Slashdot Mirror


Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online (zdnet.com)

Catalin Cimpanu, writing for ZDNet: Singapore authorities have fined a Chinese security researcher with SGD$5,000 (USD$3,600) for hacking into a local hotel's WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August, this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference's duration. The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike. He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device. [...] The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online.

60 comments

  1. Should have Telnet disabled by default by olsmeister · · Score: 1

    Time to change the default configuration so that if you want Telnet you have to manually enable it.
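One way to turn that suggestion into a check, as an added illustration that is not part of this thread and is not AntLabs' or the hotel's configuration: a small Python audit that reads a gateway's management settings (in an assumed, simplified key/value format constructed for this example) and flags the two conditions the story turns on, Telnet left enabled and the factory credential left in place, plus a management interface reachable from the guest network. The factory credential and the config keys are constructed placeholders, not real device values.

```python
"""Hardening audit for a WiFi gateway's management settings.

Added example, not from the page or from any vendor. The config format
below (key = value lines under a [management] header) is assumed for the
illustration; a real device would expose its settings differently.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a weak configuration: Telnet on, SSH off,
# factory credential unchanged, management reachable from any network.
WEAK_CONFIG = """\
[management]
telnet_enabled = yes
ssh_enabled = no
admin_user = admin
admin_password = admin
mgmt_bind = any
"""

# Constructed sample after hardening: Telnet off, SSH on, rotated secret,
# management bound to the staff VLAN only.
HARDENED_CONFIG = """\
[management]
telnet_enabled = no
ssh_enabled = yes
admin_user = admin
admin_password = <rotated-secret-from-vault>
mgmt_bind = staff_vlan
"""

# Credentials the device ships with (constructed placeholder, not a real default).
FACTORY_DEFAULTS = {("admin", "admin")}


@dataclass(frozen=True)
class Finding:
    key: str      # which setting triggered the finding
    detail: str   # what is wrong and the recommended fix


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; section headers, blanks and comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> List[Finding]:
    """Return one Finding per weak setting; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    if cfg.get("telnet_enabled", "no").lower() == "yes":
        findings.append(Finding("telnet_enabled",
                                "cleartext Telnet management is enabled; disable it and use SSH"))
    if cfg.get("ssh_enabled", "no").lower() != "yes":
        findings.append(Finding("ssh_enabled",
                                "no encrypted management channel is enabled"))
    if (cfg.get("admin_user"), cfg.get("admin_password")) in FACTORY_DEFAULTS:
        findings.append(Finding("admin_password",
                                "management account still uses the factory default credential; rotate it"))
    if cfg.get("mgmt_bind", "any").lower() == "any":
        findings.append(Finding("mgmt_bind",
                                "management interface reachable from the guest network; bind it to the staff VLAN"))
    return findings


def audit_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_text(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.key}] {f.detail}")
```

The point of the check is the first finding: a device that ships with Telnet off and requires an explicit enable never exposes the cleartext login in the first place, so the default-credential problem has no network path to be found over.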

    1. Re:Should have Telnet disabled by default by Anonymous Coward · · Score: 0

      Windows 7 default setting does just that, so if you want Telnet you have to manually enable it.

    2. Re:Should have Telnet disabled by default by jrumney · · Score: 1

      Windows 7 default setting does just that, so if you want Telnet you have to manually enable it.

      Yeah, great solution, that'll stop people from using telnet to log into other people's wifi routers.

  2. Hacked? by Nkwe · · Score: 5, Insightful

    So trying a default password on a device is "hacking" now? That makes me sad.

    1. Re:Hacked? by Anonymous Coward · · Score: 0

      admin / admin FTW!

    2. Re:Hacked? by bluefoxlucid · · Score: 4, Informative

      Well, yes. Also: Summer2018, Fall2018.

      It's bad form to breach someone's network unannounced and then publish their internal passwords on your blog without informing them.

    3. Re:Hacked? by AmiMoJo · · Score: 2

      Student does something a bit dumb "with a computer" is a story now? That makes me sad.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Hacked? by Anonymous Coward · · Score: 0

      It is bad form not to change the default passwords.

    5. Re:Hacked? by phayes · · Score: 2

      Had he actually cracked the password, sure, no question but revealing that X is still using the _default_ admin password and is open to anyone using it, not so much. I agree an attempt should have been made to notify the hotel but given how some organizations react when you tell them that they left the door wide open (YOU'RE A HACKER!!! I'M CALLING THE AUTHORITIES!!!), that's not always the best thing to do either.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    6. Re:Hacked? by Anonymous Coward · · Score: 0

      Yes, in the legal sense. Even the simplest, most pointless access control is still access control. You need explicit or implicit permission to access a system with access control.

    7. Re:Hacked? by Anonymous Coward · · Score: 4, Insightful

      This may come as a surprise, but in a real world analogy, if a business says to you "you aren't allowed on the premises" and you choose to enter anyway, you can be arrested even though the doors were unlocked and open to the public. It's called trespassing. So to map real world laws to computers, even if there was no security of any kind, accessing the computer without permission would be digital trespassing and would be illegal. Even if the general public is allowed but only you were specifically forbidden.

    8. Re:Hacked? by fibonacci8 · · Score: 1

      Hotel does something dumb, with a computer.
      Student checks to see whether hotel has done something dumb, with a computer.
      Student discovers the hotel has indeed done something dumb, with a computer.
      Student uses computer to mention the discovery to other people with computers.
      Hotel decides to shift blame for their mistake to student, probably the good old fashioned way with a phone call to the authorities. Just a hunch though.

      --
      Inheritance is the sincerest form of nepotism.
    9. Re:Hacked? by Anonymous Coward · · Score: 1

      Except some routers have hardcoded admin passwords which can't be changed nor removed.
      Call them intentional backdoors if you will.

      The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password.

    10. Re:Hacked? by Anonymous Coward · · Score: 0

      So, bad form all around? If you have an easily-guessed password, here, have a fine. Oh, and someone guessed it and published it? Fine for them too. Fines for everyone! Fix your shit.

    11. Re:Hacked? by squiggleslash · · Score: 2

      I recall Linus Torvalds saying that telneting to a Bitkeeper server's service port and typing the word "HELP" amounted to hacking, so our standards are pretty low already.

      --
      You are not alone. This is not normal. None of this is normal.
    12. Re:Hacked? by Anonymous Coward · · Score: 0

      Some ISP-branded routers have the wifi key printed on a sticker on the bottom. I hacked my home network the other day! Now I'll have to hack the Windows firewall so I can host an HTTP server and use it to transfer files to that poor Android computer phone whose MTP file transfer host software has failed. But I don't know if I'll have to do a left click or a right click.

    13. Re:Hacked? by Guybrush_T · · Score: 1

      Yep, it's hardly hacking, and nonetheless stupid from the so-called security researcher.

      I can't count the number of times I could easily get full access to hotels' wireless routers. Most of the time it's completely open.

      Once I could even see all the hotel stuff, invoices (they had an overdue internet bill for 3 months), ... That's what happens when hotels install the internet themselves like they do at home.

    14. Re:Hacked? by anegg · · Score: 1

      accessing the computer without permission would be digital trespassing and would be illegal

      Sure, and "digital trespassing" is wrong (in my opinion). But it's not "digital breaking and entering" (what I would consider hacking to be) (again, in my opinion).

    15. Re:Hacked? by Anonymous Coward · · Score: 0

      No, this is what happens when people don't read manuals.

    16. Re:Hacked? by sarren1901 · · Score: 3, Insightful

      Try going around an apartment complex "testing" doorknobs and see how long before someone confronts you or just outright calls the cops. You aren't allowed to do penetration tests of other people's property without their permission.

      Just because "it's with a computer" doesn't really change anything. Someone leaving their front door unlocked doesn't mean you can come in and wander around. It's still trespassing.

      So really, the article should have said, stupid person that thinks "on a computer" doesn't count.

    17. Re:Hacked? by Anonymous Coward · · Score: 0

      accessing the computer without permission would be digital trespassing and would be illegal

      Sure, and "digital trespassing" is wrong (in my opinion). But it's not "digital breaking and entering" (what I would consider hacking to be) (again, in my opinion).

      Uh, from TFA you obviously did not read:

      "he used various scripts and exploits to elevate his access and eventually discovered the password for a MySQL database that contained information on the hotel's internal Wi-Fi network..."

      You call THAT not breaking and entering? Get the fuck out of here with that stupid shit. Using "various scripts and exploits" is the real-world equivalent of walking up to a house door armed with a dozen bump keys and a 12-gauge door breaching shotgun. You're not just turning the door knob to see if it's unlocked.

    18. Re:Hacked? by anegg · · Score: 1

      You are right, mea culpa... I didn't read the article. Sigh.

    19. Re:Hacked? by Anonymous Coward · · Score: 0

      But, it's with a computer

    20. Re:Hacked? by Cederic · · Score: 1

      Or maybe he should have sought permission before attempting to gain access to the device.

      What he did is a crime in the UK too.

    21. Re:Hacked? by phayes · · Score: 1

      The sum of what he did, sure, especially rooting through the system to find the MySQL database and publishing the deciphered password.

      However, unless there was a prelogon banner message warning people off, attempting to logon using the default password and publishing that & the IP would not have been.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    22. Re:Hacked? by Cederic · · Score: 1

      The moment he's asked to provide credentials and uses a credential not assigned to him he's broken the law.

      There's no grey area here, it's a clear and obvious violation of a security control and a blatantly unauthorised access.

      That the security was shitty is entirely fucking irrelevant, he should never have even known it was shitty.

    23. Re:Hacked? by phayes · · Score: 1

      So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK? Interesting.

      You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

      Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK? Port scanning?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    24. Re:Hacked? by Cederic · · Score: 1

      So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK?

      It's section 1 subsection 1 of the Act. Can't get much simpler than that: https://www.legislation.gov.uk...

      You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

      Most systems in the UK will provide a similar warning, but the law doesn't mandate or require it.

      Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK?

      Technically even entering isn't illegal. It's a civil offence of trespass, not a criminal one. So no, I suspect not - but the police are likely to treat it as probable cause for searching you and potentially inviting you for a long conversation with them at the station. They may even offer you a cup of coffee.

      Port scanning?

      That's complicated, and appears to hinge on 'intent'. See https://www.theregister.co.uk/... for some comedy.

    25. Re:Hacked? by Anonymous Coward · · Score: 0

      Hacking is such a broad term now, I immediately question what someone means when they use the word.

      "Hacking" is a term the media can and does use to describe the following situations:
      Someone leaves their password on a sticky-note on their desk and you have physical access to that note. Gratz you're now a hacker.
      You know enough details about someone, or talk them into revealing details about themselves that can be used to reset their account password. Hacker.
      You watch someone type their password and memorize it. Or they tell it to you in confidence and you betray that confidence. Hacker.
      Phishing and spoofing e-mails are often described as hacking, despite how easy they are to pull off.
      Physically tailgating into a secured area, acquiring information and then releasing it would likely be called a hack by the media.
      Having legitimate access to information and then releasing it in an anonymous way (whistle blowing) will be called a hack by the media.

      I can go on and on with ridiculous examples of how the word is used (misused? who am I to decide...), but you get the picture.

  3. If he were American by waspleg · · Score: 0

    he'd have been charged with life in prison for being a terrorist and whatever else.

    1. Re: If he were American by Anonymous Coward · · Score: 0

      ... where has that EVER happened to an American?

    2. Re: If he were American by Anonymous Coward · · Score: 1

      Aaron Swartz.

    3. Re:If he were American by StikyPad · · Score: 1

      No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

    4. Re:If he were American by infolation · · Score: 1

      This took place in Singapore and, as anyone who's ever worked in Singapore knows, almost everything is illegal and punishable by fines, canings, beatings or imprisonment. The authorities fine you $500 for carrying a Durian fruit on the subway...

    5. Re:If he were American by Anonymous Coward · · Score: 0

      The authorities fine you $500 for carrying a Durian fruit on the subway...

      I know you were presenting it as hyperbolic bureaucratic overreach. But that one isn't as silly as it sounds. Durian has an especially... strong smell. About the same level as your mid-range comic-con on day 2.

    6. Re:If he were American by Obfuscant · · Score: 1

      No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

      Why is that bad? He obtained login credentials that he wasn't authorized to have and posted them for the rest of the world to take advantage of, without telling the hotel that they had a problem.

      Had he stopped at telling the hotel and let them fix it, that would be one thing. He didn't even bother telling them, but he told all his "hacker friends" so they could take advantage of the system.

    7. Re:If he were American by Cederic · · Score: 1

      I'll be there in a couple of months, so I've been researching in advance.

      Must not import chewing gum!

  4. He did publish passwords by gnasher719 · · Score: 4, Insightful

    There was no good reason for that. That's the point where it turned criminal for me. For others the point might have come earlier (I assume that he didn't cause any damage before that).

    Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.

    1. Re:He did publish passwords by mwfischer · · Score: 1

      on the plus side this is probably the only time the company will change their passwords

      hopefully

    2. Re:He did publish passwords by cascadingstylesheet · · Score: 1

      Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.

      Yep.

      I've even heard it called "blaming the victim" when easy access is blamed for unwanted entry.

      Can't we just "teach men not to hack"?

    3. Re:He did publish passwords by phayes · · Score: 1

      Publishing the MySQL password, sure, but revealing that the hotel never changed the default admin telnet password, not so much.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:He did publish passwords by houghi · · Score: 1

      Bad passwords are a very good reason for hacking. Obvious hacks are the most important ones. It does not make it ok to post the bad passwords.

      Also not OK to not inform the hotel.

      And a small explanation as to why I think that these easy hacks are so important. It will make it clear for the hacked person that they need to think about what they are doing. Security is not something technical, it is an attitude.

      Too often I see people who never think about security. They just go along with it, never understanding why.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:He did publish passwords by gweihir · · Score: 3, Insightful

      I agree. And the term "security researcher" seems to be used quite inflationary these days. An actual researcher would have understood professional ethics.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:He did publish passwords by asylumx · · Score: 1

      If I enter your home, bypassing your obvious security measures but not breaking anything (picking your locks, perhaps?) are you arguing that I have not yet done anything illegal? In most countries, that is enough to make it criminal. In some US states, this is enough to warrant that the homeowner has the right to take the intruder's life.

    7. Re:He did publish passwords by Anonymous Coward · · Score: 0

      Would you feel the same if it was a Prison, Library, or Public Records office? Where the key was left in the door and turning it automatically opened not only that door but many inside, including the locked cabinets?

      Would you consider reporting of that a public service or a crime? Now consider that in many cases, the people who run the building just don't care even if you report it to them, or worse, they sic their lawyers on you.

      The public guests have a rightful expectation that the hotel took basic precautions to ensure their privacy and protection. If, in many cases, the lack thereof is not rectified, do we blame people for going the public shaming route? Because that route is actually getting things fixed.

    8. Re:He did publish passwords by Anonymous Coward · · Score: 0

      What he did wasn't picking locks. It was opening an unlocked door.

      In insurance terms, locking the door is evidence that you attempted to protect your goods. If you don't lock the door, some insurers won't cover you for stolen goods. Seems analogous to not changing a default password. The hotel wasn't protecting their network.

  5. What he should have done by Anonymous Coward · · Score: 0

    Give them better passwords.

  6. It smells bad by nospam007 · · Score: 1

    "to hack into the WiFi network of a Fragrance Hotel branch"

    If you tell it like that.

  7. We're Chinese we don't follow no stinking rules by Anonymous Coward · · Score: 0

    Just sayin...

    1. Re:We're Chinese we don't follow no stinking rules by Anonymous Coward · · Score: 0

      Exactly! Thanks for the laugh.

  8. Orgs don't like looking stupid by Anonymous Coward · · Score: 0

    Organizations don't like looking stupid in public.
    Especially when they are stupid.

    This was why the state of Georgia in the USA was trying to push through a new cyber security law this year - because someone accessed state voting information by changing a URL from HTTPS to HTTP. They (the state's lawyers) called that "hacking." It was more about making the Secretary of State look stupid. We tried to work with the representatives to make a good law, but they refused. That's putting it nicely. They didn't want to discuss any options or changes at all. The new law was written by the state's attorneys. They wanted a yes/no vote in the two houses and got it approved. That Dog that the governor, who is leaving office, refused to sign it into law. Sadly, the next governor will be the SoS who set up the voting systems and has been screwing over Georgians. And he's the better choice on the ballot.

    The law got backing from companies in the state, because it would make any access, even without "hacking" for things that weren't meant to be available, a crime. Delete an "S", be convicted of a crime. Total BS.

    Don't embarrass organizations, even when that is the only way to get any movement towards security from them.

    Sad, so sad.

    1. Re:Orgs don't like looking stupid by Anonymous Coward · · Score: 0

      It's still hacking, it's just skid level hacking.

    2. Re:Orgs don't like looking stupid by Anonymous Coward · · Score: 0

      It is not your responsibility or privilege to "show them" how bad they are at security. If you disapprove of their security, don't do business with them.

  9. Tencent by DaMattster · · Score: 1

    Tencent, along with QQ, represents the shithole of the internet. I've had to block their entire assignment of IP addresses because nothing but intrusion and spam-sending attempts come from them. Good riddance!

  10. What The Fuck? by Anonymous Coward · · Score: 0

    What the Fuck with these people being called, "researchers"?

    That's like calling a burglar a Security Consultant.

    Fuck you. Execute this Piece of shit and hang his body from a bridge.

    1. Re: What The Fuck? by Anonymous Coward · · Score: 0

      Seems a little excessive for compromising some hotel WiFi

  11. Poor hotel? What about the consumers? by Anonymous Coward · · Score: 0

    I don't get the people talking of "what about the poor hotel?"

    What about the poor customers? What about the thousands upon thousands of people who are at greater risk to theft and extortion because of the hotel's gross negligence?

    I agree that the researcher making a public blog post without informing the hotel was a tacky thing to do, but the only victim of bad security isn't the business. The business isn't even the main victim. It's the many, many consumers who the business advertises its services to.

    1. Re: Poor hotel? What about the consumers? by edris90 · · Score: 1

      The potential for harm to the customer service of that hotel, if not fully informed about the lack of security on the hotel network, outweighs the concern for the hotel who was negligent in securing their IT.

    2. Re: Poor hotel? What about the consumers? by edris90 · · Score: 1

      Correction. The customers served by the hotel

  12. useless news by nazsco · · Score: 1

    and no link to blog post so I can decide myself if that was a hack or just using the default password.