Security IS Fun! Hack A Toilet Or A Robot Rabbit!

Thomas Brewster,

If hacking toilets and a talking electronic rabbit doesn’t get kids excited about IT security, then nothing will, says Tom Brewster

Well, if the world needed a news story to get kids excited about IT security, it arrived four days ago. Nope, it’s not some massive, government-sponsored attack. It’s news that a toilet and a talking rabbit can be hacked. The ramifications could and should be seriously funny (not that I would ever condone any of the following ideas… maybe).

Trustwave reported on 1 August that the Satis Toilet created by Japanese firm Lixil contained a vulnerability that meant anyone who had the My Satis app could do a whole host of nasty things. And, remembering those distant teenage years, kids love to mess around with toilets.

Toilet trouble - Shutterstock - © Phil McDonaldToilet trouble

“Any person using the ‘My Satis’ application can control any Satis toilet. An attacker could simply download the ‘My Satis’ application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner,” Trustwave said in its advisory, noting it had not received a response from the toilet maker.

“Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.”

Remember watching Jackass and Bam Margera attacking his dad on the bog? Well Margera, and any kid wanting to copy that trailblazer of family dysfunction, can now mess with their parents without even having to enter the bathroom. Activating the bidet function has the biggest fun-time quotient.

The fun needn’t stop there. If you know anyone with a Karotz Smart Rabbit (and let’s face it, who doesn’t, right?), you can hack that talking rabbit and start videoing the owner. A little context first: Karotz is an internet-connected “smart rabbit” that can play music through its built-in speaker, read Facebook posts, take pictures or video, amongst a host of stuff. It’s made by the developer Violet

karotz smart rabbitThis cute little thing can be controlled through an api at api.karotz.com, but the problem is all this is done over plaintext HTTP, meaning the session token used to authenticate API calls can be pilfered by an attacker sitting on the same network. “The session token can be used to perform any remote API call available to the application. For instance, if the application uses the webcam, a video could be captured using the webcam and sent to an arbitrary server,” Trustwave said.

That means you could really freak people out by making Karotz do weird stuff, or just spy on people. Cute.

If this stuff doesn’t interest kids in security, then there is no hope. We’re pooped. Just like people sitting on hacked lavatories.

What do you know about Internet security? Find out with our quiz!