Sign in with
Sign up | Sign in

How Your Next Hotel Room Could Be Hacked

By - Source: Tom's Guide US | B 9 comments

Credit: Atiketta Sangasaeng/ShutterstockCredit: Atiketta Sangasaeng/Shutterstock

A guest checks into a hotel room and sits down on the bed for a relaxing bit of television. He picks up the hotel-supplied tablet and sets the curtains to close, the TV to switch to his favorite news program and the lights to dim.

Instead, the curtains open and close, the toilet flushes and the lights start flashing on and off. The air-conditioning blasts and the temperature drops.

This might sound like a scene from a bad comedy or a horror movie. But it isn't poltergeists: it's the work of a hacker who has compromised the hotel's room-control systems. With the advent of the Internet of Things, the same thing could happen in a home.

MORE: 12 Things You Didn't Know Could Be Hacked

A real hotel hack was accomplished at the St. Regis in Shenzhen, China, by independent security researcher Jesus Molina, who will be presenting his work at the Black Hat security conference in Las Vegas this August.

The hotel offers an iPad 2 to guests, allowing remote control of drapes, air-conditioning, TV and the like. With a little tinkering, Molina found that he could use it to take control of any room in the hotel.

While he didn't go into technical details about how he was able to take control of the hotel's central controls — he's saving that for Black Hat — the principle, Molina said, is simple: reverse-engineering the protocols used by the iPad for the wireless communications with the hotel.

Networks that weren't designed with security in mind

Molina was able to do so because the hotel was using an old wired communications protocol called KNX that was never designed for use as a wireless protocol. Security was never part of it, Molina said, and there was simply no authentication built in.

That lack of security allowed Molina to create his own network client and take over any room in the hotel. The "bridge" from the KNX protocol to the iPad 2 can make any iPad 2 into a client, connected via the Internet, which means Molina's prank on the Shenzhen St. Regis can be pulled from anywhere.

Molina said such issues are forcing people to rethink how we set up the Internet of Things.

"The solution is to rethink the strategy and provide a way for me to be connected to the room, instead of using an iPad, which not only was insecure, as proven, but terribly cumbersome," Molina wrote in an email.

This is especially true because the Internet of Things involves more than just connecting a home network to the Internet to control your porch lights.

"Things we carry will provide semantic information to a cloud-based system, which will in turn connect with other things," Molina said. "The information provided by them can be cross-correlated and processed, so if you are sad coming home (the trackers can detect our mood and location) a drone will be sent to get you flowers, and when you arrive, your Roku will play your favorite song."

The problem is that the protocols to do this safely and securely haven't really been developed yet. Molina noted that the advent of software-defined radios (SDRs) will make the security problems even more acute, since even if different systems use different protocols — a cumbersome situation for developers and hackers alike — a good SDR can enable a hacker to reverse-engineer it quickly.

How to stop hotel-room hackers

Companies that build hotel control systems are already grappling with the problem. Bill Schafer, senior director of lighting controls at Crestron, a Rockleigh, New Jersey-based automation-systems maker, noted that at the Revel Casino Hotel in Atlantic City, the network that controls the rooms had to be largely separated from the ones that handle the hotel's other business, and both of those are separate from the network used by guests for Internet access.

Frank Bonini, executive director of property technology at the Revel, said that the networks are set up with secure ports, and that if anyone tried to connect another device to the room-control network, it would shut down access. The devices in the rooms are Android tablets made by Cisco, set up so that their capabilities are limited.

At Evolve, a Port Washington, New York-based vendor of hotel-automation systems, chief technology officer Haig Didizian said the company uses a protocol called Z-Wave, connected through Microsoft's Azure platform. The systems are set up so that only a very limited amount of data can get from the device in the room to the control system.

"You could hack the tablet, but then it would only talk to the server," Didizian said.

That doesn't mean some networks aren't badly designed. Schafer bid on one job where he found that a hotel system was being run from a server that had open ports connected to several other buildings. The original network might have been set up for convenience — it meant that one could diagnose problems from any location — but it also was a wide open door to hackers of all kinds.

"I am sitting in front of this building in my car, looking at controls of a major museum in Manhattan," Schafer recalled, describing how he could hop onto the hotel's network wirelessly, then use it to access control networks of unrelated facilities. (Crestron took the job and fixed the problem).

The vulnerabilities get even scarier when one thinks of the Internet of Things in terms of devices such as drones, which Amazon recently proposed as a way to deliver packages. A hacker with a software-defined radio could produce a lot of havoc with drones.

While we want and need security, though, problems arise when we also want usability. Yet it's hard to design a user-friendly hotel network in a secure fashion. There has to be a way to authenticate who is connecting to what, but a password-based hotel-room-control system, as found on a home W-Fi network, probably isn’t workable.

"You don't want to have to enter a password to use the coffee maker," Molina said.

Follow us @tomsguide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 0 Hide
    clonazepam , June 27, 2014 12:50 PM
    Just makes me think of all the cool ideas that can't be done because having enough security costs so much, there's too little incentive left.
  • 0 Hide
    mouse24 , June 27, 2014 2:29 PM
    From what I've read this is about as like hacking as leaving a window open is to breaking an entering.
  • 0 Hide
    hoofhearted , June 28, 2014 5:30 AM
    modbus, bacnet, lonmark - why can't they just wrap them in an SSL layer?
  • Display all 9 comments.
  • 0 Hide
    hoofhearted , June 28, 2014 5:34 AM
    Hack the elevator:
    http://www.computrols.com/products/#access-controls
  • 1 Hide
    Anakha00 , June 29, 2014 2:16 PM
    I feel like a very simple and relatively cheap security solution would be to make hotel room keys smart cards and just attach a smart card reader to the tablet/phone device being used to control the room. Add in the fact that hotels can say that smart cards are more expensive than the standard magnetic strip cards so they'll charge your credit card if you fail to turn it in at checkout and I think they'll eat it up.
  • 1 Hide
    digitalexplosives , June 29, 2014 11:53 PM
    So he hacked a system that he already had access to it because he was a guest... now try that from outside the building on another network. Most of these type of systems are not connected to the outside world because if they were then all kinds of shit would stop working.

    Most of them are running off 20 year old software still humming away in a cupboard somewhere on 20 year old hardware as the owners have no clue and purchased the system and then never followed up on maintenance.
  • -1 Hide
    cats_Paw , June 30, 2014 3:55 AM
    Everyone can, give enought time, break throu anything.
    Let me give you a blunt example:
    2 Individuals want to rob a bank.
    A) is a hacker with a decent job
    B) is a gangbanger with no job.

    A) has more way to do it safely but looses more if gets caught.
    B) has little to lose but higher risk of getting caught.

    Everything can be done if you are motivated enought and are willing to pay the price...
    I doubt a lot of hackers who have a lot to loose will start hacking into girls tablets on hotels to see them naked where it could mean the same jail time as hiring a prostitue.... probably more.

    Then agian, the world is full of idiots.
  • -1 Hide
    spdragoo , June 30, 2014 4:11 AM
    OK...just how lazy does someone have to be that they need a hotel-provided device to "remotely" open/close the curtains or adjust the A/C? I'm sorry, but hotel rooms are not that large. You're what, 10, maybe 15 feet tops, away from any particular section of the room? And you can't get off your butt to adjust the A/C -- which, BTW, is probably the first thing I adjust when I walk into a hotel room, since they never have it set cold enough -- or flip off a light switch? Especially when the light switch for the main room light is by the bathroom -- unless you just plan on "letting it go" & just wallowing in your own filth all night -- or, more importantly, the bedside lights are right by your head and have their own switches. And how about the fact that it's a longer walk from the parking lot to the front desk than it is from the balcony window to the room door, yet you somehow managed to make it that far without demanding an Egyptian-style divan carried by 4 muscular guys.

    The only time this makes sense...is for a handicap-accessible room for someone who is physically unable to move at all, or for whom even walking 10 feet across a room is as physically demanding as it would be for a normal person to run a marathon without any prior training or preparation. For them, it makes sense. For those of us in at least halfway decent health, it's pure, 100% laziness to even want this.
  • 0 Hide
    spdragoo , June 30, 2014 4:12 AM
    OK...just how lazy does someone have to be that they need a hotel-provided device to "remotely" open/close the curtains or adjust the A/C? I'm sorry, but hotel rooms are not that large. You're what, 10, maybe 15 feet tops, away from any particular section of the room? And you can't get off your butt to adjust the A/C -- which, BTW, is probably the first thing I adjust when I walk into a hotel room, since they never have it set cold enough -- or flip off a light switch? Especially when the light switch for the main room light is by the bathroom -- unless you just plan on "letting it go" & just wallowing in your own filth all night -- or, more importantly, the bedside lights are right by your head and have their own switches. And how about the fact that it's a longer walk from the parking lot to the front desk than it is from the balcony window to the room door, yet you somehow managed to make it that far without demanding an Egyptian-style divan carried by 4 muscular guys.

    The only time this makes sense...is for a handicap-accessible room for someone who is physically unable to move at all, or for whom even walking 10 feet across a room is as physically demanding as it would be for a normal person to run a marathon without any prior training or preparation. For them, it makes sense. For those of us in at least halfway decent health, it's pure, 100% laziness to even want this.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter