Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online (zdnet.com)

Posted by msmash on from the "not-cool,-bro"-hotel-guys dept.

Catalin Cimpanu, writing for ZDNet: Singapore authorities have fined a Chinese security researcher with SGD$5,000 (USD$3,600) for hacking into a local hotel's WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August, this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference's duration. The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike. He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device. [...] The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online.

36 of 60 comments (clear)

  1. Should have Telnet disabled by default by olsmeister · · Score: 1

    Time to change the default configuration so that if you want Telnet you have to manually enable it.

    1. Re:Should have Telnet disabled by default by jrumney · · Score: 1

      Windows 7 default setting does just that, so if you want Telnet you have to manually enable it.

      Yeah great solution, that'll stop people from using telnet to log into other peoples' wifi routers.

  2. Hacked? by Nkwe · · Score: 5, Insightful

    So trying a default password on a device is "hacking" now? That makes me sad.

    1. Re:Hacked? by bluefoxlucid · · Score: 4, Informative

      Well, yes. Also: Summer2018, Fall2018.

      It's bad form to breach someone's network unannounced and then publish their internal passwords on your blog without informing them.

      --
      Support my political activism on Patreon.
    2. Re:Hacked? by AmiMoJo · · Score: 2

      Student does something a bit dumb "with a computer" is a story now? That makes me sad.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Hacked? by phayes · · Score: 2

      Had he actually cracked the password, sure, no question but revealing that X is still using the _default_ admin password and is open to anyone using it, not so much. I agree an attempt should have been made to notify the hotel but given how some organizations react when you tell them that they left the door wide open (YOU'RE A HACKER!!! I'M CALLING THE AUTHORITIES!!!), that's not always the best thing to do either.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:Hacked? by Anonymous Coward · · Score: 4, Insightful

      This may come as a surprise, but in a real world analogy, if a business says to you "you aren't allowed on premise" and you choose to enter any way, you can be arrested even though the doors were unlocked and open to the public. It's called trespassing. So to map real world laws to computers, even if there was no security of any kind, accessing the computer without permission would be digital trespassing and would be illegal. Even if the general public is allowed but only you were specifically forbidden.

    5. Re:Hacked? by fibonacci8 · · Score: 1

      Hotel does something dumb, with a computer.
      Student checks to see whether hotel has done something dumb, with a computer.
      Student discovers the hotel has indeed done something dumb, with a computer.
      Student uses computer to mention the discovery to other people with computers.
      Hotel decides to shift blame for their mistake to student, probably the good old fashioned way with a phone call to the authorities. Just a hunch though.

      --
      Inheritance is the sincerest form of nepotism.
    6. Re:Hacked? by Anonymous Coward · · Score: 1

      Except some routers have hardcoded admin passwords which can't be changed nor removed.
      Call them intentional backdoors if you will.

      [code]The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password. [/code]

    7. Re:Hacked? by squiggleslash · · Score: 2

      I recall Linus Torvalds saying that telneting to a Bitkeeper server's service port and typing the word "HELP" amounted to hacking, so our standards are pretty low already.

      --
      You are not alone. This is not normal. None of this is normal.
    8. Re:Hacked? by Guybrush_T · · Score: 1

      Yep, it's hardly hacking, and nonetheless stupid from the so-called security researcher.

      I can't count the number of times where I could easily get full access to hotels wireless routers. It's most of the times completely open.

      Once I could even see all the hotel stuff, invoices (they had an overdue internet bill for 3 months), ... That's what happens when hotels install the internet themselves like they do at home.

    9. Re:Hacked? by anegg · · Score: 1

      accessing the computer without permission would be digital trespassing and would be illegal

      Sure, and "digital trespassing" is wrong (in my opinion). But its not "digital breaking and entering" (what I would consider hacking to be) (again, in my opinion).

    10. Re:Hacked? by sarren1901 · · Score: 3, Insightful

      Try going around an apartment complex "testing" doornobs and see how long before someone confronts you or just outright calls the cops. You aren't allowed to do penetration test of other peoples' property without their permission.

      Just because "its with a computer" doesn't really change anything. Someone leaving their front door unlocked doesn't mean you can come in and wander around. It's still trespassing.

      So really, the article should of said, stupid person that thinks "on a computer" doesn't count.

    11. Re:Hacked? by anegg · · Score: 1

      You are right, mea culpa... I didn't read the article. Sigh.

    12. Re:Hacked? by Cederic · · Score: 1

      Or maybe he should have sought permission before attempting to gain access to the device.

      What he did is a crime in the UK too.

    13. Re:Hacked? by phayes · · Score: 1

      The sum of what he did, sure especially rooting through the system to find the MySQL database and publish the decyphered password.

      However, unless there was a prelogon banner message warning people off, attempting to logon using the default password and publishing that & the IP would not have been.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    14. Re:Hacked? by Cederic · · Score: 1

      The moment he's asked to provide credentials and uses a credential not assigned to him he's broken the law.

      There's no grey area here, it's a clear and obvious violation of a security control and a blatantly unauthorised access.

      That the security was shitty is entirely fucking irrelevant, he should never have even known it was shitty.

    15. Re:Hacked? by phayes · · Score: 1

      So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK? Interesting.

      You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

      Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK? Port scanning?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    16. Re:Hacked? by Cederic · · Score: 1

      So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK?

      It's section 1 subsection 1 of the Act. Can't get much simpler than that: https://www.legislation.gov.uk...

      You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

      Most systems in the UK will provide a similar warning, but the law doesn't mandate or require it.

      Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK?

      Technically even entering isn't illegal. It's a civil offence of trespass, not a criminal one. So no, I suspect not - but the police are likely to treat it as probably cause for searching you and potentially inviting you for a long conversation with them at the station. They may even offer you a cup of coffee.

      Port scanning?

      That's complicated, and appears to hinge on 'intent'. See https://www.theregister.co.uk/... for some comedy.

  3. He did publish passwords by gnasher719 · · Score: 4, Insightful

    There was no good reason for that. That's the point where it turned criminal for me. For others the point might have come earlier (I assume that he didn't cause any damage before that).

    Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.

    1. Re:He did publish passwords by mwfischer · · Score: 1

      on the plus side this is probably the only time the company will change their passwords

      hopefully

    2. Re:He did publish passwords by cascadingstylesheet · · Score: 1

      Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.

      Yep.

      I've even heard it called "blaming the victim" when easy access is blamed for unwanted entry.

      Can't we just "teach men not to hack"?

    3. Re:He did publish passwords by phayes · · Score: 1

      Publishing the MySQL password, sure, but revealing that the hotel never changed the default admin telnet password, not so much.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:He did publish passwords by houghi · · Score: 1

      Bad passwords a very good reason for hacking. Obvious hacks are the most important ones. It does not make it ok to post the bad passwords.

      Also not OK to not inform the hotel.

      And a small explanation as to why I think that these easy hacks are so important. It will make it clear for the hacked person that they need to think about what they are doing. Security is not something technical, it is an attitude.

      To often I see people who bever think about security. They just go along with it, never understanding why.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:He did publish passwords by gweihir · · Score: 3, Insightful

      I agree. And the term "security researcher" seems to be used quite inflationary these days. An actual researcher would have understood professional ethics.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:He did publish passwords by asylumx · · Score: 1

      If I enter your home, bypassing your obvious security measures but not breaking anything (picking your locks, perhaps?) are you arguing that I have not yet done anything illegal? In most countries, that is enough to make it criminal. In some US states, this is enough to warrant that the homeowner has the right to take the intruder's life.

  4. Re: If he were American by Anonymous Coward · · Score: 1

    Aaron Schwartz.

  5. It smells bad by nospam007 · · Score: 1

    "to hack into the WiFi network of a Fragrance Hotel branch"

    If you tell it like that.

  6. Re:If he were American by StikyPad · · Score: 1

    No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

    --
    https://www.eff.org/https-everywhere
  7. Re:If he were American by infolation · · Score: 1

    This took place in Singapore and, as anyone who's ever worked in Singapore knows, almost everything is illegal and punishable by fines, canings, beatings or imprisonment. The authorities fine you $500 for carrying a Durian fruit on the subway...

  8. Tencent by DaMattster · · Score: 1

    Tencent, along with QQ, represents the shithole of the internet. I've had to block their entire assignment of IP addresses because nothing but intrusion and spam-sending attempts come from them. Good riddance!

  9. Re:If he were American by Obfuscant · · Score: 1

    No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

    Why is that bad? He obtained login credentials that he wasn't authorized to have and posted them for the rest of the world to take advantage of, without telling the hotel that they had a problem.

    Had he stopped at telling the hotel and let them fix it, that would be one thing. He didn't even bother telling them, but he told all his "hacker friends" so they could take advantage of the system.

  10. Re:If he were American by Cederic · · Score: 1

    I'll be there in a couple of months, so I've been researching in advance.

    Must not import chewing gum!

  11. Re: Poor hotel? What about the consumers? by edris90 · · Score: 1

    The potential for harm to the customer service of that hotel, if not fully informed about the lack of security on the hotel network, outweighs the concern for the hotel who was negligent in securing their IT.

  12. Re: Poor hotel? What about the consumers? by edris90 · · Score: 1

    Correction. The customers served by the hotel

  13. useles news by nazsco · · Score: 1

    and no link to blog post so I can decide myself if that was a hack or just using the default password.