How Your Next Hotel Room Could Be Hacked

Credit: Atiketta Sangasaeng/Shutterstock

A guest checks into a hotel room and sits down on the bed for a relaxing bit of television. He picks up the hotel-supplied tablet and sets the curtains to close, the TV to switch to his favorite news program and the lights to dim.

Instead, the curtains open and close, the toilet flushes and the lights start flashing on and off. The air-conditioning blasts and the temperature drops.

This might sound like a scene from a bad comedy or a horror movie. But it isn't poltergeists: it's the work of a hacker who has compromised the hotel's room-control systems. With the advent of the Internet of Things, the same thing could happen in a home.


A real hotel hack was accomplished at the St. Regis in Shenzhen, China, by independent security researcher Jesus Molina, who will be presenting his work at the Black Hat security conference in Las Vegas this August.

The hotel offers an iPad 2 to guests, allowing remote control of drapes, air-conditioning, TV and the like. With a little tinkering, Molina found that he could use it to take control of any room in the hotel.

While he didn't go into technical details about how he was able to take control of the hotel's central controls — he's saving that for Black Hat — the principle, Molina said, is simple: reverse-engineering the protocols used by the iPad for the wireless communications with the hotel.

Networks that weren't designed with security in mind

Molina was able to do so because the hotel was using an old wired communications protocol called KNX that was never designed for use as a wireless protocol. Security was never part of it, Molina said, and there was simply no authentication built in.

That lack of security allowed Molina to create his own network client and take over any room in the hotel. The "bridge" from the KNX protocol to the iPad 2 can make any iPad 2 into a client, connected via the Internet, which means Molina's prank on the Shenzhen St. Regis can be pulled from anywhere.

Molina said such issues are forcing people to rethink how we set up the Internet of Things.

"The solution is to rethink the strategy and provide a way for me to be connected to the room, instead of using an iPad, which not only was insecure, as proven, but terribly cumbersome," Molina wrote in an email.

This is especially true because the Internet of Things involves more than just connecting a home network to the Internet to control your porch lights.

"Things we carry will provide semantic information to a cloud-based system, which will in turn connect with other things," Molina said. "The information provided by them can be cross-correlated and processed, so if you are sad coming home (the trackers can detect our mood and location) a drone will be sent to get you flowers, and when you arrive, your Roku will play your favorite song."

The problem is that the protocols to do this safely and securely haven't really been developed yet. Molina noted that the advent of software-defined radios (SDRs) will make the security problems even more acute, since even if different systems use different protocols — a cumbersome situation for developers and hackers alike — a good SDR can enable a hacker to reverse-engineer it quickly.

How to stop hotel-room hackers

Companies that build hotel control systems are already grappling with the problem. Bill Schafer, senior director of lighting controls at Crestron, a Rockleigh, New Jersey-based automation-systems maker, noted that at the Revel Casino Hotel in Atlantic City, the network that controls the rooms had to be largely separated from the ones that handle the hotel's other business, and both of those are separate from the network used by guests for Internet access.

Frank Bonini, executive director of property technology at the Revel, said that the networks are set up with secure ports, and that if anyone tried to connect another device to the room-control network, it would shut down access. The devices in the rooms are Android tablets made by Cisco, set up so that their capabilities are limited.

At Evolve, a Port Washington, New York-based vendor of hotel-automation systems, chief technology officer Haig Didizian said the company uses a protocol called Z-Wave, connected through Microsoft's Azure platform. The systems are set up so that only a very limited amount of data can get from the device in the room to the control system.

"You could hack the tablet, but then it would only talk to the server," Didizian said.

That doesn't mean some networks aren't badly designed. Schafer bid on one job where he found that a hotel system was being run from a server that had open ports connected to several other buildings. The original network might have been set up for convenience — it meant that one could diagnose problems from any location — but it also was a wide open door to hackers of all kinds.

"I am sitting in front of this building in my car, looking at controls of a major museum in Manhattan," Schafer recalled, describing how he could hop onto the hotel's network wirelessly, then use it to access control networks of unrelated facilities. (Crestron took the job and fixed the problem.)

The vulnerabilities get even scarier when one thinks of the Internet of Things in terms of devices such as drones, which Amazon recently proposed as a way to deliver packages. A hacker with a software-defined radio could produce a lot of havoc with drones.

While we want and need security, problems arise when we also want usability, and it's hard to design a user-friendly hotel network in a secure fashion. There has to be a way to authenticate who is connecting to what, but a password-based hotel-room-control system, as found on a home Wi-Fi network, probably isn't workable.

"You don't want to have to enter a password to use the coffee maker," Molina said.
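An added sketch of the authentication gap described in this article (not code from Molina, the hotel or any vendor): a constructed room-control model, not KNX, in which one controller accepts any client's command for any room and another requires an HMAC tag under a per-stay room key. The command format, class names and the idea of provisioning the key to the room tablet at check-in, so the guest types no password, are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model for illustration; a command is (room, device, action).

def sign(key, room, device, action, counter):
    """HMAC-SHA256 over length-prefixed fields so boundaries are unambiguous."""
    parts = (str(room).encode(), device.encode(), action.encode(), str(counter).encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class OpenController:
    """Mirrors the flaw described above: any client may name any room."""
    def handle(self, room, device, action):
        return f"room {room}: {device} -> {action}"

class AuthenticatedController:
    """Accepts a command only with a valid tag under that room's per-stay key."""
    def __init__(self):
        self._keys = {}      # room -> key for the current stay
        self._last_ctr = {}  # room -> highest counter accepted (replay guard)

    def check_in(self, room):
        # Fresh random key per stay, so the previous guest's key stops working.
        self._keys[room] = secrets.token_bytes(32)
        self._last_ctr[room] = 0
        return self._keys[room]  # provisioned to the room tablet, never typed

    def handle(self, room, device, action, counter, tag):
        key = self._keys.get(room)
        if key is None:
            return None  # unknown or unoccupied room
        if not hmac.compare_digest(sign(key, room, device, action, counter), tag):
            return None  # wrong key: another room's tablet or an outside client
        if counter <= self._last_ctr[room]:
            return None  # replay of a captured command
        self._last_ctr[room] = counter
        return f"room {room}: {device} -> {action}"

if __name__ == "__main__":
    ctl = AuthenticatedController()
    k1203 = ctl.check_in(1203)
    ctl.check_in(1204)
    print(OpenController().handle(1204, "curtains", "open"))  # accepted from anyone
    forged = sign(k1203, 1204, "curtains", "open", 1)          # 1203's key, 1204's room
    print(ctl.handle(1204, "curtains", "open", 1, forged))     # rejected
```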


  • Just makes me think of all the cool ideas that can't be done because having enough security costs so much, there's too little incentive left.
  • From what I've read this is about as like hacking as leaving a window open is to breaking and entering.
  • modbus, bacnet, lonmark - why can't they just wrap them in an SSL layer?