Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services
Vulnerabilities in the web interface of Jacuzzi’s SmartTub app could have enabled an attacker to view and potentially manipulate the personal data of hot tub owners, a security researcher claims.
As well as an Android or iOS app, SmartTub provides a module that sits within hot tubs providing status updates and fulfilling commands around setting water temperature, turning on water jets or lights, and so on – although there’s no suggestion this functionality was affected by the flaws.
Eaton Zveare managed to bypass Smarttub.io login pages to reach two admin panels intended for internal use only.
Read more of the latest internet of things security news
The issues have now been patched, although Zveare claimed he was not notified of the fixes, and that Jacuzzi failed to reply to most of his emails. Jacuzzi has yet to respond to our invitation to comment. We’ll update this article if and when they do.
According to the researcher, abuse of the vulnerabilities exposed first names, last names, and email addresses of users from around the world. In a technical write-up he warned: “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”
‘Staggering’
The first admin panel was accessed after a login attempt using Zveare’s customer credentials returned an ‘unauthorized’ screen, but was briefly preceded – “blink and you’d miss it” – by a redirect to the admin panel captured with a screen recorder.
This security flaw fleetingly showed data related to multiple Jacuzzi brands in the US and beyond.
A JavaScript bundle for Smarttub.io’s single-page-application (SPA) revealed that usernames and passwords were sent to third-party authentication platform Auth0 for validation.
Zveare used the Fiddler tool to modify the HTTP response in order to masquerade in the admin role – giving him full access to the admin panel and a “staggering” amount of data.
“I could view the details of every spa, see its owner, and even remove their ownership”, he explained. “I could view every user account and even edit them”.
However, Zveare declined to risk testing “if any changes would actually save”.
Backend services
The login screen for the second admin console, while not Auth0-branded, “seemed” to accept his credentials but generated a JavaScript browser alert declining permission.
The corresponding JavaScript bundle featured the code for browser alert and isAdmin check, and he noted that alongside the admin and user groups also visible on the first panel, the second panel featured admin tools and development groups.
DON’T MISS HID Mercury access control vulnerabilities leave door open to lock manipulation
With the help of Chrome Local Overrides functionality, the researcher loaded a modified JavaScript bundle file that forced canUseTools, checkAdmin, and checkDevTeam to return true in all cases. “This way, I didn’t need to intercept the HTTP response each time to modify the groups,” said Zveare.
This revealed manufacturing logs, a serial number update section, and options to extend your cell (mobile) data subscription – “or shorten someone else’s” – and create, modify, and delete tub colors or models and licensed hot tub dealers.
Fraught disclosure
A lengthy disclosure process detailed by Zveare began with initial notification on December 3, which apparently failed to elicit a response.
Zveare sought Auth0’s help on January 4 and said the authentication vendor immediately reproduced the issue, contacted Jacuzzi, and discovered that the first admin panel had been shut down.
On June 4 he noticed the second admin panel had finally been secured and then disclosed the vulnerabilities on June 20.
“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare.
“Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.”
By contrast, the researcher thanked the Auth0 security team for helping out despite having no obligation to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.
RECOMMENDED Security researcher receives legal threat over patched Powertek data center vulnerabilities