system at risk.

As the name implies, SmartTub turns an ordinary hot tub into a connected device by using a module inside the tub with cellular data that can be controlled remotely from your smartphone but the service also supports Alexa, Google Assistant, Wear OS watches and Apple Watch

As reported by TechCrunch, security researcher Eaton Zveare first discovered these new flaws in Jacuzzi’s SmartTub after trying to log in to the service using a password manager. Much to his surprise, he was taken to the wrong website where a header and table briefly flashed on his screen before a message appeared saying he wasn’t authorized to enter. 

As it turns out, the header and table Eaton saw was actually an admin panel which contained the names, emails, brand of hot tub, model and model number of other SmartTub users. While it’s unclear how many users are affected at this time, the SmartTub app has been downloaded more than 10,000 times from the Google Play Store.

Unauthorized access to admin panels

SmartTub admin panel

(Image credit: Eaton Zveare)

After discovering the SmartTub admin panel, Eaton then used a tool called Fiddler to modify some code and appear as an admin as opposed to an ordinary user. This allowed him to gain full access to the control panel where he could view every single user account and even edit the information they contained.

While the first admin panel contained user and hot tub information, Eaton also found a second admin panel while reviewing the SmartTub Android app. By loading a modified JavaScript bundle file, he was able to bypass the restrictions protecting the second admin panel.

With full access to the second admin panel, Eaton discovered he was able to view and modify product serial numbers, see a list of licensed hot tub dealers and even view manufacturing logs.

Following his discovery, Eaton responsibly disclosed his findings to Jacuzzi to let them know about the vulnerabilities in SmartTub so that they could be fixed. He first contacted the company in December but once communication between them dried up, Eaton was forced to turn to AuthO which handles logins and user accounts for Jacuzzi. Once Auth0 reached out to the company, the vulnerabilities in the SmartTub admin panel were fixed.

How to check if your personal data was exposed online

If Eaton was able to easily access SmartTub user data including customer names and emails, cybercriminals may have been able to do so as well before the vulnerabilities in question were patched.

For this reason, SmartTub users should use Have I Been Pwned or other similar tools to see if their email address or other data is currently available on the dark web. Keep in mind though, your email address could have been exposed in a separate data breach.

As is the case with all connected devices, convenience comes at a cost, which is why you may want to go back to adjusting your hot tub manually if you value your privacy and security.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.