Pricey ‘Smart’ Toilets Vulnerable To Hacking

A luxury toilet controlled by a smartphone app is vulnerable to attack, according to security experts.

‘Hardware flaw’

Retailing for up to $5,686 (£3,821), the Satis toilet includes automatic flushing, bidet spray, music and fragrance release. The toilet, manufactured by Japanese firm Lixil, is controlled via an Android app called My Satis. But a hardware flaw means any phone with the app could activate any of the toilets, researchers say.


‘Can be activated by any phone’

The toilet uses Bluetooth to receive instructions via the app, but the PIN code for every model is hardwired to be four zeros (0000). This means the PIN cannot be reset and the toilet can be activated by any phone with the My Satis app, a report by Trustwave’s SpiderLabs information security experts reveals.

“An attacker could simply download the My Satis application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner,” it says in its report. “Attackers could [also] cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to [the] user.”

The limited range of Bluetooth means that anyone wishing to carry out such an attack would need to be fairly close to the toilet itself, said security expert Graham Cluley.

How would you react if your toilet suddenly operated on its own? Should the Satis toilet be banned?

Source: Zoe Kleinman | BBC News

Image: For What It’s Worth

Android ‘Master Key’ Security Flaw Discovered

A “master key” that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox. The bug could be exploited to let an attacker do what they want to a phone, including stealing data, eavesdropping or using it to send junk messages.

‘Loophole’

The loophole has been present in every version of the Android operating system released since 2009. Google said it currently had no comment to make on BlueBox’s discovery. Writing on the BlueBox blog, Jeff Forristal said the implications of the discovery were “huge”.


‘Malicious changes’

The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone. Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed.

Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed. The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.

Do you think the discovery of this “master key” to Android is significant? Can Google find a way to remedy this loophole?

Source: BBC News

Image: UK Mobile Review