High-Tech Toilet Vulnerable to Easy Security Hack

Dennis Faas's picture

Those people who paid more than $5,000 for a high-tech 'smart' toilet could be in for a shock. A major design flaw means it's easy for hackers to cause annoyance, irritation -- even financial loss.

The Satis toilet boasts a wide range of computerized features, such as an automated bidet and air drier and built-in speakers that play a personalized selection of music. The toilet can even be programmed to release a soothing fragrance.

Owners control these features using a special app for Android devices (though it can also be controlled through buttons on the toilet itself). The app offers additional functions, such as tracking your daily usage of the toilet -- something that could be useful for monitoring certain health conditions. (Source: bbc.co.uk)

Predictable Pin Produces Potty Problems

However, researchers at security firm Trustwave say they've found a serious design flaw.

The app works by sending out a Bluetooth signal through a user's smartphone. Normally, when two Bluetooth devices try to connect, they need a common four-digit PIN code to 'pair' and begin exchanging information.

It turns out the Satis PIN code is hardwired to '0000' and cannot be changed by the user. This means anyone with an Android device can install the app, connect to the toilet, and then control it. (Source: trustwave.com)

This could allow someone to carry out rude and annoying pranks -- such as remotely closing the lid or activating the bidet spray.

Toilet Hacking Can Mean Huge Water Bills

At worst, it could allow a hacker to repeatedly flush the toilet -- something that would not only be a major annoyance, but could result in an expensive utility bill.

That said, hacking through the Satis' Bluetooth connection does require a physical presence. That means an attack would require the hacker be within 60 to 100 feet of the toilet.

Trustwave says that, since mid-June, it has made three attempts to inform Satis about the flaw. However, the firm hasn't responded to Trustwave, nor has it publicly commented on the issue.

| Tags:
Rate this article: 
No votes yet