Specifically, this blog post is about a smart toilet, the LIXIL Satis. Recently, this little commode made headlines because security researcher Daniel Crowley, of Trustwave SpiderLabs, published a security advisory related to it. Crowley’s advisory calls out the fact that the Satis uses a Bluetooth passcode of ‘0000’ which is hardcoded into the device and cannot be changed. The media have scooped up this little story and run mad with it. It’s everywhere. Everyone’s reporting this because they think it’s sensational.
I think they’re all wrong.
Lots of Bluetooth devices use a hardcoded passcode of ‘0000’. That doesn’t mean they’re all hackable. I will concede that using a passcode of ‘0000’ is pretty weak security, but just because this toilet uses it doesn’t mean anyone can take control of it from outside the bathroom door.
Bluetooth devices need to be bonded before they will exchange data, and devices are bonded through a process called ‘pairing’. Based on the advisory, the Satis would be classified as a Limited Input device: it has no keypad on which a user could type a passcode, which is why it carries a fixed one.
In the interest of full disclosure, I have not been able to put my hands on an instruction manual for the Satis, and I do not own one myself. I am assuming, at this point, that the toilet is NOT automatically in pairing mode, and that in order to bond it with your smartphone, you need physical access to both. If the above assumption is incorrect, and the Satis will pair with any nearby Bluetooth device, I submit that THERE is the vulnerability, not the weak passcode.
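To make the distinction in the two paragraphs above concrete, here is an added Python model of a Limited Input device's pairing policy. It is example code written for this post, not LIXIL firmware and not anything from the Trustwave advisory, and it deliberately models only the policy (when pairing requests are accepted, and that commands are honoured only from bonded peers), not the real Bluetooth link-key cryptography. The `press_pairing_button` action, the two peer addresses and the `PairingMode` names are all constructed assumptions; the fixed PIN `0000` is the one the advisory reports.

```python
"""Toy model of pairing policy for a Bluetooth Limited Input device.

Added example for this post (not LIXIL's firmware, not Trustwave's advisory code).
It models only *when* pairing is accepted, not the link-key cryptography, to show
why "is the device always pairable?" matters more than "is the PIN weak?".
"""
from dataclasses import dataclass, field
from enum import Enum


class PairingMode(Enum):
    ALWAYS = "always"        # accepts pairing requests at any time (the bad case)
    ON_DEMAND = "on_demand"  # accepts pairing only while a physically opened window is active


@dataclass
class LimitedInputDevice:
    pin: str                  # fixed PIN: no keypad, so the user can never be asked for one
    mode: PairingMode
    window_open: bool = False
    bonded: set = field(default_factory=set)

    def press_pairing_button(self) -> None:
        """Assumed physical action on the device that opens a one-shot pairing window."""
        self.window_open = True

    def pairing_request(self, peer: str, offered_pin: str) -> str:
        """Handle a pairing request from a peer address and report the outcome."""
        if self.mode is PairingMode.ON_DEMAND and not self.window_open:
            return "rejected: not in pairing mode"
        if offered_pin != self.pin:
            return "rejected: PIN mismatch"
        self.bonded.add(peer)
        self.window_open = False  # one bond per window; the next peer needs the button again
        return "bonded"

    def accept_command(self, peer: str) -> bool:
        """Control commands are honoured only from peers that completed bonding."""
        return peer in self.bonded


def exposure(dev: LimitedInputDevice) -> str:
    """Summarise what it takes to end up bonded to this device."""
    if dev.mode is PairingMode.ALWAYS:
        return "remote: any device in radio range can bond whenever it likes"
    return "physical: someone must put the device into pairing mode"


def run_scenario(mode: PairingMode) -> dict:
    """Constructed scenario: an uninvited phone in range tries to bond using the
    known PIN before anyone touches the toilet; afterwards the owner presses the
    pairing button and bonds their own phone."""
    toilet = LimitedInputDevice(pin="0000", mode=mode)
    uninvited, owner = "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"  # constructed addresses
    uninvited_result = toilet.pairing_request(uninvited, "0000")
    toilet.press_pairing_button()
    owner_result = toilet.pairing_request(owner, "0000")
    return {
        "uninvited": uninvited_result,
        "uninvited_can_command": toilet.accept_command(uninvited),
        "owner": owner_result,
        "owner_can_command": toilet.accept_command(owner),
        "exposure": exposure(toilet),
    }


if __name__ == "__main__":
    for mode in PairingMode:
        print(mode.value, run_scenario(mode))
```

Run with both modes and the point of the post falls out of the results: with `ON_DEMAND` the uninvited phone is refused despite knowing the PIN, because nobody opened a pairing window for it, while with `ALWAYS` the same PIN lets it bond and send commands. The PIN is identical in both runs; only the pairing policy changed.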
The advisory’s position is that an attacker can pair their phone with the Satis and download the app, and once bonded, they can control the toilet and make someone’s life miserable. That’s hardly a hack, though – if you leave your phone with your kid while you’re in the bathroom, or your spouse is just plain evil, they can do exactly the same thing.
The luxury toilet community may breathe a sigh of relief: your throne is not as hackable as the Internet may lead you to believe.