Manage Access to iAqualink

[matthanna]

We just bought a house with a pool with an iAqualink setup, and the builder walked me through connecting to it today. It appears that the "token" to associate the pool with my account is simply the fixed serial number of the iAqualink Web Connect Device.
So, that means the former owners of the house - or really anyone who walks past the equipment pad and notes down the serial number - could connect to and control my pool, correct?
I'm not really that worried about someone taking over the pool in the future or the former owners messing with it, but it does seem prudent to at least do a reset now that we've moved in to ensure we're the only ones with access. To be clear, I setup my own iAqualink account, but it seems that anyone with the ABC-123-XYZ-456 serial number from the physical antenna puck could associate the pool to their account and control it.

Am I understanding this correctly? Does anyone know of a solution for this?

Thanks!

 

[generessler]

Afaik, you are 100% correct. Only the serial is needed to control the pool. Once someone knows it, they can create new accounts linked to the pool all day. There appears to be no way to prevent it. This is one of many reasons Jandy/Fluidra needs a major overhaul of their software.

The security mechanism is - according to the Jandy web site - that you can't register unless you have access to the same network the iAqualink device is on:

How about Security? Can I remove someone's access to my pool?
The homeowner has full control of who has access to the iAquaLink. While connected to the home network (the same network the iAquaLink is connected to), you can remove your pool from other user accounts. Your iAquaLink device is as secure as the network it is connected to. Reasonable steps can be taken to secure your home network - such as changing the SSID (the network name), not broadcasting the SSID, or changing the network password (sometimes referred to as passphrase or key). Because all routers are slightly different, detailed instructions on how to do this may be found in the owner's manual for the router, or by contacting the router manufacturer's customer or technical support department.

I can't verify this works from where I am now. I do have two accounts that register my pool, and I can't see one from the other. So I don't see how you'd remove accounts of others (like previous owners). Jandy documents don't seem to show this.

 

[matthanna]

Thanks much for the reply. I see that now on their website; I'll look around for it again in my app / web interface and maybe email them if I can't find it.

 

[generessler]

Thanks much for the reply. I see that now on their website; I'll look around for it again in my app / web interface and maybe email them if I can't find it.

Cool. I did verify that you must create the pool registration from the same LAN where that the iAqualink runs in. That's good. As long as you have a strong password and up-to-date encryption on your home router, new linkages to the pool are restricted.

I also emailed Fluidra support asking how to remove an unwanted account from your pool's registration. No reply yet. I do hazily remember that when we bought our house in 2020, I created an iAqualink account, registered the pool, and at that time did see information about the former owners in the manager UI, which I was able to delete. I can't remember details. But now, my two accounts can't see each other. Not sure what's going on.

 

[generessler]

I got a response to my question about removing unwanted accounts from a given pool.

"We can remove the device from other users if requested by the homeowner. There is not a way to remove other accounts using the iAqualink application at this time."

So their documentation is incorrect.

I'm an IT guy. Revocation of access is a problem when adversaries become involved. Think landlord/tenant, divorcing couple, etc. My guess is their app once had it, but they removed it due to customer relations or legal problems.

 

[matthanna]

Awesome - thank for the follow-up and update! And that makes sense.

I'll reach out to them to clean up our account.

 

[matthanna]

Well, that was so easy it's concerning. Fluidra didn't really verify my identity at all; they just let me kick everyone else off of the pool. It's the result I wanted, but it feels a little odd that my smart outlet controlling a lightbulb has multi-factor authentication but taking over the control system to my 21k gallon pool is trivial!