Slashdot Mirror


Hacking Hotels 101

romka1 writes "Wired has an interesting interview with Adam Laurie, chief security officer of the London security and networking firm ALD. Laurie was able, using a laptop, a TV tuner and an infrared port, to access premium content and billing information for all the rooms in the hotel, watch how other guests access their emails, and access the desktop of a backend computer, clicking icons on the desktop and launching applications."

35 of 224 comments

  1. ya by Heem · · Score: 4, Interesting

    probably because most of the passwords were

    "password"

    "(name of hotel)"

    etc.

    --
    Don't Tread on Me
    1. Re:ya by zbyte64 · · Score: 2, Informative

      Read the article. He says most systems don't even use passwords.

    2. Re:ya by mikael · · Score: 2, Informative

      Usually, it's just the room number :)

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:ya by LowbrowDeluxe · · Score: 5, Informative

      Actually, I just read the article on this on FARK and the process the guy is describing is kind of fascinating. Basically, since the TV is controlled by the IR signal from the remote, almost anything the hotel has accessible is accessible through IR (and the program this guy wrote). Up to and including, apparently, some hotels' mini-bars are controllable by IR remote (locking due to local prohibitions, or so the maid can restock them, etc). It's actually this sort of hacking, not PC hacking, that I think has the possibility of causing the largest backlash in coming years. As more and more things become complicated pieces of electronic equipment (Ferinstance: Hotel mini-bars) and computers become more powerful and portable, it's going to become more and more possible to interface with all sorts of equipment. Stealing some guy's tax records off his hard drive is bad, but in most cases people just don't viscerally respond to it. Identity theft, no matter how terrifying credit card companies try to make it, just doesn't strike as much of a chord with people. But being able to walk away with free booze, that's something. Or let's say wireless becomes more prevalent in small scale communications. In some buildings, say a grocery store, or school, there's probably going to come a point where it will be cheaper to rig up some form of wireless PA system, rather than running new wires or whatever. With the proper effort, any standardized communication system can be hijacked. Now, admittedly, if it was me, I'd be in the grocery store whispering, "Snausages!" in varying tones of voice over the PA, but I can see all sorts of ways things could go. Suffice to say, hacking computers to most people is still just so much techno-magic. When it has a physical effect that can be directly observed, that will make it something much different.

      (Another possible example: let's say they go to RFID tagging cars, and priority tag police cruisers or other emergency vehicles for getting through traffic lights and whatnot, well, there's another easily imagined opportunity.) Sorry, I'm babbling. In short, when computers are illegal, only criminals will have computers. Okay, I'm done.

    4. Re:ya by Hogwash+McFly · · Score: 2, Funny

      Oh yeah, you want a seriously righteous hack, you score one of those Hiltons man. You know, the hotels they use to like, rent rooms and stuff.

      *rubs nipple*

      Wouldn't you just love to get one of those Hiltons baby...

      --
      Mother, do you think they'll like this sig?
    5. Re:ya by double-oh+three · · Score: 2, Interesting

      If you're typing in the HTML formatted comment box, remember that (take away the _) does the same work as an enter key.

      I'll post my comment from Fark below:

      This isn't that new, as I heard a presentation on it at ShmooCon in DC earlier this year. The blurb about the presentation is reproduced below from this page.


      "Old Skewl Hacking: Infra Red - MMIrDA (Major Malfunction's Infra Red Discovery Application)" Major Malfunction

      Major Malfunction spends a lot of time travelling. Consequently he spends a lot of time in Hotels. Hotels have Pay-Per-View. Hotels have infra-red remote controlled TVs. And so, to while away the hours, MMIrDA was born...

      Infra Red is all around us. Most of us will use an Infra Red controller on more or less a daily basis, to change the TV channel, or open a car or garage door, but how often have you thought about how it actually works? This talk will describe not only how to analyse the signals being sent by your remote, but also how to use that information to find hidden commands and reveal functions you didn't even know your systems had. You will learn how to brute force garage doors, car doors, hotel pay-per-view TV systems, take over LED signs, vending machines and even control alarm systems, using cheap or home made devices and free software.

      DEFCON Goon since DC5. White Hat hacker since the late 70s. Co-founder of InterFACE, one of the earliest Internet streaming pirate radio stations (1995).


      /got into Shmoo for free
      //no didn't sneak in
      ///free passes for DC2600 members -- hope they do it again

      --
      "For years, I struggled with reality... but I'm happy to say I finally won out over it." -- Elwood P. Dowd
    6. Re:ya by ColaMan · · Score: 2, Insightful

      but have they gotten in the backdoor?

      That's the difference :-)

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    7. Re:ya by Fishead · · Score: 2, Interesting

      I stayed at a Rainbow Hotel in Oslo last month, and the internet was a nuisance. The largest time card I could buy was 24 hours, and cost the same as a whole month of internet at home. The access cards were scratch-off name and password with ~ 8 random characters for each.

      Rome was more reasonably priced (and only a one time purchase for my entire stay) but they had a nasty habit of shutting down my connection when I was idle. That meant that at the end of every long Gmail I typed, I would have to reset my connection before I could complete the send. My solution to that was to just get the biggest Linux ISO I could find, and start downloading. Them trying to be frugal on bandwidth ticked me off so much that I used 50 times the bandwidth I would have if they had just left me connected.

      A hotel I stayed at in Connecticut advertised internet for the length of my stay, just 3 dollars. It was great, they gave me a password, but I didn't even need it. When checkout time came, I had to tell them that I used the internet or they wouldn't have billed me.

  2. Why? by turtled · · Score: 5, Insightful

    Why is it okay for "agencies" to go and find vulnerabilities in public networks, but as soon as a high school student finds a hole, tells someone, then no one does anything, he has to exploit it to get noticed, then charged with some stupid "hacker crime"?

    --
    "I cannot think of any need in childhood as strong as the need for a father's protection." -- Sigmund Freud
    1. Re:Why? by Kiaser+Wilhelm+II · · Score: 2, Insightful

      Who said he had permission? When did he get permission to spy on other people's private information from those people?

      --
      Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
      Destroyer of Mercatur.Net
    2. Re:Why? by Grey+Ninja · · Score: 3, Insightful

      The man was just looking to get FREE PORN! Didn't you read TFA?

    3. Re:Why? by Anonymous Coward · · Score: 2, Insightful

      Why do Ivy League schools teach Machiavelli instead of a warmed over high school civics class?

      It all boils down to getting away with what you can because you inherently have more power. There is no inherent "morality" involved in any given legal system or government. Anyone over the age of 7 should be able to recognise this on a daily basis.

      Besides, it's important to have a fake set of rules for individuals to follow and conform to... otherwise we'd all be living in a permanent state of chaos. Just imagine millions of gun owning people behaving the way nation states do!

  3. Oh, I see how it is by Anonymous Coward · · Score: 5, Funny

    I do that, and I go to jail for 5 years. He does it and he's on Slashdot!

  4. OFF TOPIC: /. Poll Locked by h4rm0ny · · Score: 4, Insightful


    Well where else can you put a comment about comments being blocked?

    Anyone explain why the # DVD's ripped poll has been locked?

    Anyway, /. discussion normally stems from the first four or five posts, so this question will sink down to the bottom with time anyway.

    -H.

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    1. Re:OFF TOPIC: /. Poll Locked by darkonc · · Score: 2, Funny

      It's not permanently disabled. You just need the proper infrared code to unlock it. I've got it right here, on my laptop....

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  5. Inspiration... by utopicillusion · · Score: 5, Funny

    He did it for free porn!!

    1. Re:Inspiration... by ChazeFroy · · Score: 2, Informative

      This is old news and was discussed at ShmooCon in February 2005:

      http://www.shmoocon.org/2005/program.html#major

  6. Security through obscurity by DragonHawk · · Score: 5, Informative

    This is a classic case of "security through obscurity". The hotels (or rather, their vendors) are relying on the fact that nobody knows how their system works to keep it secure. They just broadcast everything and figure, "Hey, you need one of our special remotes to do anything, so we're safe".

    I think it is important to blame the vendors as well as the hotels. Two days ago I got a sales presentation of a document management system called "DocStar". The sales weasel kept going on and on about security, repeating himself with how it has security "at the level of individual pixels". But whenever I tried to pin him down about how that system is actually secure, he had nothing. As near as I can tell, their whole pitch is "It's secure because we say it is". Right. I'm supposed to take his word for it, when vendors demonstrate over and over, with cases like this, that their security usually amounts to "We hope nobody will ever try to break in".

    Gag.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  7. My own experience by hixie · · Score: 4, Informative

    I was in a hotel a few months ago, plugged into the free ethernet (for which I was very thankful), checking my e-mail, editing my documents on a remote server, chatting on IRC and browsing work sites (all over SSH, TLS, and SSL). My work consists amongst other things of testing Web browsers, and at one point I had to determine why one browser was not handling some HTTP headers correctly, so I fired up tcpdump to check exactly what headers were going over the wire.

    What I saw scared the heck out of me. SQL queries from the hotel reservation system, including things like the results of "SELECT * FROM RESERVATIONS" and "INSERT INTO ROOMS ..." and so on, with full credit card numbers, addresses, names, room numbers, lengths of stays, the works.

    Not only was it all unencrypted, but they were broadcasting all that information to every ethernet port in every room. You can just imagine the potential for identity theft and burglary networks ("he'll be gone til Tuesday!"). And I wouldn't be surprised if you could actually just send out your own SQL queries if you wanted to ("I'll be staying for another week, honest!").

    1. Re:My own experience by hixie · · Score: 2, Insightful

      Yeah, I'm guessing they just had everyone on a hub. (Even if they used a switch, though, you could still get to see this stuff using ARP floods to redirect the traffic through your machine.)

    2. Re:My own experience by Kiaser+Wilhelm+II · · Score: 5, Funny

      Some of these hotels/motels run pretty amateur operations for their "high speed access", so having a hub wouldn't surprise me at all.

      Even if the network is switched, one could just use a simple ARP poisoning tool such as ettercap to poison the MAC address table and make the switch go into "hub mode".

      Recently, I was at a Super 8 Motel in Addison, TX for business. I had a lot of free time at the motel, so I got in my laptop and used the wireless. The connection was painfully slow, 3000-8000ms pings to everywhere. I fired up ettercap (ARP poisoning isn't necessary on wireless, but ettercap is still a cool sniffing tool regardless) and saw that some bonehead was saturating the T1 with Gnutella downloads of pornographic pictures.

      I could care less that he is looking at porn, but he was hogging all the bandwidth. I solved the problem by "stealing" his IP address and generating some traffic to keep the ARP table of the motel's router associating the "stolen" IP address with my MAC so that he could not use the internet.

      --
      Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
      Destroyer of Mercatur.Net
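
A defender's view of the ARP behaviour described in the two comments above, as an added example that is not part of the original thread: a passive monitor that parses ARP packets and alerts when an IP address is claimed by a MAC other than the one pinned for it (the gateway) or first seen for it (a guest's address). All addresses, the pinned gateway entry and the function names are constructed for illustration.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # Ethernet/IPv4 ARP body, 28 bytes
REQUEST, REPLY = 1, 2


def parse_arp(raw):
    """Decode an Ethernet/IPv4 ARP body; raise ValueError on anything else."""
    if len(raw) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (REQUEST, REPLY):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return oper, sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


class ArpMonitor:
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # ip -> mac configured by the operator (gateway, servers)
        self.learned = {}           # ip -> first mac seen claiming it
        self.asked = set()          # (asker_ip, wanted_ip) requests not yet answered
        self.reported = set()       # (ip, mac) pairs already alerted on
        self.alerts = []

    def observe(self, when, raw):
        try:
            oper, mac, ip, target = parse_arp(raw)
        except ValueError:
            return                  # not something this monitor understands
        # A reply nobody asked for is how a poisoned entry is usually pushed.
        unsolicited = oper == REPLY and (target, ip) not in self.asked
        if oper == REQUEST:
            self.asked.add((ip, target))
        else:
            self.asked.discard((target, ip))
        if ip == "0.0.0.0":         # ARP probe: the sender has no address yet
            return
        if ip in self.pinned:
            kind, expected = "pinned-mismatch", self.pinned[ip]
        else:
            kind, expected = "binding-changed", self.learned.setdefault(ip, mac)
        if mac != expected and (ip, mac) not in self.reported:
            self.reported.add((ip, mac))
            self.alerts.append({"time": when, "kind": kind, "ip": ip,
                                "expected": expected, "seen": mac,
                                "unsolicited": unsolicited})


def run_monitor(packets, pinned):
    """Feed (timestamp, raw_arp) pairs through a monitor and return its alerts."""
    monitor = ArpMonitor(pinned)
    for when, raw in packets:
        monitor.observe(when, raw)
    return monitor.alerts


def build_arp(oper, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Build a constructed ARP body for the sample data below."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))

    def ip(a):
        return ipaddress.IPv4Address(a).packed

    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


# Constructed sample traffic: a normal lookup, then one MAC claiming the
# gateway's address and later a guest's address.
PINNED = {"10.0.0.1": "00:11:22:33:44:55"}
SAMPLE_PACKETS = [
    (0.0, build_arp(REQUEST, "aa:aa:aa:00:00:21", "10.0.3.21", "10.0.0.1")),
    (0.1, build_arp(REPLY, "00:11:22:33:44:55", "10.0.0.1", "10.0.3.21")),
    (5.0, build_arp(REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.3.21")),
    (6.0, build_arp(REQUEST, "bb:bb:bb:00:00:40", "10.0.3.40", "10.0.0.1")),
    (9.0, build_arp(REPLY, "de:ad:be:ef:00:01", "10.0.3.40", "10.0.0.1")),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_PACKETS, PINNED):
        print(alert)
```
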
  8. Re:premium content? by justMichael · · Score: 2, Informative
    What the hell is premium content? I hear marketroids use it all the time now. According to dictionary.com premium means, among other things " Something offered free or at a reduced price as an inducement to buy something else.". What's the problem if someone gets "premium" content for free then?
    Read a little further down...
    6. The amount at which something is valued above its par or nominal value, as money or securities.
    Premium channels are generally movie/porn/sports channels.

    When you are at dinner or in a bar/pub and order something other than a well cocktail you are getting a premium (granted this actually has a graduated scale). BTW, never drink well, that crap will kill you.

    When you fill your car up with "Premium" it doesn't mean you get it free ;), it's a higher grade than the norm, thus you pay a premium for it.
  9. Most Hotel TV are locked though right? by bogie · · Score: 2, Interesting

    I've not looked at the TVs in every hotel I've ever stayed at, but when I have, the cable going to the TV was locked and you couldn't unscrew it if you wanted to.

    Still, this makes me want to pick up a USB tv tuner for next time I travel. ;)

    "Additionally, he could use hidden codes that transmitted from the remote-control device to the TV through infrared to control functions in the system...Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack. Laurie doesn't plan to release the program."

    Booooo, release the code!

    --
    If you wanna get rich, you know that payback is a bitch
  10. My theory... by antdude · · Score: 2, Interesting

    Maybe /. staff doesn't want us to be talking about DVD ripping with softwares?

    It would have been nice if /. staff posted a comment why no comments are allowed.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  11. Could that be right? by FrenchSilk · · Score: 2, Interesting

    Plugging the TV into the tuner, which is the size of a laptop power pack, and the tuner into his laptop, Laurie is able to use his laptop to pick up content through hotel TVs that the backend system is broadcasting but not currently displaying on the TV. Wouldn't he plug the cable, not the TV, into the tuner? Or maybe he split the cable. It would surprise me to find out that hotel TVs have some form of signal out. For what reason?

  12. Some other (more useful) comments. by Randseed · · Score: 5, Interesting
    For what it's worth, I do the same thing sometimes when I'm stuck in traffic at this particular intersection in front of a hotel that provides free 802.11b to their guests. I haven't sniffed the traffic because I'm never there long enough and I don't care either, but I have no doubt that were I to do so I'd get all sorts of juicy cleartext passwords, usernames, network information, and God only knows what else. Oh, and by the way, it also works at my university, which is a major academic institution.

    This is because in the interests of usability, these systems do not use WEP. In the case of the university, their security consists of not honoring DHCP requests if the system doesn't know your MAC, and hiding the ESSID. Again, no WEP. I have sat in conferences and watched people checking their email. (That's also good for, how shall we say, 'social intelligence.')

    The bottom line is, and always will be, that people need to pay attention to how the technology they use works. If they don't know, then it is to a certain extent their own problem.

    To combat this, all my wireless systems, including the ones I use at home, use a VPN to connect to my home router, and then the traffic goes out from there. The VPN uses a cryptographic key for authentication, not a password, and all traffic except for DHCP requests goes over it. The best someone can really accomplish at the network level is to bump me off the network, at which point the VPN falls over too, and no data is compromised. The system at home also uses WEP, and requires that all machines connecting over wireless use a VPN to get routed from the router to, well, anywhere, even the LAN.

    "But what about after the data leaves your cable modem at home?" That's a valid concern. So any data that I'm really concerned about is encrypted going out of there too. The catch is that, of course, I can't do that all the time, and it could still give someone a lot of intelligence by monitoring the traffic. At that point, though, I have a legitimate beef with the cable company, just as users who plug their computer into a hotel ethernet port (not wireless) have a beef with the hotel if someone in the adjacent room sniffs their traffic.

    The sad reality is that most people have absolutely no data security at all. Often times, they give themselves the illusion of security by doing something like using some snake-oil crypto product on their Windows machine, which is still clearly open to a number of software-based attacks. And, of course, if you compromise the hardware, nothing is going to save your ass.

    Sitting at home, I see six wireless networks. One of them is mine. Four of them don't have any indication of whose they are, so they get a bit of security through obscurity in terms of someone trying to attack them directly. Nevertheless, three of the four are insecure, and the fourth uses only WEP. Of those three unsecured networks, they're broadcasting all sorts of crap in the clear, and two of the three are ridden with spyware and viruses to the point that I can tell remotely using only passive means.

    The last guy got interesting. He removed the confusion about whose network was whose, at least with regard to his, by putting his last name in the SSID. The network is wide open.

  13. Not really news if they don't name the hotels by riversky · · Score: 2, Informative

    This is very easy to do. Cracking 802.11 broadcasting networks is really easy. There are websites that explain step by step how to do it. There is a coffee shop in Seattle on 15th Ave where I live that is always hopping. Mostly laptops, it looks like a friggin office. BUT friends found a flaw in the security and sniff out everything. We actually had a party in which they read emails (very private) they had transferred right off people's hard drives. Some even scoured webmail accounts after getting usernames. Some people have the most obvious password! More security is needed!!

  14. This is old news within the hospitality industry by JoeShmoe · · Score: 5, Informative

    My first day of work in a hotel, I see a guest come in with a VCR tucked in under his arm. I ask him if he's planning on watching some movies. He says no, he's planning on recording some. He tells me all he has to do is plug in his VCR, tune around until he finds someone watching a movie, then hit record.

    Over the years, I've learned a lot more. Basically, the world of hotel entertainment is run by two companies, LodgeNet and OnCommand. Both use almost identical technology. The way it basically works is hotels buy commercial television sets that have a port on the back to control the tuner. An RF interface plugs into this port and allows signals to be sent over the coaxial cable to a server and receive signals from the server.

    Let me explain how it works. The hotel puts all the regular television (called free-to-guest in the lingo) on a certain range of channels. The commercial set is then programmed to only allow tuning from the remote in that range. If the guest tried to go higher than say 30, it wraps back to say 2. Entering a number from the remote higher than the range won't work either.

    Now the remote has some special buttons. Let's say a guest hits the main menu button. The IR receiver on the commercial TV passes the signal to the RF unit, which sends it over the coax to the server. The server starts up a video stream and outputs it through a video card to a modulator. The server tells the commercial TV "tune to channel 43". Since the guest can't normally tune to this channel, the only way he sees it is when the server tells his TV to tune there. The guest can now interact with the server and only he sees what he is doing because he's the only one the server lets turn to channel 43.

    For hotel info, movies, this is how the guest gets the content. If it's a web browser session, it's the same thing only using essentially a terminal server session.

    Now, the problem is there's only about a handful of commercial TV sets made. It's not terribly difficult to obtain or borrow a master remote from someone. You can copy the button commands into your PDA or universal remote, then next time you are at a hotel with that brand of television, just tune around until you find something interesting to watch. Or, bring your own tuner like the guy with the VCR or the article talks about.

    Some ways hotels are dealing with this is locking off the connection so you can't just plug in a tuner. You can cut the cable, but I wouldn't recommend it if you don't want to be charged for the repair. But the master remotes are still out there and still universally known.

    Smaller or older hotels that have regular televisions use a little IR dongle to control the television instead of a card that plugs in the back, but it's the same principle.

    I've always wondered why warez groups don't pick up on this as a way to get first-run movies. The hospitality window is about two months after a movie hits theaters (just after home pay-per-view but before DVD). The source is either DVD or digital files downloaded directly to the server, so the quality should be excellent. Just bring a FireWire capture card with your laptop and you can release "screener" quality with virtually no risk.

    Not that I would ever do something like that of course...just saying...

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  15. I've setup a 120 room hotel by maxrate · · Score: 2, Interesting
    I've set up a 120 room hotel; we wired the joint and installed switches on every floor.

    At the moment, we have a pretty crummy system - a d-link router - yes I know why this is bad, but we're changing that (we knew about this to begin with).

    My question to the slashdot crowd is, what can you think of that we can do to stop a guest from running their own DHCP server? (screwing the network)
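
On managed switches the usual control for the question above is DHCP snooping, which drops DHCP server replies arriving on untrusted (guest-facing) ports. The same decision as a passive monitor, as an added example that is not part of the original thread: it parses DHCP payloads and reports any OFFER/ACK/NAK whose source or server identifier is not an allowed server. Port names, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"               # precedes the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2                    # BOOTP op codes
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send


def parse_options(data):
    """Walk the type-length-value option field and return {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                          # END
            break
        if code == 0:                            # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_reply(payload):
    """Return details of a server reply, or None for client-originated traffic."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(payload[240:])
    msg_type = opts.get(53, b"")                 # option 53: DHCP message type
    if payload[0] != BOOTREPLY or not msg_type or msg_type[0] not in SERVER_TYPES:
        return None
    server_id = opts.get(54, b"")                # option 54: server identifier
    return {
        "type": SERVER_TYPES[msg_type[0]],
        "client_mac": payload[28:28 + min(payload[2], 16)].hex(":"),
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),
        "server_id": str(ipaddress.IPv4Address(server_id)) if len(server_id) == 4 else None,
    }


def find_rogue_servers(frames, allowed):
    """frames: (switch_port, source_ip, dhcp_payload). Returns replies from unlisted servers."""
    alerts = []
    for port, src_ip, payload in frames:
        try:
            reply = parse_reply(payload)
        except ValueError:
            continue                             # malformed, nothing a client would accept
        if reply is None:
            continue
        claimed = reply["server_id"] or src_ip
        if src_ip not in allowed or claimed not in allowed:
            alerts.append({"port": port, "src_ip": src_ip, **reply})
    return alerts


def build_message(op, msg_type, xid, client_mac, offered_ip="0.0.0.0", server_ip=None):
    """Build a constructed DHCP payload for the sample data below."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        bytes(4), ipaddress.IPv4Address(offered_ip).packed,
                        bytes(4), bytes(4),
                        bytes.fromhex(client_mac.replace(":", "")), b"", b"")
    options = bytes([53, 1, msg_type])
    if server_ip is not None:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
    return fixed + MAGIC_COOKIE + options + b"\xff"


# Constructed sample: the hotel's server, a guest device answering DHCP,
# an ordinary client DISCOVER, and a truncated packet.
ALLOWED_SERVERS = {"10.0.0.1"}
GUEST = "aa:aa:aa:00:00:21"
SAMPLE_FRAMES = [
    ("core/uplink", "10.0.0.1",
     build_message(BOOTREPLY, 2, 0x1001, GUEST, "10.0.3.21", "10.0.0.1")),
    ("floor3/port17", "192.168.1.1",
     build_message(BOOTREPLY, 2, 0x1001, GUEST, "192.168.1.100", "192.168.1.1")),
    ("floor2/port04", "0.0.0.0", build_message(BOOTREQUEST, 1, 0x2002, "bb:bb:bb:00:00:40")),
    ("floor2/port09", "10.0.0.1",
     build_message(BOOTREPLY, 5, 0x3003, GUEST, "10.0.3.21", "10.0.0.1")[:242]),
]

if __name__ == "__main__":
    for alert in find_rogue_servers(SAMPLE_FRAMES, ALLOWED_SERVERS):
        print(alert)
```
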

  16. Hotels with free internet rule by Klowner · · Score: 2, Informative

    I was happy to find an ethernet port in my room at a hotel I was staying at some time ago, I plugged in my laptop and got all setup via DHCP. I checked my mail, checked slashdot, etc.. got bored, decided to play with nmap...

    I found some laptop (I assume) with IIS running on it, and some ugly website for a home siding and windowing company on it, I read it, wasn't interested.. But still, it seems that some people don't realize they're entering a fairly high speed and insecure network when plugging into most hotel setups.

  17. Re:This is old news within the hospitality industr by Anonymous Coward · · Score: 2, Informative

    A few other helpful tips: You can use any old generic cable tv converter box to watch. I would recommend the Scientific Atlanta 8511 or similar. Its the size of a small clock radio and works with almost all universal remotes.

    Also search eBay for 'coax removal tool' if you need to get around those pesky security sleeves.

    One interesting tidbit about my 8511 converter box. At first it did not work with any remote control. I took it apart and found a small jumper wire running from the input pin of the IR decoder to ground. Effectively disabling the IR remote control of the box. Upon removing the jumper, the remote worked fine. And it looked like a factory job too, so apparently some bastard cable co's ordered their boxes intentionally crippled.

  18. Re:"screenshots" of internet access being *BROADCA by zakezuke · · Score: 2, Insightful

    I'm willing to bet that all of these channels are using standard cable frequencies (most which fall in the broadcast TV UHF range, albeit with different frequencies), which can be picked up with a cheap $15 B&W portable TV with a slide tuner.
        Are they really too cheap to just use a regular network and WEB-TV-like units in the rooms?


    Hmmm... those cable channels fall into the high VHF range. There are some channels used between 6 and 7 , but I can't remember off the top of my head. I.e. cable channel 14 is the same distance from TV 13 is from TV 12, but UHF 14 IIRC VHF 13 is 210-216MHz CATV is 14(sic) 216-222MHz (also used in marine radio) and UHF 14 is 470-476MHz... I stand corrected... channel 13 + 6MHz = catv 23 there and about. My memory is fuzzy as those first generation digital dial but manual analog tuners allowed you to access a slew of stuff before cable ready TVs were popular. You do have CATV channels 95-99 91.25-119.775MHz smack dab between channels 6 and 7.. which just so happen to be used by FM radio, which would explain why sometimes you could get the playboy channel on your radio.

    But that's not the point, or rather the whole frequency spectrum being totally screwy isn't the point. Why I bothered with that whole paragraph when you were talking about those cheap slide tuner TVs that can access all sorts of weird stuff is beyond me.

    The point is this... Yes, they really are too cheap. Wouldn't you be? Why go with any sort of encryption on a system which for the most part is protected by physical security... lock and key. Got a key, you're spending money. If you spend more money to watch a movie, hotel makes a buck, the provider makes bucks, everyone is happy. Cable feed, monitors broadcast via radio waves from a centralized location in a room without windows deep in employee only zone. If some jack ass steals a TV... well they lost a $800 TV. If some jackass steals a 22 inch network terminal... well they just lost something worth a few grand. Not to speak of support issues, damage, power surges.

    While *I'd* prefer the webTv experience, point and click movies without issues of analog signal degrading by the rats in the walls... I respect the fact that traditional TV from a centralized broadcast location is really the way to go. Hell even for a net terminal I'd still go with a dumb monitor with keyboard relay.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  19. Re:This is old news within the hospitality industr by Anonymous Coward · · Score: 2, Informative

    You can pull the card out of the back of the tv on lodgenet systems...move the jump 1 pin over and auto program the tv and watch whatever anyone else is watching...including internet.

  20. Article leaves out some details by aolsheepdog · · Score: 2, Interesting

    I have a *friend* who travels a lot who has been doing this with the TVs for years.

    Although most hotels lock the F-connector on the outside of the wall jack, remove the two screws for the wall jack and you can access the F-connector on the inside. I don't know if the systems are checking for missing TVs yet, but as a precaution a decent splitter should be used so the TV doesn't go missing when you connect your laptop. Someday they will wise-up and check. Then an engineer will knock on your door to see if there is a problem with your TV.

    Everything comes back from the headend via a TV channel. The system just allocates the channels as they are needed. The problem with this is you can only have about 80 people using the premium content at one time (because some channels are used for the regular content). Of course I hear there are rarely more than 10-15 using the system simultaneously. If you scan the TV channels at 4am, you probably won't find much activity.

    This leads me to the other point which is overlooked in the article. Yes, you can see porn and PPV movies but only if somebody ordered it. If it hasn't been ordered, then it won't be shown. Now for porn, stumbling across the active channel in the middle of the movie isn't too bad. But if it's a PPV movie that you haven't seen, you just have to get lucky. Obviously the larger the hotel and the more guests, the better your chances of finding what you want.

  21. Re:My theory... DVD ripping (for backup purposes!) by hazem · · Score: 2, Informative

    Of course, I only use my equipment and software to make legitimate backups of the DVDs I have purchased. That said, I use the following:

    Hardware: NEC 3520A dual-layer burner. It has all kinds of great firmware hacks available that make it region free, enable bit-setting (allows your DVD+R media to self-identify as DVD-ROM so it plays on more DVD players), and disables Rip-Lock so you can copy the data off more quickly (rip-lock limits it to about 2 x speed when copying a DVD-ROM)

    Software:
    DVDShrink - it allows you to shrink a dual-layer disk (about 9GB) to a single-layer (4.5GB) with compression. It also allows you to replace video pieces with still-images. This can reduce the amount of compression - for example, my Usual Suspects has a Widescreen and Fullscreen version. I replaced the fullscreen version with a still-image and I didn't have to compress the widescreen at all to fit a single-layer disk. It also removes PUO (prohibited user options - you know, the "you can't do that with this disk"), and removes region coding. That way, you can watch the DVDs you bought on your trip to Europe (though you still have to reconvert PAL to NTSC).

    DVD Decrypter - this program is more robust than DVD Shrink, and provides many more options for manipulating your drive and the output. When DVD Shrink can't handle something, I use DVD Decrypter to copy the disk to my hard drive, then use DVDShrink to make it fit on a single layer disk.

    Note that even if your drive is region free, Windows will keep track of your changes on its own. If it's region free, it will assign a default region and let you change it once. This is in the registry and is independent of the drive's settings itself. I accidentally let my drive get set to region-2. Even after flashing the original firmware back on it, I could not get it off region-2. Only after deleting all references in the registry to the drive (while the drive was removed), was I able to get Windows to return to region-1.