Do you remember the Android controlled toilet we reported on a few months back? Well it looks like the best seat in the house might not be so secure after all. There’s a fatal flaw in the Bluetooth connectivity of the Satis “Smart Toilet” that leaves you vulnerable to hackers when you’re in your most vulnerable position.
The Satis toilet comes with an accompanying Android app called My Satis, that allows you “log in” to check on important things such as water and energy consumption. The app also allows you to control the toilet’s many functions, while you work on your own.
Now Security firm Trustwave has blown the lid off of a major flaw in the Satis’ security. The toilets can be controlled using the Android app, but the Bluetooth PIN is hard-coded to “0000.” This opens up a backdoor to anyone within Bluetooth range of your back door. Because this toilet has so many features, potential attackers could “unexpectedly open/close the lid, activate bidet or air-dry functions,” Trustwave warns.
As such, any person using the “My Satis” application can control any Satis
toilet. An attacker could simply download the “My Satis” application and
use it to cause the toilet to repeatedly flush, raising the water usage and
therefore utility cost to its owner.
Attackers could cause the unit to unexpectedly open/close the lid, activate
bidet or air-dry functions, causing discomfort or distress to user.
The company behind the Satis, Japan’s Lixil, has yet to comment on the security issue. But the hard-hitting reporters at the BBC, who first pinched off the story, tracked down security expert Graham Cluley. Mr. Cluley took pains to wipe away our fears:
“It’s easy to see how a practical joker might be able to trick his neighbours into thinking his toilet is possessed as it squirts water and blows warm air unexpectedly on their intended victim, but it’s hard to imagine how serious hardened cybercriminals would be interested in this security hole.”