Slashdot Mirror


Hacking Hotels 101

romka1 writes "Wired has an interesting interview with Adam Laurie, chief security officer of the London security and networking firm ALD. Laurie was able, using a laptop, a TV tuner and an infrared port, to access premium content and the billing information of all the rooms in the hotel, watch how other guests access their emails, and access the desktop of a backend computer, clicking icons on the desktop and launching applications."

12 of 224 comments

  1. ya by Heem · · Score: 4, Interesting

    probably because most of the passwords were

    "password"

    "(name of hotel)"

    etc.

    --
    Don't Tread on Me
    1. Re:ya by LowbrowDeluxe · · Score: 5, Informative

      Actually, I just read the article on this on FARK and the process the guy is describing is kind of fascinating. Basically, since the TV is controlled by the IR signal from the remote, almost anything the hotel has accessible is accessible through IR (and the program this guy wrote). Up to and including, apparently, some hotels' mini-bars, which are controllable by IR remote (locking due to local prohibitions, or so the maid can restock them, etc). It's actually this sort of hacking, not PC hacking, that I think has the possibility of causing the largest backlash in coming years. As more and more things become complicated pieces of electronic equipment (ferinstance: hotel mini-bars) and computers become more powerful and portable, it's going to become more and more possible to interface with all sorts of equipment. Stealing some guy's tax records off his hard drive is bad, but in most cases people just don't viscerally respond to it. Identity theft, no matter how terrifying credit card companies try to make it, just doesn't strike as much of a chord with people. But being able to walk away with free booze, that's something. Or let's say wireless becomes more prevalent in small scale communications. In some buildings, say a grocery store, or school, there's probably going to come a point where it will be cheaper to rig up some form of wireless PA system, rather than running new wires or whatever. With the proper effort, any standardized communication system can be hijacked. Now, admittedly, if it was me, I'd be in the grocery store whispering, "Snausages!" in varying tones of voice over the PA, but I can see all sorts of ways things could go. Suffice to say, hacking computers to most people is still just so much techno-magic. When it has a physical effect that can be directly observed, that will make it something much different.
      (Another possible example: let's say they go to RFID tagging cars, and priority tag police cruisers or other emergency vehicles for getting through traffic lights and whatnot, well, there's another easily imagined opportunity.) Sorry, I'm babbling. In short, when computers are illegal, only criminals will have computers. Okay, I'm done.

  2. Why? by turtled · · Score: 5, Insightful

    Why is it okay for "agencies" to go and find vulnerabilities in public networks, but as soon as a high school student finds a hole, tells someone, then no one does anything, he has to exploit it to get noticed, then charged with some stupid "hacker crime"?

    --
    "I cannot think of any need in childhood as strong as the need for a father's protection." -- Sigmund Freud
    1. Re:Why? by Grey+Ninja · · Score: 3, Insightful

      The man was just looking to get FREE PORN! Didn't you read TFA?

  3. Oh, I see how it is by Anonymous Coward · · Score: 5, Funny

    I do that, and I go to jail for 5 years. He does it and he's on Slashdot!

  4. OFF TOPIC: /. Poll Locked by h4rm0ny · · Score: 4, Insightful


    Well where else can you put a comment about comments being blocked?

    Anyone explain why the # DVD's ripped poll has been locked?

    Anyway, /. discussion normally stems from the first four or five posts, so this question will sink down to the bottom with time anyway.

    -H.

    --

    Help yourself, and Heaven will help you - Jeanne D'Arc.
  5. Inspiration... by utopicillusion · · Score: 5, Funny

    He did it for free porn!!

  6. Security through obscurity by DragonHawk · · Score: 5, Informative

    This is a classic case of "security through obscurity". The hotels (or rather, their vendors) are relying on the fact that nobody knows how their system works to keep it secure. They just broadcast everything and figure, "Hey, you need one of our special remotes to do anything, so we're safe".

    I think it is important to blame the vendors as well as the hotels. Two days ago I got a sales presentation of a document management system called "DocStar". The sales weasel kept going on and on about security, repeating himself with how it has security "at the level of individual pixels". But whenever I tried to pin him down about how that system is actually secure, he had nothing. As near as I can tell, their whole pitch is "It's secure because we say it is". Right. I'm supposed to take his word for it, when vendors demonstrate over and over, with cases like this, that their security usually amounts to "We hope nobody will ever try to break in".

    Gag.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  7. My own experience by hixie · · Score: 4, Informative

    I was in a hotel a few months ago, plugged into the free ethernet (for which I was very thankful), checking my e-mail, editing my documents on a remote server, chatting on IRC and browsing work sites (all over SSH, TLS, and SSL). My work consists amongst other things of testing Web browsers, and at one point I had to determine why one browser was not handling some HTTP headers correctly, so I fired up tcpdump to check exactly what headers were going over the wire.

    What I saw scared the heck out of me. SQL queries from the hotel reservation system, including things like the results of "SELECT * FROM RESERVATIONS" and "INSERT INTO ROOMS ..." and so on, with full credit card numbers, addresses, names, room numbers, lengths of stays, the works.

    Not only was it all unencrypted, but they were broadcasting all that information to every ethernet port in every room. You can just imagine the potential for identity theft and burglary networks ("he'll be gone til tuesday!"). And I wouldn't be surprised if you could actually just send out your own SQL queries if you wanted to ("I'll be staying for another week, honest!").
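
The exposure described in this comment is something a network owner can test for on a guest-facing segment. The following is an added example, not part of the original comment: a Python check that flags captured payloads containing cleartext SQL statements or Luhn-valid card numbers. The sample payloads are constructed and the function names are hypothetical.

```python
import re

# SQL statements that should never be readable on a guest-facing segment.
SQL_RE = re.compile(
    rb"\b(SELECT\s.+?\sFROM|INSERT\s+INTO|UPDATE\s.+?\sSET|DELETE\s+FROM)\b",
    re.IGNORECASE | re.DOTALL)
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out phone numbers, ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first 6 and last 4 digits so findings can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_payload(payload):
    pans = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            pans.append(mask(digits))
    return {"sql": bool(SQL_RE.search(payload)), "pans": pans}

def audit(payloads):
    """Return (index, finding) for each payload leaking SQL or card data."""
    out = []
    for i, p in enumerate(payloads):
        f = scan_payload(p)
        if f["sql"] or f["pans"]:
            out.append((i, f))
    return out

# Constructed payloads: a query, a result row with a well-known test card
# number, a digit run that fails Luhn, and an encrypted-looking record.
SAMPLES = [
    b"SELECT * FROM RESERVATIONS WHERE room=101",
    b"101|J. Doe|4111 1111 1111 1111|2 nights",
    b"ref 1234567890123456 confirmed",
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLES):
        print(idx, finding)
```

Any hit on a port reachable from a guest room means back-office traffic is neither segmented from guest traffic nor encrypted in transit.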

    1. Re:My own experience by Kiaser+Wilhelm+II · · Score: 5, Funny

      Some of these hotels/motels run pretty amateur operations for their "high speed access", so having a hub wouldn't surprise me at all.

      Even if the network is switched, one could just use a simple ARP poisoning tool such as ettercap to poison the MAC address table and make the switch go into "hub mode".

      Recently, I was at a Super 8 Motel in Addison, TX for business. I had a lot of free time at the motel, so I got on my laptop and used the wireless. The connection was painfully slow, 3000-8000ms pings to everywhere. I fired up ettercap (ARP poisoning isn't necessary on wireless, but ettercap is still a cool sniffing tool regardless) and saw that some bonehead was saturating the T1 with Gnutella downloads of pornographic pictures.

      I could care less that he is looking at porn, but he was hogging all the bandwidth. I solved the problem by "stealing" his IP address and generating some traffic to keep the ARP table of the motel's router associating the "stolen" IP address with my MAC so that he could not use the internet.

      --
      Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
      Destroyer of Mercatur.Net
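
The address takeover described in this comment is visible to whoever operates the network: in ARP traffic, one IP alternates between two MAC addresses, which arpwatch reports as a "flip flop". The following is an added example, not part of the original comment: a Python monitor that classifies IP-to-MAC binding changes. The log format, sample observations and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP observations: "<unix time> <sender IP> <sender MAC>".
SAMPLE = """\
1000 10.0.0.1 00:aa:bb:00:00:01
1002 10.0.0.23 00:aa:bb:00:00:23
1060 10.0.0.23 00:cc:dd:00:00:99
1061 10.0.0.23 00:aa:bb:00:00:23
1062 10.0.0.23 00:cc:dd:00:00:99
1300 10.0.0.40 00:aa:bb:00:00:40
5000 10.0.0.40 00:aa:bb:00:00:41
"""

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        ts, ip, mac = parts
        yield int(ts), ip, mac.lower()

def arp_events(text, window=300):
    """Return (ts, ip, kind, old_mac, new_mac) for every binding change.

    'changed'   : the IP moved to a MAC that has not held it recently
                  (new NIC, reassigned lease, or the start of a conflict).
    'flip-flop' : the IP moved back to a MAC that held it within `window`
                  seconds, i.e. two stations are contending for one address.
    """
    current = {}                          # ip -> MAC currently bound
    last_seen = defaultdict(dict)         # ip -> {mac: last timestamp}
    events = []
    for ts, ip, mac in parse(text):
        old = current.get(ip)
        if old is not None and old != mac:
            prev = last_seen[ip].get(mac)
            recent = prev is not None and ts - prev <= window
            events.append((ts, ip, "flip-flop" if recent else "changed", old, mac))
        current[ip] = mac
        last_seen[ip][mac] = ts
    return events

def contested_ips(text, window=300):
    """IPs that at least two MACs are actively fighting over."""
    return sorted({ip for _, ip, kind, _, _ in arp_events(text, window)
                   if kind == "flip-flop"})

if __name__ == "__main__":
    for event in arp_events(SAMPLE):
        print(event)
    print("contested:", contested_ips(SAMPLE))
```

A single 'changed' event is often benign; repeated 'flip-flop' events for one IP are the signal worth alerting on, and switch features such as DHCP snooping with dynamic ARP inspection stop the takeover itself.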
  8. Some other (more useful) comments. by Randseed · · Score: 5, Interesting

    For what it's worth, I do the same thing sometimes when I'm stuck in traffic at this particular intersection in front of a hotel that provides free 802.11b to their guests. I haven't sniffed the traffic because I'm never there long enough and I don't care either, but I have no doubt that were I to do so I'd get all sorts of juicy cleartext passwords, usernames, network information, and God only knows what else. Oh, and by the way, it also works at my university, which is a major academic institution.

    This is because in the interests of usability, these systems do not use WEP. In the case of the university, their security consists of not honoring DHCP requests if the system doesn't know your MAC, and hiding the ESSID. Again, no WEP. I have sat in conferences and watched people checking their email. (That's also good for, how shall we say, 'social intelligence.')

    The bottom line is, and always will be, that people need to pay attention to how the technology they use works. If they don't know, then it is to a certain extent their own problem.

    To combat this, all my wireless systems, including the ones I use at home, use a VPN to connect to my home router, and then the traffic goes out from there. The VPN uses a cryptographic key for authentication, not a password, and all traffic except for DHCP requests goes over it. The best someone can really accomplish at the network level is to bump me off the network, at which point the VPN falls over too, and no data is compromised. The system at home also uses WEP, and requires that all machines connecting over wireless use a VPN to get routed from the router to, well, anywhere, even the LAN.

    "But what about after the data leaves your cable modem at home?" That's a valid concern. So any data that I'm really concerned about is encrypted going out of there too. The catch is that, of course, I can't do that all the time, and it could still give someone a lot of intelligence by monitoring the traffic. At that point, though, I have a legitimate beef with the cable company, just as users who plug their computer into a hotel ethernet port (not wireless) have a beef with the hotel if someone in the adjacent room sniffs their traffic.

    The sad reality is that most people have absolutely no data security at all. Often times, they give themselves the illusion of security by doing something like using some snake-oil crypto product on their Windows machine, which is still clearly open to a number of software-based attacks. And, of course, if you compromise the hardware, nothing is going to save your ass.

    Sitting at home, I see six wireless networks. One of them is mine. Four of them don't have any indication of whose they are, so they get a bit of security through obscurity in terms of someone trying to attack them directly. Nevertheless, three of the four are insecure, and the fourth uses only WEP. Of those three unsecured networks, they're broadcasting all sorts of crap in the clear, and two of the three are ridden with spyware and viruses to the point that I can tell remotely using only passive means.

    The last guy got interesting. He removed the confusion about whose network was whose, at least with regard to his, by putting his last name in the SSID. The network is wide open.

  9. This is old news within the hospitality industry by JoeShmoe · · Score: 5, Informative

    My first day of work in a hotel, I see a guest come in with a VCR tucked in under his arm. I ask him if he's planning on watching some movies. He says no, he's planning on recording some. He tells me all he has to do is plug in his VCR, tune around until he finds someone watching a movie, then hit record.

    Over the years, I've learned a lot more. Basically, the world of hotel entertainment is run by two companies, LodgeNet and OnCommand. Both use almost identical technology. The way it basically works is hotels buy commercial television sets that have a port on the back to control the tuner. An RF interface plugs into this port and allows signals to be sent over the coaxial cable to a server and receive signals from the server.

    Let me explain how it works. The hotel puts all the regular television (called free-to-guest in the lingo) on a certain range of channels. The commercial set is then programmed to only allow tuning from the remote in that range. If the guest tried to go higher than say 30, it wraps back to say 2. Entering a number from the remote higher than the range won't work either.

    Now the remote has some special buttons. Let's say a guest hits the main menu button. The IR receiver on the commercial TV passes the signal to the RF unit, which sends it over the coax to the server. The server starts up a video stream and outputs it through a video card to a modulator. The server tells the commercial TV "tune to channel 43". Since the guest can't normally tune to this channel, the only way he sees it is when the server tells his TV to tune there. The guest can now interact with the server and only he sees what he is doing because he's the only one the server lets turn to channel 43.

    For hotel info, movies, this is how the guest gets the content. If it's a web browser session, it's the same thing only using essentially a terminal server session.

    Now, the problem is there's only about a handful of commercial TV sets made. It's not terribly difficult to obtain or borrow a master remote from someone. You can copy the button commands into your PDA or universal remote, then next time you are at a hotel with that brand of television, just tune around until you find something interesting to watch. Or, bring your own tuner like the guy with the VCR or the article talks about.

    Some ways hotels are dealing with this is locking off the connection so you can't just plug in a tuner. You can cut the cable, but I wouldn't recommend it if you don't want to be charged for the repair. But the master remotes are still out there and still universally known.

    Smaller or older hotels that have regular televisions use a little IR dongle to control the television instead of a card that plugs in the back, but it's the same principle.

    I've always wondered why warez groups don't pick up on this as a way to get first-run movies. The hospitality window is about two months after a movie hits theaters (just after home pay-per-view but before DVD). The source is either DVD or digital files downloaded directly to the server, so the quality should be excellent. Just bring a FireWire capture card with your laptop and you can release "screener" quality with virtually no risk.

    Not that I would ever do something like that of course...just saying...

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing