EatonWorks security researcher discovered a vulnerability in the SmartTub system that allows you to remotely control hot tubs, adjust temperature, change filtration modes and water levels. Accessing these features may damage someone else’s device.

If you max out the heat and change the filtration cycles, you’ll have a hot-smelling soup in a few days. This is not fixed with any chemicals, you have to clean everything by hand.

EatonWorks

In addition, the researcher gained access to the personal data of users from all over the world, such as name, surname and e-mail address.

The programmer noticed a problem with SmartTub when he tried to log in as a user and for a second saw the admin panel appear on the boot screen. Then you need to “download the JS file and change a few lines”.

The researcher also managed to crack the SmartTub app for Android by finding the URL in the APK file that gives access to the additional admin panel.

EatonWorks repeatedly tried to contact Jacuzzi to report the vulnerability, but was only asked to send more information or even ignored. However, according to his observations, security vulnerabilities were fixed until June 2022.