Saturday, July 30, 2005

Hacking in-room hotel systems

In many hotels these days, you can use the room's television to check your bill, check your e-mail and check out of your room. Will miracles never cease? I, for one, never gave any thought to how secure these systems are. That's pretty naive.

If it moves, whirs, clicks, plugs in or connects anything to anything else, someone will try to figure out how it works and what mischief can be accomplished with it. Wired news has interviewed a hacker who, in a fit of boredom and a desire to watch pay movies for free, has figured out the system. What he has found is more than a bit troubling:

Wired News: A Hacker Games the Hotel

"... But one of the most serious vulnerabilities he found was in the billing system. Hotel guests can use their TV to check their account balance. The bill is tied to the room number, which in turn has a unique address that's assigned to the TV.

Laurie could view the bills of other guests and see their room numbers simply by going to a menu that displayed the address of the TV in his room and changing a number in the address to make the TV think it was in a different room.

"If I change that address -- it was A161 and I've now changed it to A162 -- I'm now looking at the bill of the guy next door," he said.

If he wanted to know the names and room numbers of all the guests in a hotel, he could automate the process by writing a simple script to call up sequential TV addresses, then set a video camera on a tripod in front of the TV to capture the bills as they came up.

"That tells me who's in there, who's sharing (the room) with who and what they've been doing," he said. This sort of hack would be useful to any number of people, including paparazzi stalking celebrities and private detectives hired by spouses.

"Why would they connect (the TV) to a billing system?" Laurie asked. "Because they don't think. As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending you confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing."

Laurie could view certain activities of other guests by tuning to other channels or by scanning through all possible channels in the system. That's because when a guest purchases premium content or TV internet access, the hotel system assigns a channel to the guest's room through which to deliver the service. All Laurie had to do was surf the channels.

He produced a slide of his TV screen showing another hotel guest sifting through business proposals in his e-mail.

"He's happily typing away in his room thinking he's privately viewing his e-mail," Laurie said. "But I could be anywhere else in the building watching what's going on (from) the TV. If I was a business rival staying in the same hotel at a conference, I could do a little corporate espionage. I see the (bid) proposal he's putting in and I could go in and put one in that's 10 bucks cheaper." ..."

No comments: