by theonealtair 1570 days ago
I went to use the app for my hot tub and put in the 6-digit PIN, except the last number I put in was a 4 instead of a 3. It logged me in, but the temperature looked off; then I realized I wasn’t connected to my hot tub, it was someone else’s. Turns out the 6-digit PINs are sequential. And this is from a billion dollar pool company.
4 comments

The S in IOT stands for security.
My neighbor has never properly set up the internet connection on his hot tub. It's still in access point mode, waiting for anyone to connect and take control of it. Going to guess that it at least has manual controls on the hot tub itself. If he wasn't such a difficult curmudgeon to talk to, I'd warn him about it, but he'll probably just think I'm trying to sell him something.
This is true across a frighteningly large swath of “quasi industrial home control” stuff - all the vulnerabilities of industrial controls with zero of the attention paid to it.
What’s industrial home control?
All the commercial stuff from before the Apple Home craze. Automated sprinklers, lighting, controls. It’s been out there since the 70s and got rudimentary internet access early on - and lots of it is very slapdash (underlying assumptions that everything is local wire or low range radio from before internet was slapped on).
That's incredible
The temp said 20° (which is impossible in my climate). Good thing I didn’t crank the heat up.