CISO Update #50
Our 50th Edition: Weaponized Hot Tubs, Part 2
This is our 50th CISO Update. Each month over the last four years, we’ve published installments in this series of articles, sometimes to educate, sometimes to amuse, but always to underscore the importance of cybersecurity and to give the FIT community concrete examples of steps they can take to be more cybersafe. In the wild, often bizarre world of information security we are confident that there will be at least another 50 topics to discuss. We hope you find them interesting and useful.

Of all the things I thought I’d have to worry about in the world of information security, from ransomware to nation-state actors to cyberwarfare, I never thought that hackable hot tubs would be a recurring theme, but here we are. In our neverending focus on badly secured IoT devices, a couple of years ago we did an article about how attackers had been able to break into Wi-Fi-connected hot tub controllers to steal personal data, discover when owners were home and away, and join users’ unsecured Wi-Fi networks. Well, apparently Jacuzzi didn’t get the email. Last month TechCrunch reported that the application that controls hot tubs made by Jacuzzi, one of the largest manufacturers of home spas, is vulnerable to being hacked.

What does this mean? At first glance not much, although someone with a sense of humor could harass their neighbor by turning their Jacuzzi on and off, changing the color of the lights, etc. More important, the vulnerable app exposes information like usernames, email addresses, spa models, and serial numbers, allowing an attacker to send a very convincing phishing email to unsuspecting spa owners. For example: “Hello Ms. Smith. We at Jacuzzi are concerned about your satisfaction with your model 123 spa. Please click here to take a short survey for a chance to win $100 in pool chemicals.” The click could download malware and then from the hacker’s perspective it’s game on.

The truly annoying thing about this is that, just like the case of the genetic sequencing device we studied in June, Jacuzzi is a big enough company to know better, and as you’ll read in the article cited above, they were very slow to react even after they were notified of the vulnerability.  

What can you do?  

If these bullet points look familiar, they are repeated from the June CISO Update, but they apply to this case as well.

  • Don’t put devices on the internet when there’s not a good reason to do so. Do you really need remote control of your hot tub?

  • Don’t buy devices that don’t have passwords, ways to change default IDs, and methods to update software as needed. Demand more from the people who want to sell you things.

  • Once you’ve bought devices that allow you to change passwords and update software, do so. Subscribe to the vendor’s security update service so you get notified when software patches come out.

    The IoT has changed our lives, from wonderful conveniences to life-saving medical devices. Let’s do what we can to make it cybersafe.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.