Toilet hackers could snoop on your poop, steal data of a "personal nature" [VIDEO]

Joe Orton described the men's room as the "last bastion of male privilege", but a vulnerability in luxury lavatories discovered by security researchers suggests that you may not be as safe and secure in the smallest room of your house as you might have imagined.

Indeed, not only could hackers take remote control of your loo - causing it to unexpectedly flush or close the lid at inopportune moments - but they could also be snooping on your pooping.

If you aren't of a delicate disposition, read on...

One of the pleasures of visiting Japan is to encounter the high-tech lavatories.

Toilets in the country are often brimming with bells and whistles, allowing you not only to listen to your favourite Rolling Stones tracks while you drop the kids off at the pool, but also to adjust the seat temperature, give you an integrated bidet-style rinse, dry you with warm air, and deodorize whatever remains.

As you can see from the following promotional video for the Satis luxury toilet, the array of options can be quite bewildering to those of us who have never experienced such restroom complexity in the past.

However, there's bad news just over the horizon.

As BBC News reports, the Satis toilet manufactured by Japanese firm Lixil has an embarrassing security problem.

The toilet, which can sell for up to $5,686 (£3,821), can be controlled by an Android app called "My Satis".

The app allows you to perform a number of functions, communicating with the lavatory via Bluetooth. However, because the Bluetooth PIN is hardcoded to "0000", anyone who has the app installed can send instructions to the luxury toilet, say researchers at Trustwave:

As such, any person using the "My Satis" application can control any Satis toilet. An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.

Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

The good news is that this vulnerability lies in how the Android app communicates with the smart toilet over Bluetooth - which means any mischief-maker would need to be sitting within about 30 feet to hijack your loo.

So, a practical joker in a high-rise apartment in Tokyo might be able to freak out his close neighbours by squirting water unexpectedly or slamming down the toilet seat, but it's hard to imagine how serious hardened cybercriminals would be interested in this security hole.

Although many of the media reports have focused on the comedy elements of what a hacker could do with a hijacked loo, there is actually the opportunity for hackers to steal information as well... information of an... ahem... very personal nature.

I used Google to translate the Japanese-language description of the app:

"To record on the calendar defecation situation daily, it is possible to health care is "toilet diary". You can see at a glance enjoyable health state of each month by recording the bowel movement. Defecation record is a simple operation to choose from on the screen shape, color, and health status."

Quite why anyone would want to steal information like that is a question I leave for the reader to answer, but it's clearly a gross invasion of privacy.

More and more everyday household goods are having computer technology integrated into them, as their manufacturers attempt to differentiate themselves from their bog-standard competitors with bells and whistles.

Trustwave says that it contacted the toilet manufacturer on three occasions in the last two months, to advise them of their security blunder - but has received no response.

Although this vulnerability seems largely harmless, what's clear is that companies building household appliances need to smarten up about security rather than just racing to implement features that users may not actually need or want.


4 Responses

  1. spryte

    August 5, 2013 at 3:51 pm #

    As a Crohn's sufferer I can see the value of keeping a 'Diary'…

    Perhaps more targeted spam for some 'Miracle' cure is the object here for those suffering from IBD/IBS (or other digestive issues)??

  2. Stew Green

    August 5, 2013 at 4:50 pm #

    How do you know if you have been hacked ?

    .. go back and check the logs !

    • Stew Green in reply to Stew Green.

      August 5, 2013 at 4:54 pm #

      Graham isn't stopping these hackers … your jobbie ?
