Information Security News
by Sean Gallagher
Information security firm Trustwave has reported a potential cyber-attack vector to a device you may have never expected the phrase "security vulnerability" would be applied (other than in reference to the end of a toilet paper roll, that is). In an advisory issued August 1, Trustwave warned of a Bluetooth security vulnerability in Inax's Satis automatic toilet.
Functions of the Satis—including the raising and lowering of its lid and operation of its bidet and flushing nozzles—can be remotely controlled from an Android application called "My Satis" over a Bluetooth connection. But the Bluetooth PIN to pair with the toilet—"0000"—is hard-coded into the app. "As such, any person using the 'My Satis' application can control any Satis toilet," the security advisory noted. "An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, [or] activate bidet or air-dry functions, causing discomfort or distress to user."
And you thought the only thing you had to worry about was dropping your phone into the toilet.
I saw a somewhat "odd" alert today hit this web server, and am wondering if there are any circumstances under which this attack would have actually worked. The full request:
I broke the request up into multiple lines to prevent an overflow into the right part of the page, and I obfuscated the one embeded URL.