Hacking Hotels 101
romka1 writes "Wired has an interesting interview with Adam Laurie, chief security officer of the London security and networking firm ALD. Laurie was able, using a laptop, a TV tuner and an infrared port, to access premium content and billing information for all the rooms in the hotel, watch how other guests access their emails, and access the desktop of a backend computer, clicking icons on the desktop and launching applications."
probably because most of the passwords were
"password"
"(name of hotel)"
etc.
Don't Tread on Me
I've not looked at the TVs in every hotel I've ever stayed at, but when I have, the cable going to the TV was locked and you couldn't unscrew it if you wanted to.
;)
Still, this makes me want to pick up a USB TV tuner for next time I travel.
"Additionally, he could use hidden codes that transmitted from the remote-control device to the TV through infrared to control functions in the system...Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack. Laurie doesn't plan to release the program."
Booooo, release the code!
If you wanna get rich, you know that payback is a bitch
Maybe /. staff doesn't want us to be talking about DVD ripping with software?
/. staff posted a comment why no comments are allowed.
It would have been nice if
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
"Plugging the TV into the tuner, which is the size of a laptop power pack, and the tuner into his laptop, Laurie is able to use his laptop to pick up content through hotel TVs that the backend system is broadcasting but not currently displaying on the TV."
Wouldn't he plug the cable, not the TV, into the tuner? Or maybe he split the cable. It would surprise me to find out that hotel TVs have some form of signal out. For what reason?
This is because in the interests of usability, these systems do not use WEP. In the case of the university, their security consists of not honoring DHCP requests if the system doesn't know your MAC, and hiding the ESSID. Again, no WEP. I have sat in conferences and watched people checking their email. (That's also good for, how shall we say, 'social intelligence.')
The bottom line is, and always will be, that people need to pay attention to how the technology they use works. If they don't know, then it is to a certain extent their own problem.
To combat this, all my wireless systems, including the ones I use at home, use a VPN to connect to my home router, and then the traffic goes out from there. The VPN uses a cryptographic key for authentication, not a password, and all traffic except for DHCP requests goes over it. The best someone can really accomplish at the network level is to bump me off the network, at which point the VPN falls over too, and no data is compromised. The system at home also uses WEP, and requires that all machines connecting over wireless use a VPN to get routed from the router to, well, anywhere, even the LAN.
"But what about after the data leaves your cable modem at home?" That's a valid concern. So any data that I'm really concerned about is encrypted going out of there too. The catch is that, of course, I can't do that all the time, and it could still give someone a lot of intelligence by monitoring the traffic. At that point, though, I have a legitimate beef with the cable company, just as users who plug their computer into a hotel ethernet port (not wireless) have a beef with the hotel if someone in the adjacent room sniffs their traffic.
The sad reality is that most people have absolutely no data security at all. Often times, they give themselves the illusion of security by doing something like using some snake-oil crypto product on their Windows machine, which is still clearly open to a number of software-based attacks. And, of course, if you compromise the hardware, nothing is going to save your ass.
Sitting at home, I see six wireless networks. One of them is mine. Four of them don't have any indication of whose they are, so they get a bit of security through obscurity in terms of someone trying to attack them directly. Nevertheless, three of the four are insecure, and the fourth uses only WEP. Of those three unsecured networks, they're broadcasting all sorts of crap in the clear, and two of the three are ridden with spyware and viruses to the point that I can tell remotely using only passive means.
The last guy got interesting. He removed the confusion about whose network was whose, at least with regard to his, by putting his last name in the SSID. The network is wide open.
At the moment, we have a pretty crummy system - a D-Link router - yes, I know why this is bad, but we're changing that (we knew about this to begin with).
My question to the slashdot crowd is, what can you think of that we can do to stop a guest from running their own DHCP server? (screwing the network)
I have a *friend* who travels a lot who has been doing this with the TVs for years.
Although most hotels lock the F-connector on the outside of the wall jack, remove the two screws for the wall jack and you can access the F-connector on the inside. I don't know if the systems are checking for missing TVs yet, but as a precaution a decent splitter should be used so the TV doesn't go missing when you connect your laptop. Someday they will wise up and check. Then an engineer will knock on your door to see if there is a problem with your TV.
Everything comes back from the headend via a TV channel. The system just allocates the channels as they are needed. The problem with this is you can only have about 80 people using the premium content at one time (because some channels are used for the regular content). Of course, I hear there are rarely more than 10-15 using the system simultaneously. If you scan the TV channels at 4am, you probably won't find much activity.
This leads me to the other point which is overlooked in the article. Yes, you can see porn and PPV movies but only if somebody ordered it. If it hasn't been ordered, then it won't be shown. Now for porn, stumbling across the active channel in the middle of the movie isn't too bad. But if it's a PPV movie that you haven't seen, you just have to get lucky. Obviously the larger the hotel and the more guests, the better your chances of finding what you want.