Hotel light control hack illuminates lamentable state of IoT security

FSF board member with time on his hands highlights hole


An attendee at the KubeCon Kubernetes conference in London has exposed a serious lack of network security in the hotel where he was staying.

Matthew Garrett, a security researcher for CoreOS and a board member of the Free Software Foundation, was in his hotel when he noticed the establishment had replaced the light switches with little Android pads to control lighting and other room functions.

Being of a technical mien, he borrowed a couple of USB Ethernet adapters and set up a transparent bridge between the tablet and the wall so that his laptop could analyse the traffic between the two.

Using popular protocol analyzer Wireshark he discovered that the tablet was running the Modbus control protocols, which don't use authentication controls, and after finding the IP address the tablet was using, Garrett was able to control his room's controls.

"Then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they? I mean yes obviously they would," he wrote in a blog post.

"It's basically as bad as it could be – once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well."

It might seem that this isn't too serious. Jokers could wake people up by turning their lights on and off in the middle of the night perhaps, but a thief could also get an idea of whether a room was occupied by checking the status of its room controls.

This isn't the first time something like this has come up. In a 2014 presentation at Black Hat, researcher Jesus Molina, a former chair of the Trusted Computing Group, found he could do the same thing to all the rooms in the St Regis hotel in the Chinese city of Shenzhen.

In both cases, neither researcher tried to get into other systems on the hotel network, such as billing or reservations, but given the lamentable state of the control system it's not outside the realm of possibility that some serious damage could be done.

Hotel hacking is something that's coming under increasing scrutiny by researchers and some hotel groups. Back in 2012, another Black Hat presentation showed how easy it was to reprogram electronic door keys in hotels. One hotelier then sued the manufacturer of the keys, claiming his guests had been robbed using the technique. ®

Similar topics


Other stories you might like

  • Software Freedom Conservancy sues TV maker Vizio for GPL infringement

    Companies using GPL software should meet their obligations, lawsuit says

    The Software Freedom Conservancy (SFC), a non-profit which supports and defends free software, has taken legal action against Californian TV manufacturer Vizio Inc, claiming "repeated failures to fulfill even the basic requirements of the General Public License (GPL)."

    Member projects of the SFC include the Debian Copyright Aggregation Project, BusyBox, Git, GPL Compliance Project for Linux Developers, Homebrew, Mercurial, OpenWrt, phpMyAdmin, QEMU, Samba, Selenium, Wine, and many more.

    The GPL Compliance Project is described as "comprised of copyright holders in the kernel, Linux, who have contributed to Linux under its license, the GPLv2. These copyright holders have formally asked Conservancy to engage in compliance efforts for their copyrights in the Linux kernel."

    Continue reading
  • DRAM, it stacks up: SK hynix rolls out 819GB/s HBM3 tech

    Kit using the chips to appear next year at the earliest

    Korean DRAM fabber SK hynix has developed an HBM3 DRAM chip operating at 819GB/sec.

    HBM3 (High Bandwidth Memory 3) is a third generation of the HBM architecture which stacks DRAM chips one above another, connects them by vertical current-carrying holes called Through Silicon Vias (TSVs) to a base interposer board, via connecting micro-bumps, upon which is fastened a processor that accesses the data in the DRAM chip faster than it would through the traditional CPU socket interface.

    Seon-yong Cha, SK hynix's senior vice president for DRAM development, said: "Since its launch of the world's first HBM DRAM, SK hynix has succeeded in developing the industry's first HBM3 after leading the HBM2E market. We will continue our efforts to solidify our leadership in the premium memory market."

    Continue reading
  • UK's ARIA innovation body 'hasn't even begun to happen' says former research lead

    DARPA imitator not doing much after two years of Johnson government

    Updated The UK's efforts to copy US government and military innovation outfit DARPA are stalling, according to a leading figure in research and development.

    Appearing before the Science and Technology Committee, Sir John Kingman, former chair of UK Research and Innovation, told MPs this morning that ARIA – the Advanced Research and Invention Agency – was a good example of departmental research spending that could be cut, sidelined or delayed.

    "A very high-profile example would be ARIA, which has been this big plan for the Boris Johnson government, and yet here we are a few years into the Johnson government and it still hasn't even begun to happen," he told MPs.

    Continue reading

Biting the hand that feeds IT © 1998–2021