Hard-coded PIN vulnerability found in smart toilets
Posted on 08/06/2013 2:22:56 PM PDT by Red Badger
Security experts are warning us all over the place. The digital life used to be a cubicle and workstation. Now it's, well, life. Everything is connected, and the Internet is everywhere. That means criminal intruders along with pranksters can also broaden their reach from computer malware to home connections such as smart appliances and meters. Last week, there was one more proof that this was so: According to a warning by the information security firm Trustwave, a Satis-brand toilet by the Japan-based company Lixil can be controlled remotely by an Android app.
According to Daniel Crowley, a managing consultant with information security firm Trustwave SpiderLabs, the vulnerability could allow a prankster to outsmart the toilets. The firm posted a warning on August 1 that a luxury brand of toilets that carry a smartphone app for controlling the smart features of the toilet can be commandeered by an outside invader. These toilets can communicate with the phone app through Bluetooth, and therein lies the problem.
The Satis smart toilet, said the advisory, is controlled using the app My Satis. This Android application has a hard-coded Bluetooth PIN of "0000", and any person using the application can control any Satis toilet by downloading the app and entering the "0000" PIN. An attacker could cause the toilet to flush repeatedly. This would in turn raise water usage, and those who pay water bills could see an increase in costs on their utility bills.
Attackers could also cause the unit to unexpectedly open and close the lid, or activate the bidet or air-dry functions. Depending on age and mental status, these acts might not be so funny and could cause fear or general distress, even though the damage is not lethal. According to Trustwave, the manufacturer was notified about the vulnerability.
The Satis line of luxury toilets may cost anywhere from $2,385 to $4,657 depending on the model. They are loaded with features such as automated lids that open and close, heated seats with temperature control, sprays, music, and deodorizers. The line offers a bowel-movement tracker for those concerned with monitoring their health. At the end of last year, Lixil announced that in 2013 it was to add something even smarter, a series of toilets that can be controlled by smartphone.
They said that the My Satis Android app, which communicates with the toilet using Bluetooth, enables the user to operate its various functions using a handset.
News of the vulnerability has attracted many jokes and snarky metaphors. Apart from entertainment value, though, the story is worth noting because the security firm flagged a situation where a household fixture with a live connection to a smartphone can be exploited.
Interestingly, among the recent Black Hat 2013 presentations was one about "home invasion" in which Crowley took part, and it had to do with network-connected devices used in homes posing security risks.
"Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm," said the presentation notes.
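For anyone reviewing an Android app for the class of flaw the advisory describes, the following is an added example (not code from the article, Trustwave, or the My Satis app) of a static check that flags Bluetooth pairing calls fed by a compile-time constant PIN. It assumes the app pairs through Android's `BluetoothDevice.setPin()`; the article does not say how the PIN is stored, and the Java sample being scanned is constructed for illustration.

```python
import re

# Constructed sample of decompiled Android source (NOT the My Satis app's code).
SAMPLE_JAVA = '''
public class PairingHelper {
    private static final String DEFAULT_PIN = "0000";
    private static final String DEVICE_NAME = "toilet-01";

    void pairFixed(BluetoothDevice device) {
        device.setPin(DEFAULT_PIN.getBytes());
    }

    void pairLiteral(BluetoothDevice device) {
        device.setPin("1234".getBytes());
    }

    void pairFromUser(BluetoothDevice device, String enteredPin) {
        device.setPin(enteredPin.getBytes());
    }
}
'''

# String constants declared in the class, and setPin() calls whose argument
# is either a string literal or an identifier followed by .getBytes().
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
SETPIN_RE = re.compile(r'\.setPin\(\s*("([^"]*)"|(\w+))\s*\.getBytes\(')

def find_hardcoded_pins(java_source):
    """Return (line_no, pin) for each setPin() call fed by a compile-time constant."""
    constants = dict(CONST_RE.findall(java_source))
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        m = SETPIN_RE.search(line)
        if not m:
            continue
        literal, name = m.group(2), m.group(3)
        if literal is not None:            # setPin("1234".getBytes())
            findings.append((line_no, literal))
        elif name in constants:            # setPin(DEFAULT_PIN.getBytes())
            findings.append((line_no, constants[name]))
        # An identifier that is not a declared constant is runtime input: not flagged.
    return findings

if __name__ == "__main__":
    for line_no, pin in find_hardcoded_pins(SAMPLE_JAVA):
        print(f"line {line_no}: setPin() uses hard-coded PIN {pin!r}")
```

A finding means every installed copy of the app shares one pairing secret, so the PIN authenticates nothing; the fix is a per-device PIN or a pairing mode that requires physical confirmation at the device.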
An app that directly competes with Facebook.
I’ve heard of sitting on pins and needles butt this is ridiculous.
Why do we need smart potties?
Imagine in a power outage. Even the potty doesn’t work. Insanity.
Why would anybody want a toilet they can flush with their smartphone in the first place?.......
I WANT one of these smart toilets. I do.
I’ll just press a button on my phone app and BINGO!
All Wiped Up.
The NSA is all over this...
This begs the question of why it is important to have a smart phone-controlled pooper.
For dumb sh!ts.......
Smart toilets take Butt-Dialing to a whole new level - ping.
Everybody be careful, I have one of these and had some issues. I was sitting on the toilet doing my business when I decided to activate the toilet app with my cell phone. I had toilet paper in one hand and my phone in the other. I went to put my password (My password is poopoo, how clever is that?) in my cell phone but wait a minute, this hand has the toilet paper. This could only mean one thing, the cell phone is in my ass. Yes, some ass has my cell phone. I put the phone in a zip lock bag and took it to the Apple store and told them, “I don’t know what happened, it just stopped working”. If you can believe it, I now have to operate the toilet manually until I get my phone back, How stupid is that, what am I a cave man or something?
Time for Hollywood to remake No Time for Sergeants.
The line offers a bowel-movement tracker for those concerned with monitoring their health.
Great, now my doctor and the IRS will think I go to the bathroom every 30 seconds because the neighbor kid hacked my toilet.
What is it with the Japanese and toilets?
So, I go to the bathroom in the airport. What is the story on the sinks in airport bathrooms, that they will not give us a twist-it-on twist-it-off, human-style faucet? Is that too risky for the general population? Too dangerous? We gotta install the one-handed, spring-loaded, pain-in-the-ass Alcatraz-style faucet. You know, those ones you gotta go: "Hey I got a little water there" "Hey I got a couple of drops."
What is it they think we would do with a faucet? Turn them all on full, run out into the parking lot laughing, pushing each other into the bushes?
"Come on, the water's on, let's go! I turned it on full blast!"
"You idiot! We're businessmen - we're gonna miss our plane."
"Who cares? Water!"
That's how they think we're gonna act.
-- Jerry Seinfeld, I'm Telling You For The Last Time
THERE’S AN APP FOR THAT..
I’m surprised that it doesn’t intentionally let you sync up with your phone via bluetooth as a sanitary measure. People could request features with their phones rather than touch a common panel on the wall. It would have to figure out a way to make sure you sync up with the right phone instead of the one held by the person in a nearby stall.
The possibilities are endless. Yelp could confirm that you really did eat at the restaurant on which you just passed commentary. Walgreens could determine if you are a good candidate for stool softener coupons. ...
A toilet with video uplink to YouTube..........
Unless there is a camera somewhere in there or you need to pay to flush (and ostensibly have stored your credit card information in your toilet) at home...what would a criminal possibly gain by hacking your toilet, other than a harmless prank?