Remember, When You Wire Up Your Hotel With A Fancy Interface, Make Sure It's Protected

Image credit: Shutterstock / Atiketta Sangasaeng

Matthew Garrett, a Security Developer for CoreOS, noticed something interesting about the hotel he was staying in. It had installed tablets in the rooms to control the lights, temperature and shades. He also found that they weren’t protected.

Hotels are increasingly turning to gadgets for the convenience of their guests: you can check in with an app on your phone, and even control various parts of the room from a computer or tablet. That’s what Garrett found in his room, along with some problems caused by the rush to technologically enhance the traditional hotel room.

Not only were there no security protocols on the tablet in his room, but security in the hotel was so lax that he could easily figure out the IP addresses of other guests’ rooms, and could have taken control of the lights, shades and temperature of every single room that had also been wired up.

Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!

And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn’t, would they?

I mean yes obviously they would.

It’s basically as bad as it could be - once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.

He didn’t actually do that, but he noted that he let the hotel know, and reported that they promised to do something about the issue.

The sad thing is, this isn’t a surprising issue at all: as technology becomes easier and less expensive to purchase and install, there’s a considerable lapse in understanding of just how these systems work and how to secure them.
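Because a Modbus/TCP request carries no credential at all, the control that stops one room from talking to another has to live on the network. The following is an added example, not code from the article or from Garrett's post: it parses Modbus/TCP requests and flags any that reach a room controller from a source other than that room's own tablet. All addresses, the `PAIRED` map and the function names are constructed for illustration.

```python
import struct

# Modbus function codes that change device state (coil/register writes).
WRITE_CODES = {5, 6, 15, 16, 22, 23}

def frame(tid, unit, pdu):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload):
    """Parse MBAP header and function code; note there is no credential field."""
    if len(payload) < 8:
        raise ValueError("too short")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    fc = payload[7]
    return {"transaction": tid, "unit": unit, "function": fc, "write": fc in WRITE_CODES}

def audit(flows, paired):
    """Flag requests reaching a room controller from anything but its paired tablet."""
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        if paired.get(dst) != src:
            kind = "write" if req["write"] else "read"
            alerts.append((src, dst, f"unpaired {kind} fc={req['function']}"))
    return alerts

# Constructed sample data (documentation address ranges, not the hotel's network).
PAIRED = {"198.51.100.14": "192.0.2.14", "198.51.100.15": "192.0.2.15"}
READ_COILS = frame(1, 1, bytes([1, 0, 0, 0, 8]))        # fc 1: read 8 coils
WRITE_COIL = frame(2, 1, bytes([5, 0, 1, 0xFF, 0x00]))  # fc 5: switch coil 1 on
FLOWS = [
    ("192.0.2.14", "198.51.100.14", WRITE_COIL),  # tablet to its own room: allowed
    ("192.0.2.14", "198.51.100.15", READ_COILS),  # another room's controller
    ("192.0.2.14", "198.51.100.15", WRITE_COIL),
    ("192.0.2.14", "198.51.100.15", b"\x00\x01"),  # truncated frame
]

if __name__ == "__main__":
    for alert in audit(FLOWS, PAIRED):
        print(alert)
```

The same pairing table can drive switch ACLs or per-room VLANs, so that cross-room requests are dropped rather than only reported.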

[Matthew Garrett]


Contact the author at andrew.liptak@io9.com.

DISCUSSION

Hotels are increasingly turning to gadgets
I know they are - but I’m unsure *why*
I know I’ve certainly never booked a hotel based on having a tablet in my room - occasionally I’ve found one, and it’s fun to play with, but entirely pointless.
If they’re needed, by all means secure them, but can’t help but feel they’re the output of some tool in marketing. Fire him, and give me a switch for my bed-side-light, by my bed.
If you really want something techy to attract patrons, fast wifi without pissy sign-ons would be all I’d want (and maybe an accessible HDMI input or a Chromecast on the TV)