Slashdot Mirror
Hotel Experience With Android Lightswitches (dreamwidth.org)
jones_supa writes: The hotel in which Matthew Garrett was staying at, had decided that light switches are unfashionable and replaced them with a series of Android tablets. In his tour to the system, one was quickly met with a glitch message "UK_bathroom isn't responding." Anyway, two of the tablets had convenient-looking ethernet cables plugged into the wall, so MacGyver began hacking. He managed to borrow a couple of USB ethernet adapters, set up a transparent bridge and then stick his laptop between the tablet and the wall. Tcpdump showed traffic, and Wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and does not implement authentication. The Pymodbus tool could be used to control lights, turn the TV on/off, and even close and open the curtains. Then he noticed something. His room number was 714. The IP address he was communicating with was 172.16.207.14. They wouldn't, would they? Indeed, he could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that he could control them as well.
See, this is what you get when you have wink-and-nod, everyone-gets-a-trophy education in the schools instead of teaching people not to be stupid by boxing them on the ears when they get out of line.
If he can query the light status, why not polls every room every two minutes or so - and make a note of which rooms had been on, then were turned off implying the owners had left...
Nothing like being able to know a room will have belongings but is unoccupied to make the burglar's work easy.
On a side note I can't really blame them for matching IP to room number, just from a trouble-shooting perspective... the real problem is lacking unique per-room authentication.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"Whoever sold this system to the hotel needs to be outed and publicly shamed."
No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.
"National Security is the chief cause of national insecurity." - Celine's First Law
Sounds like they picked ModbusTCP since it is an incredibly easy standard to implement on very cheap devices (think 10 cent microcontrollers).
Tons of existing devices support it too so not a bad choice from a technical perspective.. unless you care about security.
Modbus has zero security, why would it? It was built to run on serial lines and the tcp-implementation is for all intents and purposes just using a tcp-socket instead of a serial line to chuck bytes over the line.
It entirely relies on the physical security of the network.
The same thing is also true for KNX/EIB-control which is used for building automation all over the world. The issue here is that what used to be secure by being obscure and inside sockets on the wall is now just being extended onto tablets with no thoughts about how people will poke around in the system.
Having 'killed' a building by mistake (typoed a path....tripped all breakers in the building :p) via KNX, I know the lack of security being very real in 'live' environments.
This is not at all new, it has just not been a focus for anyone until fairly recently.
Google around for KNX hacks and you'll see plenty of evidence of the shitty systems which are considered "industry standard" for building automation. Sigh.
Welcome to the Internet of really gadamned stupid things.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.