Hacking Hotels 101
romka1 writes "Wired has an interesting interview with Adam Laurie, chief security officer of the London security and networking firm ALD. Laurie was able, using a laptop, a TV tuner and an infrared port, to access premium content and billing information of all the rooms in the hotel, watch how other guests access their emails, and access the desktop of a backend computer, clicking icons on the desktop and launching applications."
Read the article. He says most systems don't even use passwords.
Usually, it's just the room number :)
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Actually, I just read the article on this on FARK and the process the guy is describing is kind of fascinating. Basically, since the TV is controlled by the IR signal from the remote, almost anything the hotel has accessible is accessible through IR (and the program this guy wrote). Up to and including, apparently, some hotels' mini-bars, which are controllable by IR remote (locking due to local prohibitions, or so the maid can restock them, etc). It's actually this sort of hacking, not PC hacking, that I think has the possibility of causing the largest backlash in coming years. As more and more things become complicated pieces of electronic equipment (ferinstance: hotel mini-bars) and computers become more powerful and portable, it's going to become more and more possible to interface with all sorts of equipment. Stealing some guy's tax records off his hard drive is bad, but in most cases people just don't viscerally respond to it. Identity theft, no matter how terrifying credit card companies try to make it, just doesn't strike as much of a chord with people. But being able to walk away with free booze, that's something. Or let's say wireless becomes more prevalent in small scale communications. In some buildings, say a grocery store, or school, there's probably going to come a point where it will be cheaper to rig up some form of wireless PA system, rather than running new wires or whatever. With the proper effort, any standardized communication system can be hijacked. Now, admittedly, if it was me, I'd be in the grocery store whispering, "Snausages!" in varying tones of voice over the PA, but I can see all sorts of ways things could go. Suffice to say, hacking computers to most people is still just so much techno-magic. When it has a physical effect that can be directly observed, that will make it something much different.
(Another possible example: let's say they go to RFID tagging cars, and priority tag police cruisers or other emergency vehicles for getting through traffic lights and whatnot, well, there's another easily imagined opportunity.) Sorry, I'm babbling. In short, when computers are illegal, only criminals will have computers. Okay, I'm done.
This is a classic case of "security through obscurity". The hotels (or rather, their vendors) are relying on the fact that nobody knows how their system works to keep it secure. They just broadcast everything and figure, "Hey, you need one of our special remotes to do anything, so we're safe".
I think it is important to blame the vendors as well as the hotels. Two days ago I got a sales presentation of a document management system called "DocStar". The sales weasel kept going on and on about security, repeating himself with how it has security "at the level of individual pixels". But whenever I tried to pin him down about how that system is actually secure, he had nothing. As near as I can tell, their whole pitch is "It's secure because we say it is". Right. I'm supposed to take his word for it, when vendors demonstrate over and over, with cases like this, that their security usually amounts to "We hope nobody will ever try to break in".
Gag.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I was in a hotel a few months ago, plugged into the free ethernet (for which I was very thankful), checking my e-mail, editing my documents on a remote server, chatting on IRC and browsing work sites (all over SSH, TLS, and SSL). My work consists amongst other things of testing Web browsers, and at one point I had to determine why one browser was not handling some HTTP headers correctly, so I fired up tcpdump to check exactly what headers were going over the wire.
What I saw scared the heck out of me. SQL queries from the hotel reservation system, including things like the results of "SELECT * FROM RESERVATIONS" and "INSERT INTO ROOMS ..." and so on, with full credit card numbers, addresses, names, room numbers, lengths of stays, the works.
Not only was it all unencrypted, but they were broadcasting all that information to every ethernet port in every room. You can just imagine the potential for identity theft and burglary networks ("he'll be gone til Tuesday!"). And I wouldn't be surprised if you could actually just send out your own SQL queries if you wanted to ("I'll be staying for another week, honest!").
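An added example, not part of the comment above or of any hotel system's code: a defender-side check that flags cleartext SQL statements and Luhn-valid card numbers in payloads captured on a network you operate, the two exposures the comment describes. The payloads are constructed samples, and `audit_payload`, `luhn_ok` and the regexes are names and patterns assumed for this example.

```python
import re

# Statement openers that should never be readable on a guest-facing segment.
SQL_RE = re.compile(
    rb"\b(SELECT\s.{1,200}?\sFROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b",
    re.I | re.S,
)
# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_payload(payload: bytes) -> list:
    """Return (kind, evidence) findings; card numbers are masked in the report."""
    findings = []
    for m in SQL_RE.finditer(payload):
        text = m.group(0).decode("ascii", "replace")
        findings.append(("cleartext-sql", " ".join(text.split()).upper()))
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"\D", b"", m.group(0)).decode()
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(("card-number", masked))
    return findings


# Constructed sample payloads (not captured traffic); 4111... is a test number.
SAMPLES = [
    b"SELECT * FROM RESERVATIONS",
    b"INSERT INTO ROOMS VALUES (214, 'J. Doe', '4111 1111 1111 1111', '2005-07-30')",
    b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0)),  # TLS-like record
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLES):
        print(i, audit_payload(p))
```

Any finding on a guest-reachable port means back-office database traffic is both unencrypted and not segmented away from the rooms.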
Premium channels are generally movie/porn/sports channels.
When you are at dinner or in a bar/pub and order something other than a well cocktail you are getting a premium (granted this actually has a graduated scale). BTW, never drink well, that crap will kill you.
When you fill your car up with "Premium" it doesn't mean you get it free.
This is old news and was discussed at ShmooCon in February 2005:
http://www.shmoocon.org/2005/program.html#major
This is very easy to do. Cracking 802.11 broadcasting networks is really easy. There are websites that explain step by step how to do it. There is a coffee shop in Seattle on 15th Ave where I live that is always hopping. Mostly laptops, it looks like a friggin office. BUT friends found a flaw in the security and sniff out everything. We actually had a party in which they read emails (very private) they had transferred right off people's hard drives. Some even scoured webmail accounts after getting usernames. Some people have the most obvious password! More security is needed!!
My first day of work in a hotel, I see a guest come in with a VCR tucked in under his arm. I ask him if he's planning on watching some movies. He says no, he's planning on recording some. He tells me all he has to do is plug in his VCR, tune around until he finds someone watching a movie, then hit record.
Over the years, I've learned a lot more. Basically, the world of hotel entertainment is run by two companies, LodgeNet and OnCommand. Both use almost identical technology. The way it basically works is hotels buy commercial television sets that have a port on the back to control the tuner. An RF interface plugs into this port and allows signals to be sent over the coaxial cable to a server and receive signals from the server.
Let me explain how it works. The hotel puts all the regular television (called free-to-guest in the lingo) on a certain range of channels. The commercial set is then programmed to only allow tuning from the remote in that range. If the guest tried to go higher than say 30, it wraps back to say 2. Entering a number from the remote higher than the range won't work either.
Now the remote has some special buttons. Let's say a guest hits the main menu button. The IR receiver on the commercial TV passes the signal to the RF unit, which sends it over the coax to the server. The server starts up a video stream and outputs it through a video card to a modulator. The server tells the commercial TV "tune to channel 43". Since the guest can't normally tune to this channel, the only way he sees it is when the server tells his TV to tune there. The guest can now interact with the server and only he sees what he is doing because he's the only one the server lets turn to channel 43.
For hotel info, movies, this is how the guest gets the content. If it's a web browser session, it's the same thing only using essentially a terminal server session.
Now, the problem is there's only about a handful of commercial TV sets made. It's not terribly difficult to obtain or borrow a master remote from someone. You can copy the button commands into your PDA or universal remote, then next time you are at a hotel with that brand of television, just tune around until you find something interesting to watch. Or, bring your own tuner like the guy with the VCR or the article talks about.
Some ways hotels are dealing with this is locking off the connection so you can't just plug in a tuner. You can cut the cable, but I wouldn't recommend it if you don't want to be charged for the repair. But the master remotes are still out there and still universally known.
Smaller or older hotels that have regular televisions use a little IR dongle to control the television instead of a card that plugs in the back, but it's the same principle.
I've always wondered why warez groups don't pick up on this as a way to get first-run movies. The hospitality window is about two months after a movie hits theaters (just after home pay-per-view but before DVD). The source is either DVD or digital files downloaded directly to the server, so the quality should be excellent. Just bring a FireWire capture card with your laptop and you can release "screener" quality with virtually no risk.
Not that I would ever do something like that of course...just saying...
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
I was happy to find an ethernet port in my room at a hotel I was staying at some time ago, I plugged in my laptop and got all set up via DHCP. I checked my mail, checked slashdot, etc.. got bored, decided to play with nmap...
I found some laptop (I assume) with IIS running on it, and some ugly website for a home siding and windowing company on it, I read it, wasn't interested.. But still, it seems that some people don't realize they're entering a fairly high speed and insecure network when plugging into most hotel setups.
A few other helpful tips: You can use any old generic cable TV converter box to watch. I would recommend the Scientific Atlanta 8511 or similar. It's the size of a small clock radio and works with almost all universal remotes.
Also search eBay for 'coax removal tool' if you need to get around those pesky security sleeves.
One interesting tidbit about my 8511 converter box. At first it did not work with any remote control. I took it apart and found a small jumper wire running from the input pin of the IR decoder to ground. Effectively disabling the IR remote control of the box. Upon removing the jumper, the remote worked fine. And it looked like a factory job too, so apparently some bastard cable co's ordered their boxes intentionally crippled.
you can pull the card out of the back of the tv on lodgenet systems...move the jump 1 pin over and auto program the tv and watch whatever anyone else is watching...including internet
Of course, I only use my equipment and software to make legitimate backups of the DVDs I have purchased. That said, I use the following:
Hardware: NEC 3520A dual-layer burner. It has all kinds of great firmware hacks available that make it region free, enable bit-setting (allows your DVD+R media to self-identify as DVD-ROM so it plays on more DVD players), and disables Rip-Lock so you can copy the data off more quickly (rip-lock limits it to about 2 x speed when copying a DVD-ROM)
Software:
DVDShrink - it allows you to shrink a dual-layer disk (about 9GB) to a single-layer (4.5GB) with compression. It also allows you to replace video pieces with still-images. This can reduce the amount of compression - for example, my Usual Suspects has a Widescreen and Fullscreen version. I replaced the fullscreen version with a still-image and I didn't have to compress the widescreen at all to fit a single-layer disk. It also removes PUO (prohibited user options - you know, the "you can't do that with this disk"), and removes region coding. That way, you can watch the DVDs you bought on your trip to Europe (though you still have to reconvert PAL to NTSC).
DVD Decrypter - this program is more robust than DVD Shrink, and provides many more options for manipulating your drive and the output. When DVD Shrink can't handle something, I use DVD Decrypter to copy the disk to my hard drive, then use DVDShrink to make it fit on a single layer disk.
Note that even if your drive is region free, Windows will keep track of your changes on its own. If it's region free, it will assign a default region and let you change it once. This is in the registry and is independent of the drive's settings itself. I accidentally let my drive get set to region-2. Even after flashing the original firmware back on it, I could not get it off region-2. Only after deleting all references in the registry to the drive (while the drive was removed), was I able to get Windows to return to region-1.