VirtualThreat Contributing Writer
When it comes to online privacy, we generally think of things like our favorite social networking sites, mobile phones, chat records, email, etc. Now, experts have uncovered a new security flaw that makes toilets vulnerable to hackers.
Trustwave, an information security company, recently published a security advisory reporting a vulnerability in the Satis “smart” toilet, manufactured by LIXIL Corporation. The Satis toilets are controlled with an Android app called “My Satis”, which communicates with the toilets over Bluetooth. The vulnerability lies in the fact that the Bluetooth PIN is hard-coded to “0000.” With that information, a hacker would only need to download the “My Satis” app, then pair his mobile device to the toilet using the default code of “0000” and he would have full control of the toilet’s functionality.
The mobile app can control functions of the toilet such as flushing and playing ambient music. Can you imagine sitting on the toilet trying to take care of business and along comes a series of rapid, loud flushes mixed with the music of AC/DC’s Thunderstruck playing at full volume? Sure, it’s not your average high-security cyber attack, but it might tend to freak out the average Joe.
Trustwave reports “Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.”
As of this writing, there is no patch to fix this issue, nor has the manufacturer, LIXIL, replied to any requests for comment.
This is a real-life security issue, but I think milk just came out of my nose when I laughed so hard while thinking of the mayhem a malicious hacker might cause with this vulnerability :-). A question comes to mind almost immediately, though. Who really needs a remote-controlled toilet anyway?
Let me know what you think in the comments below!
This article is offered under a Creative Commons license. It’s okay to republish it anywhere as long as the attribution bio is included and all links remain intact.