Matthew Garrett is a Security Developer for CoreOS, and noticed something interesting about the hotel he was staying in. They had installed tablets in the rooms to control the lights, temperature and shades. He also found that they weren’t protected.
Hotels are increasingly turning to gadgets for the convenience of their guests: you can check in with an app on your phone, and even control various parts of the room from a computer or tablet. That’s what Garrett discovered, and that there were some problems with the rush to technologically enhance your traditional hotel room.
Not only was there no security protocols on the tablet in his room, but he found that security in the hotel was so lax that he could easily figure out the IP addresses other guests rooms, and could have taken control of the lights, shades and temperature of every single room that had also been wired up.
Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!
And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn’t, would they?
I mean yes obviously they would.
It’s basically as bad as it could be - once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.
He didn’t actually do that, but he noted that he let the hotel know, and reported that they promised to do something about the issue.
The sad thing is, this isn’t a surprising issue at all: as technology becomes easier and less expensive to purchase and install, there’s a considerable lapse in understanding at just how these systems work and how to secure them.