If you want a classic example of what’s wrong with the approach to IoT security being taken by manufacturers of consumer devices, look no further than the Balboa hot tub.
There’s no end of stories about consumer devices being produced with communications capabilities and little or no access protection. Many of these – such as communicating toys — are very low cost, mass-produced devices. That’s really no excuse, but when the manufacturer of an up-market piece of consumer gear costing several thousand dollars displays a similar cavalier attitude to security, it’s a whole different story.
The saga of the hackable hot tub was revealed by UK security services company PenTest Partners and is detailed in a post on its website. The manufacturer, US based Balboa Water Group, then compounded its transgression by failing to respond to the issue when alerted by PenTest, until contacted by the BBC at PenTest’s request. That approach produced a response within the hour!
Balboa’s smart hot tub comes with an inbuilt WiFi access point and a smartphone app that enables the user to turn it on and off, control the temperature and the pumps.
It can also be configured so that the access point becomes a WiFi client device enabling the app to control the hot tub via the internet and the home’s WiFi network from anywhere in the world.
A totally open WiFi access point
PenTest found there was zero security in access point mode so that anyone with the app and within WiFi range could take control. In WiFi client mode the situation was little better.
PenTest explains that Balboa uses the iDigi Device Cloud to authorise user access. The iDigi Device Cloud is a public cloud platform-as-a-service (PaaS) that provides application integration with device networks. It claims to be able to connect any application, anywhere, to anything, anywhere.
Trouble is, as PenTest discovered, Balboa has used static credentials in iDigi, ie the same username and password for every smart hot tub. Connection to a specific hot tub requires a means of identifying it but that’s there as well: its mac address padded out with a few extra bytes.
There’s a website, https://wigle.net, that enables you to locate any WiFi access point worldwide. PenTest has helpfully provided a search to enable you to find all the smart Balboa hot tubs that users have left in access point mode (You need to register with wigle to use it).
I was able to identify the locations of 283 such Balboa hot tubs in Australia.
Ease of use prioritised over security
Balboa told PenTest that it had not implemented user accounts for “ease of use”, and that the static password was also a conscious choice.
In other words the company sees no consumer demand for device security and until that demand emerges, or there is regulatory pressure, the situation seems unlikely to change.
At the very least consumers should learn to be very wary of anything they can connect to without creating their own username and password but that also seems unlikely, in the short term at least.