

Hacking Hotels 101 224
romka1 writes "Wired has an interesting interview with Adam Laurie, chief security officer of the London security and networking firm ALD. Laurie was able, using a laptop, a TV tuner and an infrared port, to access premium content and the billing information of all the rooms in the hotel, watch how other guests access their email, and access the desktop of a back-end computer, clicking icons on the desktop and launching applications."
ya (Score:4, Interesting)
"password"
"(name of hotel)"
etc.
Re:ya (Score:1)
Re:ya (Score:3, Informative)
Re:ya (Score:3, Funny)
*rubs nipple*
Wouldn't you just love to get one of those Hiltons baby...
Re:ya (Score:3, Insightful)
That's the difference
Re:ya (Score:2)
She's already told Jimmy Fallon that:
Fallon: "I'm a celebrity, I might have to come in through the back door."
Paris: "I don't care who you are, it's not happening."
Re:ya (Score:2, Informative)
Passwords? (Score:2)
Yes, Virginia, there really are some dum'ns in the world.
Re:ya (Score:1)
Re:ya (Score:2, Interesting)
Rome was more reasonably priced (and only a one time purchase for my entire stay) but they had a nasty habit of shutting down my connection when I was idle. That meant that at the end of every long Gmail I typed, I would have to reset m
Re:ya (Score:2)
Uhm, Alta Vista is still around? Didn't know that.
This is why you SAY "Do a Google"...
Re:ya (Score:5, Informative)
Re:ya (Score:3, Interesting)
I'll post my comment from Fark below:
This isn't that new, as I heard a presentation on it at ShmooCon in DC earlier this year. The blurb about the presentation is reproduced below from this page [shmoocon.org].
"Old Skewl Hacking: Infra Red - MMIrDA (Major Malfunction's Infra Red Discovery Application)" Major Malfunction
Major Malfunction spends a lot of time travelling. Consequently he sp
Re:ya (Score:2)
Re:ya (Score:2)
Actually, they are getting there already... in Virginia we have the Dulles Toll Road, which has two sets of lanes, one on the outside for normal traffic (which has to pay the toll) and another set on the inside for airport traffic (which is free). Well, they have a few spots where
Re:ya (Score:2)
http://groups.google.com/group/alt.2600/browse_fr
Why? (Score:5, Insightful)
Re:Why? (Score:1)
When you have permission, it's okay.
Re:Why? (Score:2, Insightful)
Re:Why? (Score:2)
1. The data is broadcast over the air in the clear.
2. The data is broadcast into their computer with the assumption (that neither t
Re:Why? (Score:4, Insightful)
Re:Why? (Score:2)
Because, (Score:1, Insightful)
Re:Why? (Score:2, Insightful)
It all boils down to getting away with what you can because you inherently have more power. There is no inherent "morality" involved in any given legal system or government. Anyone over the age of 7 should be able to recognise this on a daily basis.
Besides, it's important to have a fake set of rules for individuals to follow and conform to... otherwise we'd all be living in a permanent state of chaos. Just imagin
Re:Why? (Score:2)
Actually, no, because humans are primates and this is how primates work. Well, actually, yes, maybe they do - they're just trained not to admit it.
Remember, 55 million people elected Bush - and if they hadn't, they would have elected Kerry.
As we anarchists say, "No matter who you vote for, the government gets into office."
I don't know if your last sentence was meant as a joke, but it was funny, since millions of gun owners couldn't
For the same reasons... (Score:2)
You've got the life experience and wisdom of a child, because you are one. I know it sucks when people tell you that, but it's true, and you won't realize it's true until you're in your 30s.
Re:For the same reasons... (Score:2)
Wow, concise, interesting, but stupid. I'm in my 30s now, but I was better equipped to be out on my own (other than the age discrimination of other people, especially someone like you) at age 12 than most people will be their entire lives. I'd give some details, but I'm sure you wouldn't change your mind anyway. But
Re:For the same reasons... (Score:2)
There are, however, certain ages where a child becomes as responsible as an adult. This means that whether or not they are capable of making the proper decisions that society thinks they should be able to make, they are going to be held accountable in the same way an adult is.
Why are these ages artificially set, you might ask? Because society has observed the majority of past juveniles and decided that most of them are capab
Oh, I see how it is (Score:5, Funny)
Re:Oh, I see how it is (Score:2)
It's to their advantage that it's INSECURE so they can spy on anyone.
I wouldn't be surprised if every TV had a tiny camera built in too, at least in modern hotels that is.
Obviously any techy in the know will not talk about this because he is being paid a nice 6 digits.
OFF TOPIC: /. Poll Locked (Score:4, Insightful)
Well where else can you put a comment about comments being blocked?
Anyone explain why the # DVD's ripped poll has been locked?
Anyway,
-H.
Re:OFF TOPIC: /. Poll Locked (Score:2)
My theory... (Score:3, Interesting)
It would have been nice if
Re:My theory... (Score:2)
Re:My theory... (Score:2)
Re:My theory... (Score:2)
Re:My theory... DVD ripping (for backup purposes!) (Score:3, Informative)
Hardware: NEC 3520A dual-layer burner. It has all kinds of great firmware hacks available that make it region free, enable bit-setting (allows your DVD+R media to self-identify as DVD-ROM so it plays on more DVD players), and disables Rip-Lock so you can copy the data off more quickly (rip-lock limits it to about 2 x speed when copying a DVD-ROM)
Software:
DVDShrink - it
Re:My theory... DVD ripping (for backup purposes!) (Score:2)
I was very sad that it took more than 30 minutes to burn a DVD. Once I finally found out that I should be using DMA and that I wasn't, I fixed it. Now it burns in less than 6 minutes. I also found my CD burner burns much faster with DMA enabled.
Re:OFF TOPIC: /. Poll Locked (Score:2)
Since I thought /. was anti-censorship, and yet every 10 seconds or so if I refresh the page, it's back to 0 or 1 comments even with people posting more.
Re:OFF TOPIC: /. Poll Locked (Score:2, Funny)
Re:OFF TOPIC: /. Poll Locked (Score:2)
Re:OFF TOPIC: /. Poll Locked (Score:2)
Inspiration... (Score:5, Funny)
Re:Inspiration... (Score:3, Informative)
http://www.shmoocon.org/2005/program.html#major [shmoocon.org]
Re:Inspiration... (Score:2)
premium content? (Score:2)
Re:premium content? (Score:3, Informative)
Read a little further down...
Premium channels are generally movie/porn/sports channels.
When you are at dinner or in a
Re:premium content? (Score:2)
As in premium channels... things you pay extra (a premium) for. That stupid soft core porn is a premium, as well as pay per view movies and such. One thing nice about cell phones is you don't have to worry about the premium phone service in those premium hotels that costs an arm and a leg just to make a local call, chances are the mobile is cheaper.
The problem with getting the premium service for free is the fact that people feel that they are being robbed blind by freel
Mobile phone vs. Hotel phone (Score:2)
Every hotel I've been at (including "premium" ones) has free local calls.
However, the fact I am staying at this hotel means I am far from home, making all my cell phone calls roaming calls, and calls to anywhere local (relative to the hotel) long-distance (as far as the cell phone company is concerned) on
Re:Mobile phone vs. Hotel phone (Score:2)
I get 600 daytime minutes, as well as free nights and weekends. Within that time, I can call anywhere in the US or Canada from anywhere that I can get a signal with no extra charges. Every plan I've had for the past few years has been like this. Roaming is something I haven't dealt with since the analog phone days.
Re:Mobile phone vs. Hotel phone (Score:2)
The last hotel I stayed in that one might consider premium was a two room suite Holiday Inn... Utah when they had the hurricane, or rather the night before. I think it was a Holiday Inn... apparently there was a convention in town and it was the only room. Anyhow the phone call to the airport, local call I might add was $1.25, which is annoying the fact that the room was pretty upscale on the price yet everything in there including th
Wild guess here... (Score:2)
Perhaps the problem is the premium content was not being offered for free in this case? But was available at a "reduced price", which the individual did not pay?
Security through obscurity (Score:5, Informative)
I think it is important to blame the vendors as well as the hotels. Two days ago I got a sales presentation of a document management system called "DocStar". The sales weasel kept going on and on about security, repeating himself with how it has security "at the level of individual pixels". But whenever I tried to pin him down about how that system is actually secure, he had nothing. As near as I can tell, their whole pitch is "It's secure because we say it is". Right. I'm supposed to take his word for it, when vendors demonstrate over and over, with cases like this, that their security usually amounts to "We hope nobody will ever try to break in".
Gag.
Re:Security through obscurity (Score:2)
However, a sales guy knowing the technical details of a product is as unlikely as being allowed to *talk* to a developer at their company to explain their security mechanisms in the first place.
Sad state of affairs, really. Programming is all about abstraction; I wish people understood that when a programmer uses abstraction to centralize logic such as security, we'd all be better off if we could abstract across companies.
Don't you mean "Security through apathy" (Score:2)
I think, generally speaking... no one gives enough of a shit to even bother hacking a hotel broadcast network. And the minority that do... the very small minority are for the most part paying upwards of $50/night just
Secure today, hacked tomorrow (Score:2)
If that's all it is, I'd tend to agree with you. But I've seen descriptions of seeing what other people's terminals (TVs) are doing, including billing information and supposedly "private" Internet sessions. The idea of skimming credit card info or private business dealings off of this isn't inconceivable. As a potential guest at a hotel, I'm a lot more worried than I would be about the hotel ownership's potential loss of profit.
"T
Re:Secure today, hacked tomorrow (Score:2)
Yes, I get blasted at times for using telnet on a house network to Linux box and
Re:Security through obscurity (Score:2)
Re:Security through obscurity (Score:2)
They expect some lame blocker to be a silver bullet solution. Unfortunately they almost always make the mistake of either never updating or using some little lame piece of software that doesn't actually do much. Not all security solutions are equal, yet no one can really understand that unless they're technically inclined.
Re:Security through obscurity (Score:2)
DocStar security (Score:2)
I assumed right from the get-go that they calculate a hash of the scanned document image to validate integrity and authenticity. The thing that concerns me is, what protects those hashes? Are they just stored on the same disk (or RAID) that the scanned document images themselves are? If so, what keeps the hashes from being modified along with the original cleartext? Is there
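The concern raised above, as an added example that is not part of the original comment and not DocStar's actual mechanism (which the page does not describe): a bare hash stored beside the document can be recomputed by whoever edits the document, while a keyed MAC cannot. The key, file name and document contents are constructed, and the key is assumed to live somewhere other than the document volume.

```python
import hashlib
import hmac


def plain_digest(document):
    """Unkeyed SHA-256: anyone who can read the document can recompute it."""
    return hashlib.sha256(document).hexdigest()


def keyed_tag(document, key):
    """HMAC-SHA256: recomputing it requires the secret key."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def store_document(store, name, document, key):
    """Save the document with both kinds of integrity record next to it."""
    store[name] = {"doc": document, "sha256": plain_digest(document),
                   "hmac": keyed_tag(document, key)}


def tamper_on_disk(store, name, new_document):
    """Model someone with write access to the storage but not to the key:
    they replace the image and refresh every record they are able to compute."""
    store[name]["doc"] = new_document
    store[name]["sha256"] = plain_digest(new_document)
    # The HMAC field is left as-is: without the key no valid value can be produced.


def audit(store, name, key):
    """Return (plain_hash_ok, hmac_ok) for one stored document."""
    rec = store[name]
    plain_ok = hmac.compare_digest(plain_digest(rec["doc"]), rec["sha256"])
    hmac_ok = hmac.compare_digest(keyed_tag(rec["doc"], key), rec["hmac"])
    return plain_ok, hmac_ok


# Constructed sample data. Assumption: the key is held off the document volume.
KEY = b"constructed-demo-key-kept-off-the-document-volume"


def demo():
    store = {}
    store_document(store, "invoice-0001.tif", b"scanned image: total 100.00", KEY)
    before = audit(store, "invoice-0001.tif", KEY)
    tamper_on_disk(store, "invoice-0001.tif", b"scanned image: total 900.00")
    after = audit(store, "invoice-0001.tif", KEY)
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the edit the plain hash still verifies and only the keyed check fails, which is the gap the comment is asking about.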
My own experience (Score:5, Informative)
What I saw scared the heck out of me. SQL queries from the hotel reservation system, including things like the results of "SELECT * FROM RESERVATIONS" and "INSERT INTO ROOMS
Not only was it all unencrypted, but they were broadcasting all that information to every ethernet port in every room. You can just imagine the potential for identity theft and burglary networks ("he'll be gone til Tuesday!"). And I wouldn't be surprised if you could actually just send out your own SQL queries if you wanted to ("I'll be staying for another week, honest!").
Re:My own experience (Score:2, Insightful)
Re:My own experience (Score:5, Funny)
Even if the network is switched, one could just use a simple ARP poisoning tool such as ettercap [sf.net] to poison the MAC address table and make the switch go into "hub mode".
Recently, I was at a Super 8 Motel in Addison, TX for business. I had a lot of free time at the motel, so I got in my laptop and used the wireless. The connection was painfully slow, 3000-8000ms pings to everywhere. I fired up ettercap (ARP poisoning isn't necessary on wireless, but ettercap is still a cool sniffing tool regardless) and saw that some bonehead was saturating the T1 with Gnutella downloads of pornographic pictures.
I could care less that he is looking at porn, but he was hogging all the bandwidth. I solved the problem by "stealing" his IP address and generating some traffic to keep the ARP table of the motel's router associating the "stolen" IP address with my MAC so that he could not use the internet.
Re:My own experience (Score:2)
Any high quality switch wouldn't do that. It would just shut off the two offending ports and be done with it.
Re: (Score:2)
Re:My own experience (Score:2)
Re:My own experience (Score:2)
Most Hotel TV are locked though right? (Score:3, Interesting)
Still, this makes me want to pick up a USB tv tuner for next time I travel.
"Additionally, he could use hidden codes that transmitted from the remote-control device to the TV through infrared to control functions in the system...Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack. Laurie doesn't plan to release the program."
Booooo, release the code!
Re:Most Hotel TV are locked though right? (Score:2)
What a wimp. Information wants to be FREEEEEE! :)
Re:Most Hotel TV are locked though right? (Score:2)
Re:Most Hotel TV are locked though right? (Score:2)
The ones I've seen aren't locked, but have a plastic cylinder around the F connector that keeps you from unscrewing it. However, all you need is a security wrench [icmcorp.net]. They're also handy if the hotel TV doesn't have AV inputs, and you want to hook up your VCR or DVD player to it via a RF modulator.
Which hotels? (Score:2)
Holiday Inn for one...Re:Which hotels? (Score:2)
Re:Holiday Inn for one...Re:Which hotels? (Score:2)
Could that be right? (Score:2, Interesting)
Re:Could that be right? (Score:2)
For example, most hotels will allow you to use the TV remote to review your charges, extend your checkout time, checkout, order food, etc. The TV is communicating with a hotel computer somewhere to facilitate that. The computer generates a video channel specifically for that room.
There is also sometimes an alarm signal on the wire to detect if someone disconnects the TV to hook up a DVD player or game (they want you to rent TH
Re:Could that be right? (Score:2)
Some other (more useful) comments. (Score:5, Interesting)
This is because in the interests of usability, these systems do not use WEP. In the case of the university, their security consists of not honoring DHCP requests if the system doesn't know your MAC, and hiding the ESSID. Again, no WEP. I have sat in conferences and watched people checking their email. (That's also good for, how shall we say, 'social intelligence.')
The bottom line is, and always will be, that people need to pay attention to how the technology they use works. If they don't know, then it is to a certain extent their own problem.
To combat this, all my wireless systems, including the ones I use at home, use a VPN to connect to my home router, and then the traffic goes out from there. The VPN uses a cryptographic key for authentication, not a password, and all traffic except for DHCP requests goes over it. The best someone can really accomplish at the network level is to bump me off the network, at which point the VPN falls over too, and no data is compromised. The system at home also uses WEP, and requires that all machines connecting over wireless use a VPN to get routed from the router to, well, anywhere, even the LAN.
"But what about after the data leaves your cable modem at home?" That's a valid concern. So any data that I'm really concerned about is encrypted going out of there too. The catch is that, of course, I can't do that all the time, and it could still give someone a lot of intelligence by monitoring the traffic. At that point, though, I have a legitimate beef with the cable company, just as users who plug their computer into a hotel ethernet port (not wireless) have a beef with the hotel if someone in the adjacent room sniffs their traffic.
The sad reality is that most people have absolutely no data security at all. Often times, they give themselves the illusion of security by doing something like using some snake-oil crypto product on their Windows machine, which is still clearly open to a number of software-based attacks. And, of course, if you compromise the hardware, nothing is going to save your ass.
Sitting at home, I see six wireless networks. One of them is mine. Four of them don't have any indication of whose they are, so they get a bit of security through obscurity in terms of someone trying to attack them directly. Nevertheless, three of the four are insecure, and the fourth uses only WEP. Of those three unsecured networks, they're broadcasting all sorts of crap in the clear, and two of the three are ridden with spyware and viruses to the point that I can tell remotely using only passive means.
The last guy got interesting. He removed the confusion about whose network was whose, at least with regard to his, by putting his last name in the SSID. The network is wide open.
Not really news if they don't name the hotels (Score:2, Informative)
This is old news within the hospitality industry (Score:5, Informative)
Over the years, I've learned a lot more. Basically, the world of hotel entertainment is run by two companies, LodgeNet and OnCommand. Both use almost identical technology. The way it basically works is hotels buy commercial television sets that have a port on the back to control the tuner. An RF interface plugs into this port and allows signals to be sent over the coaxial cable to a server and receive signals from the server.
Let me explain how it works. The hotel puts all the regular television (called free-to-guest in the lingo) on a certain range of channels. The commercial set is then programmed to only allow tuning from the remote in that range. If the guest tried to go higher than say 30, it wraps back to say 2. Entering a number from the remote higher than the range won't work either.
Now the remote has some special buttons. Let's say a guest hits the main menu button. The IR receiver on the commercial TV passes the signal to the RF unit, which sends it over the coax to the server. The server starts up a video stream and outputs it through a video card to a modulator. The server tells the commercial TV "tune to channel 43". Since the guest can't normally tune to this channel, the only way he sees it is when the server tells his TV to tune there. The guest can now interact with the server and only he sees what he is doing because he's the only one the server lets turn to channel 43.
For hotel info, movies, this is how the guest gets the content. If it's a web browser session, it's the same thing only using essentially a terminal server session.
Now, the problem is there's only about a handful of commercial TV sets made. It's not terribly difficult to obtain or borrow a master remote from someone. You can copy the button commands into your PDA or universal remote, then next time you are at a hotel with that brand of television, just tune around until you find something interesting to watch. Or, bring your own tuner like the guy with the VCR or the article talks about.
Some ways hotels are dealing with this is locking off the connection so you can't just plug in a tuner. You can cut the cable, but I wouldn't recommend it if you don't want to be charged for the repair. But the master remotes are still out there and still universally known.
Smaller or older hotels that have regular televisions use a little IR dongle to control the television instead of a card that plugs in the back, but it's the same principle.
I've always wondered why warez groups don't pick up on this as a way to get first-run movies. The hospitality window is about two months after a movie hits theaters (just after home pay-per-view but before DVD). The source is either DVD or digital files downloaded directly to the server, so the quality should be excellent. Just bring a FireWire capture card with your laptop and you can release "screener" quality with virtually no risk.
Not that I would ever do something like that of course...just saying...
- JoeShmoe
Re:This is old news within the hospitality industr (Score:2, Informative)
Also search eBay for 'coax removal tool' if you need to get around those pesky security sleeves.
One interesting tidbit about my 8511 converter box. At first it did not work with any remote control. I took it apart and found a small jumper wire running from the input pin of the IR decoder
Re:This is old news within the hospitality industr (Score:2, Informative)
Re:This is old news within the hospitality industr (Score:2)
I think you answered yourself there, good warez groups tend to release stuff before it even gets to theatres, not two months after.
Your firewire-capture method would create telesync rip, there's risk of going out of sync and possible glitches in video or sound caused by disturbances in other rooms nearby(old electric razors, hairdryers
Re:This is old news within the hospitality industr (Score:2)
If you mean TC telecine, that's defined as a recording from the film, either using a telecine (some kind of rear-projection thing that you can put a camcorder in front of to get a consistent image) or using the vi
Re:This is old news within the hospitality industr (Score:2)
If asked just say "I'm hooking in a camcorder, I'm on vacation and I'm making a home movie". Works perfectly well for me when I'm on vacation and making a home movie.
Re:This is old news within the hospitality industr (Score:2)
Actually, it's easier if you just use a small allen key or two and spin the protective cable guard. Also easier to travel (fly) with.
Re:This is old news within the hospitality industr (Score:2)
I think the N64 deal finally expires this year, and I fully expect LodgeNet to make the same mistake and sign up for GameCube for the ne
He's not the only one (Score:2)
I really had no interest in watching people read their email or check out, but it was entertaining to see which pay-per-view porn movies were the most popular among my fellow travellers.
I've setup a 120 room hotel (Score:2, Interesting)
At the moment, we have a pretty crummy system - a D-Link router - yes I know why this is bad, but we're changing that (we knew about this to begin with)
My question to the slashdot crowd is, what can you think of that we can do to stop a guest from running their own DHCP server? (screwing the network)
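One way to at least detect the problem asked about above, as an added example that is not part of the original comment: parse DHCP replies seen on the guest network and flag any OFFER or ACK that does not come from the authorized server. The addresses, MAC and allowlist are constructed; actually blocking such replies is a switch-side control (DHCP snooping on managed switches), which this script does not replace.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY, OFFER, ACK = 2, 2, 5

# Assumption: the hotel's single legitimate DHCP server (constructed address).
AUTHORIZED_SERVERS = {"10.20.0.1"}


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload; return a dict, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = min(payload[2], 16)
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            return None                      # option header cut off
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                      # option body cut off
        options[code] = value
        i += 2 + length
    return {
        "op": payload[0],
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "options": options,
    }


def rogue_replies(packets, authorized=AUTHORIZED_SERVERS):
    """packets: (source_ip, udp_payload) pairs captured from UDP source port 67."""
    alerts = []
    for src_ip, payload in packets:
        msg = parse_dhcp(payload)
        if msg is None or msg["op"] != BOOTREPLY:
            continue
        mtype = msg["options"].get(OPT_MSG_TYPE)
        if not mtype or mtype[0] not in (OFFER, ACK):
            continue
        sid = msg["options"].get(OPT_SERVER_ID, b"")
        claimed = socket.inet_ntoa(sid) if len(sid) == 4 else None
        # Flag the reply unless both the IP source and the server identifier are authorized.
        if src_ip not in authorized or claimed not in authorized:
            alerts.append({"source": src_ip, "server_id": claimed,
                           "client_mac": msg["client_mac"], "offered": msg["yiaddr"]})
    return alerts


def build_reply(msg_type, server_ip, client_mac, offered_ip):
    """Build a minimal server reply; used only to construct sample data below."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, 0x1234, 0, 0,
        bytes(4), socket.inet_aton(offered_ip), socket.inet_aton(server_ip),
        bytes(4), bytes.fromhex(client_mac.replace(":", "")), b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + socket.inet_aton(server_ip) + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed sample traffic: one legitimate offer, one from a guest laptop, one junk packet.
SAMPLE = [
    ("10.20.0.1", build_reply(OFFER, "10.20.0.1", "02:00:00:00:00:aa", "10.20.1.50")),
    ("10.20.1.77", build_reply(OFFER, "10.20.1.77", "02:00:00:00:00:aa", "192.168.0.5")),
    ("10.20.1.77", b"not a dhcp packet"),
]

if __name__ == "__main__":
    for alert in rogue_replies(SAMPLE):
        print("unauthorized DHCP server:", alert)
```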
Re:I've setup a 120 room hotel (Score:2)
Re:I've setup a 120 room hotel (Score:2)
Re:I've setup a 120 room hotel (Score:2)
Hotels with free internet rule (Score:3, Informative)
I found some laptop (I assume) with IIS running on it, and some ugly website for a home siding and windowing company on it, I read it, wasn't interested.. But still, it seems that some people don't realize they're entering a fairly high speed and insecure network when plugging into most hotel setups.
been there, done that (Score:2)
I think this is his presentation at various CONs (Score:2)
You people suck... (Score:2)
Article leaves out some details (Score:2, Interesting)
Although most hotels lock the F-connector on the outside of the wall jack, remove the two screws for the wall jack and you can access the F-connector on the inside. I don't know if the systems are checking for missing TVs yet, but as a precaution a decent splitter should be used so the TV doesn't go missing when you connect your laptop. Someday they will wise-up and check. Then an engineer will knock on your door to see if ther
I'm always skeptical... (Score:2)
Laurie is known as Major Malfunction in the hacker community. He also revealed how infrared used for garage door openers and car-door locks could be hacked, using simple brute force programming techniques to decipher the code that opens the doors. [emphasis mine]
Now, I'm not a remote entry expert, by any stretch, but I've never even heard of infrared keyless entry or garage door transmitters. Always RF.
When the article commits such a glaring erro
Re:"screenshots" of internet access being *BROADCA (Score:3, Insightful)
the broadcast TV UHF range, albeit with different frequencies), which can be picked up with a cheap $15 B&W portable TV with a slide tuner.
Are they really too cheap to just use a regular network and WEB-TV-like units in the rooms?
Hmmm... those cable channels fall into the high VHF range. There are some channels used between 6 and 7, but I can't remember off the top of my head. I.e. ca