Hotel light control hack illuminates lamentable state of IoT security
FSF board member with time on his hands highlights hole
An attendee at the KubeCon Kubernetes conference in London has exposed a serious lack of network security in the hotel where he was staying.
Matthew Garrett, a security researcher for CoreOS and a board member of the Free Software Foundation, was in his hotel when he noticed the establishment had replaced the light switches with little Android pads to control lighting and other room functions.
Being of a technical mien, he borrowed a couple of USB Ethernet adapters and set up a transparent bridge between the tablet and the wall so that his laptop could analyse the traffic between the two.
Using popular protocol analyzer Wireshark he discovered that the tablet was running the Modbus control protocols, which don't use authentication controls, and after finding the IP address the tablet was using, Garrett was able to control his room's controls.
"Then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they? I mean yes obviously they would," he wrote in a blog post.
"It's basically as bad as it could be – once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well."
It might seem that this isn't too serious. Jokers could wake people up by turning their lights on and off in the middle of the night perhaps, but a thief could also get an idea of whether a room was occupied by checking the status of its room controls.
This isn't the first time something like this has come up. In a 2014 presentation at Black Hat, researcher Jesus Molina, a former chair of the Trusted Computing Group, found he could do the same thing to all the rooms in the St Regis hotel in the Chinese city of Shenzhen.
In both cases, neither researcher tried to get into other systems on the hotel network, such as billing or reservations, but given the lamentable state of the control system it's not outside the realm of possibility that some serious damage could be done.
Hotel hacking is something that's coming under increasing scrutiny by researchers and some hotel groups. Back in 2012, another Black Hat presentation showed how easy it was to reprogram electronic door keys in hotels. One hotelier then sued the manufacturer of the keys, claiming his guests had been robbed using the technique. ®