Luxury toilet operated via smartphone app vulnerable to hackers

A smartphone-controlled luxury toilet is open to cyber attack, security firm Trustwave has warned.

The Satis toilet is built by Japanese firm Lixil and retails for up to $5,686 (£3,821).

Functions including automatic flushing, bidet spray, raising and lowering of the lid, music and fragrance release can be controlled by an Android application called "My Satis" via Bluetooth.

However, a security flaw means that any of the toilets can be controlled by any smartphone that has the app installed.

The PIN to pair the toilet with the app is 0000 for every model and is hard-coded, so it cannot be changed or reset by the owner, meaning nothing can be done to prevent anyone accessing the functions.

"Any person using the "My Satis" application can control any Satis toilet. An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner," explains the Trustwave advisory.

"Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user."

The limited range of Bluetooth means the hacker would have to be quite close to the toilet in order to activate the features, so a user's biggest worry is probably practical jokes from friends or family.

"It's easy to see how a practical joker might be able to trick his neighbours into thinking his toilet is possessed as it squirts water and blows warm air unexpectedly on their intended victim, but it's hard to imagine how serious hardened cybercriminals would be interested in this security hole," security expert Graham Cluley told the BBC.