Security experts at Pen Test Partners have discovered thousands of connected hot tubs are vulnerable to remote cyber attacks. Pen Test Partners, the UK security company that carried out the research, wrote: “Like most internet of things devices, the Wi-Fi module acts initially as in AP mode. The mobile app can connect as a client and control the tub locally. However, it can also configure the tub controller to be a client on your home network, so remote control from anywhere is possible through an API. The AP is open, no PSK, so anyone can stand near your house, connect their smart phone to your hot tub and control it. Your friendly neighbourhood hacker could control your tub.”
Pen Test Partners e-mailed the manufacturer, Balboa Water Group, already in November 2018. The manufacture promised a fix by the end of February 2019.
Read more about it here.