Security flaw in this smart appliance’s software leaves owners in hot water

The smart home revolution is in full gear and smart gadgets like smart speakers, smart plugs, smart light bulbs, thermostats, cameras and door locks are poised to take over the consumer market in the next few years.

In fact, research from MarketsAndMarkets is projecting that the smart appliances market will be worth $37.2 billion by the year 2020!

Connected smart appliances can definitely make life more convenient, but here’s one big problem – plenty of consumers still treat these gadgets like your typical set-and-forget, plug-and-play appliances.

And scarier still, for many manufacturers, the security of these gadgets is still an afterthought. As we keep reminding you, these terrible assumptions can lead to a whole bunch of disastrous consequences.

Read on and learn why the holes of this whole Internet-of-Things movement need to be addressed and what you can do about it in the meantime.

This smart hot tub has holes

A security hole in this line of smart hot tubs could potentially allow hackers to take control of them remotely. Why is this critical? Well, it underlines the risks inherent in connected appliances and how manufacturers should prioritize their security above anything else.

In a BBC video demonstration provided by Pen Test Partners, security researchers revealed how an attacker can make the tubs colder or hotter, control the pumps and modify the lights through a computer or a smartphone without the owner’s knowledge.

Even worse, hackers can also gather a particular hot tub’s location by harvesting its GPS location data, leaving the owner’s home more susceptible to a break-in.

The smart hot tubs, built by a company called Balboa Water Group (BWG), are designed to allow their owners to monitor and control them with the Balboa Water App, but a weak password system means a hacker can break into the app easily and even pinpoint a hot tub’s location by using its GPS data.

Smart appliances companies can do better

With this flaw now exposed out in the open, BWG has promised to revamp its security system and it will introduce stronger checks to its app by the end of February. BWG also said that its app has been available for five years in its current form without any issues and it was surprised to learn of the security flaw.

The company revealed that it was actually working with more than 1,000 hot tub owners in the UK to globally set up a system of individual usernames and passwords and secure the app.

However, it opted not to proceed with this plan to “allow for simple and easy use and activation” by the owners of the hot tub.

Ken Munro, the founder of Pen Test Partners, said that this decision was irresponsible since it took away “consumer choice and a user’s right to privacy and security.”

The cybersecurity firm also warned that the hot tubs are not the only smart home appliances that are at risk.

Munro said that even though BWG’s security issue is not the most critical Internet-of-Things vulnerability in the world, it was still worth bringing to the public’s attention.

Since plenty of Christmas gifts this year will have some sort of smart functionalities and can be connected to the internet, Munro recommends that consumers reset any default passwords these gadgets may have and change them to unique ones.

“Manufacturers still are not taking security seriously enough, and until they do consumers have to be very vigilant,” Munro explained.

Got a smart device as a gift? Be smart about it

  • Manage it – If you received a smart gadget as a gift, do yourself a favor and immediately check its manual to see if it has a web management interface. Most of the time, you can access this interface via a regular web browser, desktop software or an app.
  • Change password – Once in, please change the default password immediately to something strong and unique. This will immediately protect you from the simplest “scan and search” Internet-of-Things attacks out there. Note: If you don’t have the manual or the default password, do what the researchers did – Google it!
  • Connect to the internet only when needed – Another way to protect your smart gadget is by connecting it to the internet only when necessary. For example, baby monitors, thermostats and security cameras can still be used effectively within your home network, without exposing them to the public.
  • Avoid second-hand products – Also, beware of buying second-hand smart gadgets that may already have been compromised. If you do, promptly reset it to factory defaults, then change its password.
  • Avoid unknown brands – And lastly, only buy from established and reputable brands. If a security camera is from an obscure Chinese company with no reputable online presence at all, please stay away from it. The prices of these off-brand gadgets may be relatively cheaper but most of the time, you do get what you pay for.

Hopefully, more smart appliance manufacturers will improve their products’ software rather than assume that owners prefer convenience over security.

Perhaps, a simple user password change prompt during the setup process will be enough to prevent most of these attacks, don’t you think?
