Skip to main content
  1. Home
  2. Smart Home
  3. News

Internet-connected hot tubs can be hacked and controlled remotely

Add as a preferred source on Google
Lars Plougmann/Flickr

Hot tubs are supposed to be a great way to relax, but that’s a little harder to do when you aren’t in control of them. Thousands of hot tubs running a system made by Balboa Water Group have exploits that can be hacked to allow malicious actors to remotely control them, according to a recent report from the BBC.

The issue, discovered by security researchers at the U.K.-based security firm Pen Test Partners, stems from lapses in a mobile app that enables hot tub owners to control their tubs from their phone. Attackers could theoretically gather information found on public resources to find homes with the vulnerable hot tubs and target them. The malicious actors could use third-party databases to find the GPS location data of a given tub and hijack it. There is no authentication that would prevent the attackers from getting into the system.

Recommended Videos

Once the attackers have picked their target, they can assume control of the tub remotely. That means they can make the temperature hotter or colder, take over the pumps and jets, and change the lights. The entire attack can be carried out over a smartphone or laptop.

According to the BBC, Balboa Water Group was caught off guard by the report and said it was “surprised” to learn of the vulnerability. The mobile app that gives users the ability to remotely control their hot tub has been available for about five years and users have never reported any issues or hacking attempts, according to the company.

Balboa Water Group is in the process of addressing the security flaw and plans to have it patched up by the end of February — which is a long time to leave a known flaw unpatched and available to exploit. The company is working with its customers to set up individual usernames and passwords so they can secure their apps. It previously opted not to have users set up personal accounts because it wanted to simplify the activation process. While that might have made things more convenient, the decision also exposed users to having their personal time in the hot tub interrupted by hackers.

AJ Dellinger
AJ Dellinger is a freelance reporter from Madison, Wisconsin with an affinity for all things tech. He has been published by…
GEME Terra 2 review: Can an indoor composter actually reduce kitchen waste?
The GEME Terra 2 makes composting accessible and genuinely rewarding, but you must deal with one crucial indoor woe.
Geme Terra 2 composter

View at Geme

For households trying to reduce food waste, indoor composters promise something appealing: the ability to turn kitchen scraps into usable compost without maintaining a traditional outdoor composter.

Read more
I dug these last-hour Prime Day smart home, laptop, and accessory deals that are irresistible
Deals up to 60% off, a few hours left, and no reason to wait any longer.
Electronics, Phone, Speaker

Amazon's Prime Day 2026 sale is in its final hours, giving you your last chance to get your hands on the best smart home, security, tablet, laptop, and accessory deals. I've pulled together the picks that are still live, still deeply discounted, and still worth buying before the sale ends tonight or until the stock lasts.

Best Amazon Prime Day deals on smart home devices

Read more
The Google Home Speaker is impressive, until you look at the power cable
Sphere, Electronics, Speaker

The Google Home Speaker hasn't even started shipping yet, but one lucky buyer managed to grab one early and share their first impressions. While most of the news is positive, there's one detail that won't sit well with anyone who cares about repairability.

For the unaware, Google announced the speaker back in October 2025, and pre-orders went live last week. Priced at $99, it's the company's first new speaker in six years, so people have plenty of questions. 

Read more