Say you’re enjoying a nice soak when all of a sudden the temperature drops or the lights turn off. Maybe the hot tub is on the fritz. Or maybe — just maybe — it’s been hijacked.
It could happen. That’s according to Pen Test Partners. The UK security firm uncovered a flaw in a Wi-Fi-equipped spa system developed by Balboa Water Group, based in Tustin, Calif. The vulnerability would allow a hacker to take control of the hot tub remotely with a laptop or smartphone. Researchers said the hack is relatively simple, because the system does not require any authentication.
The issue caught the media’s attention. It was first reported by the BBC and has since been picked up by several other outlets.
Balboa didn’t believe the attention was warranted. “This is a non-event,” said Balboa CEO Eric Kownacki.
In a statement to the media, the manufacturer further said it set up the system this way to easily connect to a homeowner’s Wi-Fi. Balboa maintains that no one is in any danger — a mechanism in the system prevents unsafe conditions — and personal information has not been compromised in any way.
The company said it first became aware of the flaw in December and immediately began an investigation. The app has been available for more than five years and hasn’t received a single complaint during that time, officials said. Furthermore, a person cannot target a specific spa. A hacker could mess with the controls, but without knowing whose hot tub it is.
Even Pen Test Partners acknowledged that hackable hot tubs are not the most pressing security issue facing the world today. However, the finding underscores the larger problem of hacking smart-home systems through the devices connected to them. “Sadly, the security of many smart-home devices is not good,” said Ken Munro, a consultant with Pen Test Partners. “In some cases, a hacker could use vulnerabilities to compromise the owner’s home, their data and sometimes even to spy on their families.”
Balboa said it is working to further secure the system by requiring the homeowner to create a personal username and password. The manufacturer expects to upgrade the app by the end of February.