Hotel Experience With Android Lightswitches

jones_supa writes: The hotel in which Matthew Garrett was staying at, had decided that light switches are unfashionable and replaced them with a series of Android tablets. In his tour to the system, one was quickly met with a glitch message "UK_bathroom isn't responding." Anyway, two of the tablets had convenient-looking ethernet cables plugged into the wall, so MacGyver began hacking. He managed to borrow a couple of USB ethernet adapters, set up a transparent bridge and then stick his laptop between the tablet and the wall. Tcpdump showed traffic, and Wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and does not implement authentication. The Pymodbus tool could be used to control lights, turn the TV on/off, and even close and open the curtains. Then he noticed something. His room number was 714. The IP address he was communicating with was 172.16.207.14. They wouldn't, would they? Indeed, he could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that he could control them as well.

A timothy by any other name ...

[edittard]

The hotel in which Matthew Garrett was staying at

He should check his bill in case they charged him twice.

Hotel Cheaped out.

[Lumpy]

If they used a REAL control system this would not be the issue. but instead they tried to do it as cheap as possible using consumer crap.

Tablets at the light switches is insanely stupid as well. real automation lighting systems still have physical buttons at entryways and doorways for the lights.

Whoever sold this system to the hotel needs to be outed and publicly shamed.

Re:Hotel Cheaped out.

[msauve]

"Whoever sold this system to the hotel needs to be outed and publicly shamed."

No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.

Re:Hotel Cheaped out.

[omglolbah]

Sounds like they picked ModbusTCP since it is an incredibly easy standard to implement on very cheap devices (think 10 cent microcontrollers).
Tons of existing devices support it too so not a bad choice from a technical perspective.. unless you care about security.

Modbus has zero security, why would it? It was built to run on serial lines and the tcp-implementation is for all intents and purposes just using a tcp-socket instead of a serial line to chuck bytes over the line.

It entirely relies on the physical security of the network.
The same thing is also true for KNX/EIB-control which is used for building automation all over the world. The issue here is that what used to be secure by being obscure and inside sockets on the wall is now just being extended onto tablets with no thoughts about how people will poke around in the system.

Having 'killed' a building by mistake (typoed a path....tripped all breakers in the building :p) via KNX, I know the lack of security being very real in 'live' environments.

This is not at all new, it has just not been a focus for anyone until fairly recently.
Google around for KNX hacks and you'll see plenty of evidence of the shitty systems which are considered "industry standard" for building automation. Sigh.

Re:Hotel Cheaped out.

[geoskd]

If they used a REAL control system this would not be the issue.

I can only assume that by "REAL control system" you mean industrial / commercial control system. There are two basic problems with that:

First, The Modbus over TCP protocol *IS* the standard system for industrial controls systems, and has been for over 30 years. This is part of the problem with industrial control systems, and one of the key reasons why SCADA is immediately associated with security fail.

Second, there are *no* proper control systems that are designed to display controls for end users that are both acceptable for customer facing interfaces, and reasonably priced. There are any number of engineering firms out there that will custom design a solution for you, and almost all of them would come up with a system similar to what TFA describes. The reason for that is because security is damn difficult. Because of what security has to accomplish, it has to be built into the very core of the systems design, but it has absolutely no affect on the operation of the system during "normal" use, so it is very easy to demonstrate a working system that has zero security, and the customer would not have any immediately obvious indication that the system has a flaw. There is no other part of the design requirements for a project like this where, parts of the requirements can be absent and the system still functions.

Re:Hotel Cheaped out.

[fgouget]

"Whoever sold this system to the hotel needs to be outed and publicly shamed." No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.

I hope this is sarcastic because otherwise it sounds like you think every scam should be legalized and the blame put squarely on the victims.

Re:Hotel Cheaped out.

[nnull]

Lots of "Industry Standard" stuff that is just not right with the times and plenty of those people will argue against changing.

Re:Hotel Cheaped out.

[thegarbz]

No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.

They did their due diligence. It runs Modbus TCP. That's like an industry standard man. Everyone uses that. It must be good!

Screw control, monitoring more interesting...

[SuperKendall]

If he can query the light status, why not polls every room every two minutes or so - and make a note of which rooms had been on, then were turned off implying the owners had left...

Nothing like being able to know a room will have belongings but is unoccupied to make the burglar's work easy.

On a side note I can't really blame them for matching IP to room number, just from a trouble-shooting perspective... the real problem is lacking unique per-room authentication.

Re:A solution in search of a problem..

[DavidRawling]

That's a ~95% solved problem and has been for decades. Room key on thick plastic block, block goes in a cradle inside the door, activating power to the room. Pull the key to leave and everything goes off.

Worked in the 90's at least when I started traveling for work, and it wasn't just in big city hotels then. Perspex blocks don't have to be smudge-free, don't need extra power of their own, won't break down, are significantly cheaper, can't be trivially hacked to screw with every other room in the hotel - no this is a solution looking for a problem.

Because

[Ol+Olsoc]

Those old fashioned light swtches were just too reliable.

Welcome to the Internet of really gadamned stupid things.

Re:A solution in search of a problem..

[Xolotl]

You put the keycard (these days its more often chip based I think, but anyway) in the cradle by the door and it has the same effect (turn on/off thelights etc), usually except for one power socket which is used for the fridge. Two guests get two keycards so one is always in the room with them. Simple ... works this way across the world.

Re:A solution in search of a problem..

[ericloewe]

"Totally" is a severe exaggeration. Smartasses are never easy to deal with, but they do solve the problem 99% of times.

Also, most people don't just carry around random credit card-sized cards that they're willing to leave behind for a little added convenience.

Tetris?

[SpaghettiPattern]

So, eventually, was he able to play tetris with the hotel as display?