Trustwave flushes out Android app-enabled toilet hack risk

Security researchers claims hackers could use app to remotely control toilet's functions.

Security researchers have discovered a vulnerability in an app used to control a luxury toilet that allows hackers to take control of the lavatory's functions.

The flaw was discovered by security firm Trustwave in the Inax's Satis automatic toilet, which uses an Android app to controls the cistern's functions via Bluetooth.

The "My Satis" Android application has a hard-coded Bluetooth PIN of "0000". The firm warned users the flaw could allow hackers to use the "My Satis" app to control any Satis smart toilet.

"An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner," said Trustwave's researchers in a security advisory.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user," researchers warned.

Trustwave has made three attempts to contact the vendor about the vulnerability since the middle of June, and has warned users that no patch from the manufacturer has been issued. There are currently no known workarounds as researchers have nothing from the vendor to go on.

The security vendor has also flagged a vulnerability in a talking rabbit toy. Karotz, which is a Wi-Fi enabled device in the shape of a rabbit, can be controlled by hackers and video its surroundings.

The rabbit can be controlled using an API at api.karotz.com over plaintext HTTP, meaning the session token used to authenticate API calls can be stolen by an attacker sitting on the same network. 

"The session token can be used to perform any remote API call available to the application. For instance, if the application uses the webcam, a video could be captured using the webcam and sent to an arbitrary server," said Trustwave's researchers.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020