August 8, 2013

Perhaps They Should Have Tested More - Lixil's Satis Toilet

Not actually the Satis toilet
(But probably not subject to being hacked, either)

Retailing for over $4,000, the Satis toilet manufactured by Japanese firm Lixil is state-of-the-art in every way. Features include: copyrightjoestrazzere
  • automatic flushing
  • music
  • deodorizing fragrance release
  • a heated seat
  • a massage feature (hmm, I'm not sure I want to know more about this)
  • soft lighting
  • a bidet function
  • the ability to be hacked from any android phone with bluetooth capability

Call me a Luddite, but to me, controlling my toilet via an Android app doesn't seem like the smartest idea anyway. Do people really want to track their poop? Then, to use a hard-coded Bluetooth PIN of "0000" means that clearly someone wasn't thinking this one through to its logical conclusion.

According to Trustwave's Spiderlabs information security experts:
The "My Satis" Android application has a hard-coded Bluetooth PIN of "0000"
as can be seen in the following line of decompiled code from the
BluetoothDevice localBluetoothDevice =
BluetoothManager.getInstance().execPairing(paramString, "0000")
I can just see it now. Toilets gone wild! Unexpected bidet action... overpowering fragrance... constant flushing... overheating... overly aggressive massage (hmm)... poop counts through the roof... the mind boggles!

The message is clear folks: If you are going to open up your device to external control (via Bluetooth, or via the Internet, whatever), you need to take security seriously.

Before they get too flushed with success, piss away their profits, or start to see any corporate goodwill go down the drain, perhaps Lixil needs to invest in some Google-style "Testing on the toilet" here?

I shudder to think what the onrushing "internet of things" will bring!

See also:

No comments:

Post a Comment