
How a Security Researcher Took Over a Hotel's IoT Devices (zdnet.com)

"The moment you network IoT and hand over control to third parties, you may also give individuals the keys to a digital kingdom — and the ability to cause mischief, or worse," writes ZDNet.

For example, at a hotel where guests control the devices in their room with an iPod Touch... Speaking at Black Hat USA, Las Vegas, security consultant Kya Supa from LEXFO explained how a chain of security weaknesses was combined and exploited to gain control of rooms at a capsule hotel, a budget-friendly type of hotel offering extremely small — and, therefore, cozy — spaces to guests, who are stacked side-by-side... A neighbor, "Bob," kept waking Supa up by making loud phone calls in the early hours of the morning. While Bob had agreed to keep it down, he did not keep his promise — and the researcher set to work since he needed his sleep, especially during his vacation. The first thing Supa did was to explore his room, finding an emergency light installed for safety reasons; a Nasnos automaton center for use in controlling products in case the iPod Touch was lost; an electric motor used to manage the incline of the capsule's bed; and a Nasnos router, hidden in the wall.

If you connected to the router via a smartphone, it was then possible to control other devices on the network, and this was the setup the hotel chose to use... Supa found that two networks were connected — the hotel Wi-Fi and the router. To retrieve the router key, Supa targeted WEP, a protocol that has been known to be weak for years. Access points, each being one of the bedrooms, were found. Supa inspected the traffic and found weak credentials in place — "123" — and you can guess the rest...

By using an Android smartphone, the iPod Touch, and a laptop, the researcher created a Man-in-The-Middle (MiTM) architecture and inspected the network traffic. No encryption was found and he created a simple program to tamper with these connections, allowing the researcher to seize control of his bedroom through his laptop... Now that he could "control every bedroom," and Bob was still there, Supa then tampered with the lights of different bedrooms until he found the right one. He created a script that, every two hours, would change the bed into a sofa and turn the lights on and off. The script was launched at midnight. We can probably assume Bob did not enjoy his stay.

"I hope he will be more respectful in the future," Supa commented.

  • by Ostracus ( 1354233 ) on Saturday August 07, 2021 @02:39PM (#61667335) Journal

    "I hope he will be more respectful in the future," Supa commented.

    Lesson:
    Ancient Times: Don't piss off the muscular guy.
    Modern times: Don't piss off the geek.

  • by OzPeter ( 195038 ) on Saturday August 07, 2021 @02:59PM (#61667377)

    And announces to the world that he is a major dick.

    Oh and BTW insecure networks are still insecure. IoT doesn't change this, although it does lower the barrier to entry.

    • WEP, no encryption, "123" password... Possibly every wrong decision that could make this network insecure was made. And the funny thing is that this is your average IoT target audience's behavior, so I expect to hear a lot more fun stories like these as times go on.

    • Who is still carrying around an iPod touch?

    • by phantomfive ( 622387 ) on Saturday August 07, 2021 @03:15PM (#61667405) Journal

      There's a reason the FBI sends officers to watch people at BlackHat.

    • So a guy goes to a conference and announces to the world that he is a major dick.

      How else is he supposed to attract the female soldiers?

    • So a guy goes to a conference and announces to the world that he is a major dick.

      You think this guy is a major dick? Avoid BlackHat conferences because if you go then you're going to have a bad time.

    • And announces to the world that he is a major dick.

      No, he only announced that he is a major dick back.

      Wasn't it Jesus who said "treat thy neighbour" or something like that? Bob clearly wanted to be treated like that, so it would be a dick move not to mess with him.

  • by bobstreo ( 1320787 ) on Saturday August 07, 2021 @03:03PM (#61667383)

    Your IOT network should be separated from your cheesy, non-secured local Internet access.

      If you need to access your IOT network, it should be by authenticated network access.

    • Your IOT network should be separated from your cheesy, non-secured local Internet access.

        If you need to access your IOT network, it should be by authenticated network access.

      Did you set up this network? I mean, it was a separate network and it was authenticated if you read TFS. The fact that the authentication had more holes than a colander notwithstanding, so far it would appear they followed all your advice.

  • ... if he cannot even afford a room in a decent hotel where you don't hear your neighbor's telephone calls.
  • Uh huh (Score:2, Troll)

    by fahrbot-bot ( 874524 )

    A neighbor, "Bob," kept waking Supa up by making loud phone calls in the early hours of the morning. While Bob had agreed to keep it down, he did not keep his promise — and the researcher set to work since he needed his sleep, especially during his vacation. ... [and screw with Bob's room]

    Let me get this straight, Bob kept waking him up so, because he needed his sleep, Supa stayed awake hacking the hotel to harass Bob.

    "I hope he will be more respectful in the future," Supa commented.

    It's not your job to teach Bob a lesson. In the future, complain to the management and (a) have them keep Bob in line or (b) ask that you (or Bob) be moved to another room. You might even get a refund, discount or other compensation.

    In the end, you *both* broke the social contract.

    • by sjames ( 1099 )

      Supa stayed awake hacking the hotel to harass Bob.

      Thanks to Bob, not staying awake wasn't an option at that point, so might as well hack...

  • Instead of posturing, they should implement some real security.

  • Although I didn't actually appear to have any actual access, just today, I somehow logged in as a Web Admin while trying to reset my password on a relatively new company's website who just started rolling out their service to my town.

    I shouldn't say who it is, but suffice it to say I saw a little scooter parked in my neighborhood and wanted to take it for a "spin". I was intrigued. I wondered how to use it. Of course I have to download the app.

    I'm skeptical of such things, but I really wanted to try it f

  • Who uses WEP in this day and age? I almost want to call BS on this story just because of that.
