Beware Japanese toilet hacked by a smartphone

Japanese toilet hacked by Android app

A group of security experts is warning users of a luxury smartphone-controlled toilet about a security flaw that lets other smartphone users control it.

The Satis toilet, which retails for almost £4,000, offers a number of features that can be operated via a smartphone app, including flushing, music, a bidet spray and the release of scented perfume.

The toilet, which is manufactured by a Japanese firm, is controlled by an app for Android smartphones; however, experts have discovered that any phone with the app installed could activate any of the toilets.

The report comes from security experts at Trustwave's SpiderLabs. Bluetooth is used to make a connection between the toilet and the smartphone, with a PIN code put in place for protection. However, the PIN code is hardwired to four zeros for all units; this means the PIN code cannot be reset, and the toilet can therefore be activated by any phone that has the My Satis app installed.

The report states: “An attacker could simply download the My Satis app and use it to cause the toilet to repeatedly flush, raising the water usage and therefore adding costs for the utility to the owner. Attackers could also cause the unit to unexpectedly open and close the lid, or activate the bidet or the dry air features, causing discomfort or distress to the user.”

As the product uses Bluetooth, any potential attacker would need to be within close proximity to the toilet to interfere with its usage. That makes a malicious attack less likely than a disgruntled child or a mischievous family member or neighbour playing a practical joke on the toilet user.

Whilst the potential problems caused by this vulnerability are more likely to cause embarrassment than harm, it's a reminder to manufacturers of smart connected home utilities to be more security aware. SpiderLabs have notified Inax, the toilet manufacturer, about the problem, but have not yet heard back from them. We hope their offices haven't been hacked...