Security Bottomed Out

If we haven’t all done it at one stage, then I’m confident we’ve all at least thought of doing it (obviously when I was younger…)

Picture the scene – you surreptitiously creep into the bathroom whilst no one is looking, pick up the toilet lid and gently cover the surrounding area with cling film which you have carefully cut just to the right size…

Creep out again and wait for the hilarity to ensue when the next unsuspecting family member needs a loo break.

Well, practical jokers of the digital age rejoice – there is now a much more efficient way to cause embarrassment amongst your loved ones.

This week’s story is about the Satis toilet, manufactured by Japanese firm Lixil. The toilet is flush with mechanisms such as a bidet spray, automatic flushing, fragrance release and even music to ‘set the mood’. All these things are controlled by an Android app called ‘My Satis’ which even allows you to track your, er, ‘bowel movements’.

Pretty cool (and expensive – Satis toilets retail for £3821).  However, a fundamental hardware flaw means that anyone who has the app could potentially hack into the system and cause all sorts of mayhem – such as lowering and raising the seat at unfortunate moments, or activating the bidet spray at any given time.

This can not only affect the person who is trying to use the toilet at the time, but it could also cause significant damage (and maintenance bills) to any home or business that has one.

Getting serious for a moment, this is obviously quite a bit more than a practical joke – hacking in any form can have innumerable consequences… so I don’t want anyone to think we’re advocating this or doing anything more than seeing the funny side!

The hardware flaw in question is that the toilet is commanded via Bluetooth from the app, and the Bluetooth PIN code is hardwired to 0000 on every unit. Trustwave, who have managed (no idea how) to keep the toilet humour levels down, have created a report on the flaw, so if you’re interested read more here.

As our IT security partner Sophos has pointed out, hardwiring passcodes is a big no-no. Having something hardwired means that you personally can’t change it, and that means that any person with the My Satis app could control any Satis toilet.
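To show what ‘don’t hardwire the passcode’ looks like in practice, here is an added Python illustration; it is not code from the post, from Lixil, Trustwave or Sophos, and it does not model the real product. It contrasts the flawed pattern (one PIN baked into every unit) with a per-device PIN generated at provisioning, rejected if it is a well-known default, changeable by the owner, and protected against endless guessing. The list of ‘weak’ PINs, the four-digit format and the lockout threshold are all assumptions made for the example.

```python
import hmac
import secrets

# The flawed approach the post describes: one constant shared by every device,
# which no owner can change. (Constructed constant for illustration.)
HARDCODED_PIN = "0000"

# Assumed list of defaults an attacker would try first; not from any real product.
COMMON_DEFAULT_PINS = {"0000", "1111", "1234", "4321", "0123", "9999"}


def is_weak_pin(pin: str) -> bool:
    """Return True for PINs that should never be accepted: malformed, known
    defaults, all-identical digits, or straight ascending/descending runs."""
    if len(pin) != 4 or not pin.isdigit():
        return True
    if pin in COMMON_DEFAULT_PINS:
        return True
    if len(set(pin)) == 1:          # e.g. 7777
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):        # e.g. 2345 or 9876
        return True
    return False


def provision_pin() -> str:
    """Generate a fresh, random PIN for one unit at manufacture or first set-up,
    using a CSPRNG and retrying until the result is not a weak pattern."""
    while True:
        pin = f"{secrets.randbelow(10_000):04d}"
        if not is_weak_pin(pin):
            return pin


class PairingPolicy:
    """Per-device pairing secret with change support and a guess lockout.
    Hypothetical policy object, not the real device's firmware."""

    def __init__(self, pin: str, max_attempts: int = 5):
        if is_weak_pin(pin):
            raise ValueError("refusing to provision a weak or default PIN")
        self._pin = pin
        self._failures = 0
        self.max_attempts = max_attempts

    def locked(self) -> bool:
        """True once too many wrong guesses have been made; needs an out-of-band reset."""
        return self._failures >= self.max_attempts

    def verify(self, candidate: str) -> bool:
        """Constant-time comparison; counts failures so 10,000 guesses are not free."""
        if self.locked():
            return False
        ok = hmac.compare_digest(self._pin.encode(), candidate.encode())
        if ok:
            self._failures = 0
        else:
            self._failures += 1
        return ok

    def change_pin(self, current: str, new_pin: str) -> bool:
        """Owner-driven change: requires the current PIN and rejects weak replacements."""
        if not self.verify(current):
            return False
        if is_weak_pin(new_pin):
            return False
        self._pin = new_pin
        return True


if __name__ == "__main__":
    print("hardwired 0000 is weak:", is_weak_pin(HARDCODED_PIN))
    unit_pin = provision_pin()          # unique to this unit
    policy = PairingPolicy(unit_pin)
    print("owner pairs with the provisioned PIN:", policy.verify(unit_pin))
    print("an app trying the old default fails:", policy.verify(HARDCODED_PIN))
```

The two things the post’s flaw lacks are both visible here: the secret differs per unit (so knowing one toilet’s PIN tells you nothing about another), and the owner can replace it. The lockout is the extra check a reviewer would ask for, since a four-digit space is small enough to walk through otherwise.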

Also, having the code as ‘0000’ is about as clever as leaving your keys in the door, hoping that any would-be burglar would simply be fooled by your attempt at reverse psychology.

Sophos have advised any ‘My Satis’ users to check their water bills regularly to scan for any ‘unauthorised transactions’ and not to let their friends borrow their phone.

In the meantime, if you have seen any examples of digital age practical jokes, then I’d be very interested to hear about them!