The Smart Toilet Security Hole

A security hole in the Satis smart toilet could result in an unpleasant experience for users.

Technology continues to expand at a blistering pace. Every gadget you can buy seems to have a ‘smart’ version that you can purchase for your home. Appliances of all kinds are internet connected and can be controlled by apps, perhaps the craziest of which is produced by the Japanese company Lixil. The Satis, a smart toilet that retails for around $5,700, has a flaw in its app that creates a security hole with the potential to surprise its users.

The luxury toilet is designed to allow users to control almost every aspect of the toilet via a smartphone app called My Satis. Users are able to open and close the lid, flush, operate the bidet and hot-air blower, and even play music and release fragrance from their cell phone. The app gets incredibly personal, even allowing users to store records of their bowel movements. Connected to your phone via Bluetooth, it is supposed to be the ultimate in bathroom experience.

A video on how the My Satis app is supposed to interact with your smart toilet can be seen below. Although it is in Japanese, you can at least gain an understanding of how the features should work by watching.

However, there is a flaw that creates an unexpected security hole in the luxury toilet. Every toilet is pre-programmed with a hardwired PIN code of 0000. That code cannot be reset and, being the same on every single model, enables anyone with a smartphone to download the My Satis app and take control of your toilet.

After discovering the weakness in their product’s security, Lixil released a report on the matter. “An attacker could simply download the My Satis application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner,” they said.

The security risk may not seem like a serious concern; however, should you own a smart toilet such as this, you would certainly not want to worry about “attackers [causing] the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to [the] user.”

The range of the Bluetooth connectivity is relatively small, however, meaning that anyone looking to exploit this vulnerability would have to be near your smart toilet to do so. An active range estimated at 30 feet would mean that a hacker would most likely have to be on your property in order to wreak havoc on your toilet. Even so, prankster friends and upset spouses could capitalize on the security lapse and make your life a little less pleasant.

Security expert Graham Cluley summed up the potential security hole in the smart toilet to the BBC. “It’s easy to see how a practical joker might be able to trick his neighbours into thinking his toilet is possessed as it squirts water and blows warm air unexpectedly on their intended victim, but it’s hard to imagine how serious hardened cybercriminals would be interested in this security hole,” he explained.

“Although this vulnerability seems largely harmless, what’s clear is that companies building household appliances need to have security in mind just as much as computer manufacturers,” Cluley added.

Lixil has not announced any plans to fix the security hole in its smart toilets, potentially due to the difficulty of updating toilet software. Although Satis has the potential to be the ultimate bathroom experience, the ease of hacking into it, paired with the lack of actual levers on the unit, makes it a questionable purchase. Imagine if your phone died and you were unable to flush. Design flaws such as this make waiting for the second generation a logical decision.

Follow me on Twitter @CharlieGille

The Guardian Express
