Hot tub maker Jacuzzi is in hot water after a cybersecurity researcher said he found vulnerabilities in its app that risk exposing user data and let hackers remotely control tubs.
Jacuzzi’s “SmartTub” app — which lets users control hot tubs’ temperature, lighting and jets from their phones — is vulnerable to hackers, according to a cybersecurity researcher who publishes under the pseudonym EatonWorks.
Eaton wrote that they were able to access personal information about Jacuzzi customers around the world, including contact information.
“Worldwide user data was exposed, which included first name, last name, and email address,” Eaton wrote in a blog post. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”
Eaton also told Vice that hackers could use the vulnerability to mess with hot tubs across the world.
“As for remotely controlling tubs, I think the worst you could probably do is turn the heat all the way up and change the filtration cycles,” Eaton said. “Then in a few days you could have a hot, stinky soup.”
Before publishing their findings, the ethical hacker wrote that they contacted a login company that works with Jacuzzi, Auth0, which fixed the vulnerabilities they flagged in June.
Eaton emphasized that they did not actually attempt to download user data or remotely change strangers’ hot tub settings.
Jacuzzi did not immediately respond to a request for comment from The Post.
[Written in collaboration with other media outlets with information from the following sources]
