Trustwave flushes out Android app-enabled toilet hack risk

Security researchers claims hackers could use app to remotely control toilet's functions.

Security researchers have discovered a vulnerability in an app used to control a luxury toilet that allows hackers to take control of the lavatory's functions.

The flaw was discovered by security firm Trustwave in the Inax's Satis automatic toilet, which uses an Android app to controls the cistern's functions via Bluetooth.

The "My Satis" Android application has a hard-coded Bluetooth PIN of "0000". The firm warned users the flaw could allow hackers to use the "My Satis" app to control any Satis smart toilet.

"An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner," said Trustwave's researchers in a security advisory.

"Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user," researchers warned.

Trustwave has made three attempts to contact the vendor about the vulnerability since the middle of June, and has warned users that no patch from the manufacturer has been issued. There are currently no known workarounds as researchers have nothing from the vendor to go on.

The security vendor has also flagged a vulnerability in a talking rabbit toy. Karotz, which is a Wi-Fi enabled device in the shape of a rabbit, can be controlled by hackers and video its surroundings.

The rabbit can be controlled using an API at api.karotz.com over plaintext HTTP, meaning the session token used to authenticate API calls can be stolen by an attacker sitting on the same network. 

"The session token can be used to perform any remote API call available to the application. For instance, if the application uses the webcam, a video could be captured using the webcam and sent to an arbitrary server," said Trustwave's researchers.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

'Largest ever' Magecart hack compromises 2,000 online stores
hacking

'Largest ever' Magecart hack compromises 2,000 online stores

15 Sep 2020
Infocyte integrates with Palo Alto Networks Cortex XSOAR
cyber security

Infocyte integrates with Palo Alto Networks Cortex XSOAR

19 Aug 2020
Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
Google takes on Zoom with launch of Meet hardware
video conferencing

Google takes on Zoom with launch of Meet hardware

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020