Toilet hackers could snoop on your poop, steal data of a “personal nature” [VIDEO]

SATIS Android appJoe Orton described the men’s room as the “last bastion of male privilege”, but a vulnerability in luxury lavatories discovered by security researchers suggests that you may not be as safe and secure in the smallest room of your house as you might have imagined.

Indeed, not only could hackers take remote control of your loo – causing it to unexpectedly flush or close the lid at inopportune moments – but they could also be snooping on your pooping.

If you aren’t of a delicate disposition, read on…

One of the pleasures of visiting Japan is to encounter the high-tech lavatories.

Sign up to our free newsletter.
Security news, advice, and tips.

Toilets in the country are often brimming with bells and whistles, allowing you not only to listen to your favourite Rolling Stones tracks while you drop the kids off at the pool, but also to adjust the seat temperature, give you an integrated bidet-style rinse, dry you with warm air, and deodorize whatever remains.

As you can see from the following promotional video for the Satis luxury toilet, the array of options can be quite bewildering to those of us who have never experienced such restroom complexity in the past.


However, there’s bad news just over the horizon.

As BBC News reports, the Satis toilet manufactured by Japanese firm Lixil has an embarrassing security problem.

The toilet, which can sell for up to $5,686 (£3,821), can be controlled by an Android app called “My Satis”.

The app allows you to perform a number of functions, communicating with the lavatory via Bluetooth. However, because the Bluetooth PIN is hardcoded to “0000”, anyone who has the app installed can send instructions to the luxury toilet, say researchers at Trustwave:

As such, any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.

Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

The good news is that this vulnerability lies in how the Android app communicates with the smart toilet over Bluetooth – which means any mischief-maker would need to be sitting within about 30 feet to hijack your loo.

Defecation diary in My Satis appSo, a practical joker in a high-rise apartment in Tokyo might be able to freak out his close neighbours by squirting water unexpectedly or slamming down the toilet seat, but it’s hard to imagine how serious hardened cybercriminals would be interested in this security hole.

Although many of the media reports have focused on the comedy elements of what a hacker could do with a hijacked loo, there is actually the opportunity for hackers to steal information as well… information of an… ahem… very personal nature.

I used Google to translate the Japanese-language description of the app:

“To record on the calendar defecation situation daily, it is possible to health care is “toilet diary”. You can see at a glance enjoyable health state of each month by recording the bowel movement. Defecation record is a simple operation to choose from on the screen shape, color, and health status.”

Quite why anyone would want to steal information like that is a question I leave for the reader to answer, but it’s clearly a gross invasion of privacy.

More and more everyday household goods are having computer technology integrated into them, as their manufacturers attempt to differentiate themselves from their bog-standard competitors with bells and whistles.

Trustwave says that it contacted the toilet manufacturer on three occasions in the last two months, to advise them of their security blunder – but has received no response.

Although this vulnerability seems largely harmless, what’s clear is that companies building household appliances need to smarten up about security rather than just racing to implement features that users may not actually need or want.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Toilet hackers could snoop on your poop, steal data of a “personal nature” [VIDEO]”

  1. spryte

    As a Crohn's sufferer I can see the value of keeping a 'Diary'…

    Perhaps more targeted spam for some 'Miracle' cure is the object here for those suffering from IBD/IBS (or other digestive issues)??

  2. How do you know if you have been hacked ?

    .. go back and check the logs !

    1. Stew Green · in reply to Stew Green

      Graham isn't stopping these hackers … your jobbie ?

      1. Graham CluleyGraham Cluley · in reply to Stew Green

        It's a big job, but somebody's got to do it.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.