October 8, 2013

Hacking A…Toilet


Go ahead and add toilets to the increasingly long list of hackable consumer devices we’ve been compiling here on the Kaspersky Daily.


In fact, one of the researchers at this year’s Black Hat security conference touched on the subject briefly in a press conference at the event. While I would have loved to have written about it at the time, I ultimately decided to focus on more impactful stuff, but I made a mental note and promised myself that I would come back to it.

Some researchers from Trustwave, an application security firm, issued a security advisory back in August, warning users that the SATIS smart toilet Android application contained a hard-coded Bluetooth verification PIN. The PIN is “0000,” and entering it could allow an attacker within Bluetooth range to manipulate some of the toilet’s features. Once that PIN is entered, one Android device can communicate via Bluetooth with any number of Satis smart toilets in range.

In brief, owners of these smart toilets are exposing themselves to serious practical joke- and unfortunate accident-related risks.

More specifically, an attacker, if one ever desired to do so, could install the “My Satis” app, enter the Bluetooth PIN, pair their device with however many Satis smart toilets are within range (and let’s be honest: if you have one smart toilet, you have multiple smart toilets), and launch a handful of attacks ranging from the marginally troubling to the outright devastating. The attacker could – in Trustwave’s words – “cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.”

More concerning yet (at least to me), an attacker could compel the Satis smart toilet’s lid to open and close or even activate the bidet or air-dry functionalities – again, in Trustwave’s words – “causing discomfort or distress to user.”

It’s not exactly hacking an insulin pump or a car, but a remotely triggered toilet malfunction sounds pretty awful to me.

I am not sure what you can do to protect yourself on this one. It appears that the company that develops the Satis smart toilet, LIXIL, has not yet fixed this bug. I guess you could send them a barrage of emails demanding they do so; that’s one option. These toilets also apparently have a thing called “pairing mode.” The guys at Trustwave say that the hard-coded PIN and the Android app will only work if the toilets have this “pairing mode” feature enabled. They say you could still cause a toilet to pair with an Android device even if pairing mode is off, but this would only be possible “by observing Bluetooth traffic to learn the toilet’s hardware address and pair with the toilet,” and that sounds pretty complicated. So, on one hand, it’s probably a pretty good idea to turn off pairing mode, but, on the other hand, what is the point of owning a smart toilet if you can’t send it commands from your mobile device? It’s a complicated world…

I can’t say for certain (there are a lot of strange people out there, after all), but I have to think most Satis users will be safe from these attacks – given there aren’t too many pranksters in the house. There isn’t much monetary incentive to turn on the bidet when someone is using the toilet. The hard reality here is that Satis users are just going to have to live with the fact that multiple Android devices can communicate with a single toilet, allowing pretty much anyone within range to accidentally (or not-so-accidentally) initiate one of the toilet’s features through the My Satis app on his or her Android device.