Hot tubs are supposed to be a great way to relax, but that’s a little harder to do when you aren’t in control of them. Thousands of hot tubs running a system made by Balboa Water Group have a vulnerability that allows malicious actors to remotely control them, according to a recent report from the BBC.
The issue, discovered by security researchers at the U.K.-based security firm Pen Test Partners, stems from lapses in a mobile app that lets hot tub owners control their tubs from their phones. Attackers could theoretically gather information from public resources to find homes with vulnerable hot tubs and target them. They could use third-party databases to look up the GPS location of a given tub and hijack it. There is no authentication that would prevent the attackers from getting into the system.
Once the attackers have picked their target, they can assume control of the tub remotely. That means they can make the temperature hotter or colder, take over the pumps and jets, and change the lights. The entire attack can be carried out over a smartphone or laptop.
According to the BBC, Balboa Water Group was caught off guard by the report and said it was “surprised” to learn of the vulnerability. The mobile app that gives users the ability to remotely control their hot tub has been available for about five years and users have never reported any issues or hacking attempts, according to the company.
Balboa Water Group is in the process of addressing the security flaw and plans to have it patched up by the end of February — which is a long time to leave a known flaw unpatched and available to exploit. The company is working with its customers to set up individual usernames and passwords so they can secure their apps. It previously opted not to have users set up personal accounts because it wanted to simplify the activation process. While that might have made things more convenient, the decision also exposed users to having their personal time in the hot tub interrupted by hackers.