A security researcher found vulnerabilities in Jacuzzi’s SmartTub interface that allowed access to each spa owner’s personal information.
As with most Internet of Things (IoT) systems, Jacuzzi’s SmartTub feature allows users to remotely connect to their hot tub via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” the app lets users control the water temperature, turn jets on and off, and change the lights.
But as documented by hacker Eaton Zveare, this functionality could also be abused by attackers to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users may be affected, but the SmartTub app has been downloaded more than 10,000 times from Google Play.
Eaton first noticed an issue when attempting to log in through the SmartTub web interface, which uses the third-party identity provider Auth0, and found that the login page…