[personal profile] mjg59
I'm in London for Kubecon right now, and the hotel I'm staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets.
A tablet displaying the text UK_bathroom isn't responding. Do you want to close it?
One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall. So.

I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!

And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they?

I mean yes obviously they would.

It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.

We're doomed.

(edited: this previously claimed I could only access systems on my own floor, but it turns out that each floor is a separate broadcast domain and I just needed to set a gateway to access the others)

(further edit: I'm deliberately not naming the hotel. They were receptive to my feedback and promised to do something about the issue.)

Date: 2016-03-11 02:55 pm (UTC)
From: (Anonymous)
My coworker asks whether you can control the channels. Can you set all of your neighbours' TVs to pay-per-view while they're out?

Date: 2016-03-12 03:21 am (UTC)
From: (Anonymous)
If this is the hotel I believe it is, there is no pay per view. Everything is free, even the porn.

(no subject)

From: (Anonymous) - Date: 2016-03-12 06:33 am (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2016-03-12 10:40 am (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2016-03-12 05:29 pm (UTC) - Expand

Choose your path wisely

From: (Anonymous) - Date: 2016-03-13 12:08 am (UTC) - Expand

Re: Choose your path wisely

From: (Anonymous) - Date: 2016-03-13 07:56 pm (UTC) - Expand

Re: Choose your path wisely

From: (Anonymous) - Date: 2016-03-13 08:55 pm (UTC) - Expand

Re: Choose your path wisely

From: (Anonymous) - Date: 2016-03-14 04:28 pm (UTC) - Expand

Re: Choose your path wisely

From: (Anonymous) - Date: 2016-03-16 03:54 pm (UTC) - Expand

Date: 2016-03-12 01:05 pm (UTC)
From: (Anonymous)
The ability send your own porn to everyone's screens would be even better. The people would be aghast at the shemales and excrement.

Aghast

From: (Anonymous) - Date: 2016-03-12 01:41 pm (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2016-03-13 05:17 pm (UTC) - Expand

better than Porn

From: (Anonymous) - Date: 2016-03-14 03:09 pm (UTC) - Expand

(no subject)

From: (Anonymous) - Date: 2016-03-15 09:58 pm (UTC) - Expand

So brownhat then?

From: (Anonymous) - Date: 2016-03-16 12:59 am (UTC) - Expand

Modbus?

Date: 2016-03-11 03:05 pm (UTC)
From: (Anonymous)
I worked on Modbus networking software in the 1980's at Modicon. Why would anyone use that for controlling IoT in 2016? It is baffling.

Re: Modbus?

Date: 2016-03-11 03:10 pm (UTC)
From: (Anonymous)
Maybe because their setup is a bit older than 2016 ? ;)

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 03:22 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 03:40 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 04:26 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 06:15 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 06:42 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-11 09:16 pm (UTC) - Expand

Re: Modbus?

From: (Anonymous) - Date: 2016-03-12 08:10 am (UTC) - Expand

Re: Modbus?

Date: 2016-03-14 10:55 am (UTC)
From: (Anonymous)
because every SnakeOilCorp. thinks that they could sell old things if they name it IoT... Indeed i think there is no IoT anyway, just renamed old things... ;-)

Hotel name?

Date: 2016-03-11 03:35 pm (UTC)
From: (Anonymous)
This practice will never improve if hotels that do it remain anonymous. They have absolutely no incentive to fix their security.

Re: Hotel name?

Date: 2016-03-12 10:26 am (UTC)
From: (Anonymous)
Sure. Tripadvisor should have a checkbox
"Hotel lighting system hackable to blinkenlights" nearby the info "free wifi"

Re: Hotel name?

From: (Anonymous) - Date: 2016-03-12 11:48 pm (UTC) - Expand

Hotel wifi?

Date: 2016-03-11 03:46 pm (UTC)
From: (Anonymous)
Did you check to see if that range was visible from the hotel wifi?

Re: Hotel wifi?

From: (Anonymous) - Date: 2016-03-11 04:54 pm (UTC) - Expand

Even worse?

Date: 2016-03-11 04:02 pm (UTC)
From: (Anonymous)
I swear this is just me "thinking like an attacker", but: what a really nasty attacker would do would be to send the "open curtains" command to all rooms, wait 30 seconds, and then send the "set room lights to full" command, all the time training one or more high-resolution video cameras at the hotel from the outside or a building opposite.

I wonder what percentage of hotel guests sleep naked?

I wonder how much business such a hotel would get in the ensuing 12 months?

Re: Even worse?

Date: 2016-03-11 04:12 pm (UTC)
From: (Anonymous)
That's more thinking like a voyeur.

Re: Even worse?

From: (Anonymous) - Date: 2016-03-15 08:12 pm (UTC) - Expand

Re: Even worse?

From: (Anonymous) - Date: 2016-03-11 04:13 pm (UTC) - Expand

Re: Even worse?

From: [personal profile] justjanne - Date: 2016-03-11 06:45 pm (UTC) - Expand

Re: Even worse?

From: (Anonymous) - Date: 2016-03-12 05:17 am (UTC) - Expand

Re: Even worse?

From: (Anonymous) - Date: 2016-03-12 02:15 pm (UTC) - Expand

Re: Even worse?

From: (Anonymous) - Date: 2016-03-13 10:10 pm (UTC) - Expand

Re: Even worse?

From: (Anonymous) - Date: 2016-03-16 01:47 am (UTC) - Expand

You know what to do

Date: 2016-03-11 05:12 pm (UTC)
From: (Anonymous)
Lightswitch rave!

Re: You know what to do

Date: 2016-03-13 05:48 am (UTC)
From: (Anonymous)
Wooo WOOO Wooo WOOO

THE SYSTEM IS DOWN!
THE SYSTEM IS DOWN!

Re: You know what to do

From: (Anonymous) - Date: 2016-03-15 09:36 pm (UTC) - Expand

Could be worse

Date: 2016-03-11 05:44 pm (UTC)
From: (Anonymous)
At least I hope the fire control wasn't on the same modbus ....

Leaking Behavior

Date: 2016-03-11 05:50 pm (UTC)
From: (Anonymous)
Your post seems to imply that being able to control another room's lights is the greatest security threat. It isn't: reading other room's settings is.

While it would be annoying to have the lights turn on in the middle of the night, it would only be that (annoying). On the other hand, being able to read the current state of another room's lights leaks information about human behavior. It would be pretty trivial to get a statistical profile of the rooms to determine which rooms have occupants that have either departed or are asleep. These rooms then become targets for theft, vandalism or worse.

Re: Leaking Behavior

Date: 2016-03-11 07:26 pm (UTC)
From: (Anonymous)
You could also do this by watching from across the road for any length of time, the old fashioned way. You could get every floor too if you were high enough.

Re: Leaking Behavior

From: (Anonymous) - Date: 2016-03-12 01:57 pm (UTC) - Expand

Re: Leaking Behavior

From: (Anonymous) - Date: 2016-03-11 09:31 pm (UTC) - Expand
From: (Anonymous)
Installed in multiple places in every room, conveniently indexed by room number. I really doubt they run up to date software. Chances are they can be pwned and turned into bugs.

Criminal offence

Date: 2016-03-12 10:52 am (UTC)
From: (Anonymous)
I think you just publically confessed to a criminal offence...?

Re: Criminal offence

Date: 2016-03-12 11:15 am (UTC)
From: (Anonymous)
Under what criminal statute exactly?

"You Honour, my client merely tried to get his hotel-room Internet to work."

Re: Criminal offence

From: (Anonymous) - Date: 2016-03-12 02:28 pm (UTC) - Expand

Re: Criminal offence

From: (Anonymous) - Date: 2016-03-14 07:38 am (UTC) - Expand

Re: Criminal offence

From: [identity profile] http://apebox.org/wordpress/ - Date: 2016-03-14 10:49 am (UTC) - Expand

Re: Criminal offence

From: (Anonymous) - Date: 2016-03-15 02:52 pm (UTC) - Expand

Re: Criminal offence

From: [identity profile] http://apebox.org/wordpress/ - Date: 2016-03-15 03:10 pm (UTC) - Expand

Re: Criminal offence

From: (Anonymous) - Date: 2016-03-14 07:40 am (UTC) - Expand

Re: Criminal offence

From: (Anonymous) - Date: 2016-03-14 04:21 pm (UTC) - Expand

They would do nothing about it.

Date: 2016-03-12 02:05 pm (UTC)
From: (Anonymous)
The person who knows about the issue doesn't know what to do with it
The person who can fix the problem would never hear about it
The person in position of power to make it OK doesn't really care

That's usually how the world works, IMO. Did you make sure you got the info to the right people - or - are you sure about no posting the name of the hotel?

Interesting

Date: 2016-03-12 06:20 pm (UTC)
From: (Anonymous)
An interesting story about how lazy designs can be.

Next question would be - if there are Android tablets, don't they have microphones and speakers? Take the sounds from one room and play them in another would be a nice prank. Especially if it's done by installing that feature as an app on the tablets so you won't need any added computer.
From: (Anonymous)
Having worked in many hotels, This lack of security is not a surprise. The automation tells me they were looking for a selling point.

That you pointed it out to the front desk and/or management is good but will do nothing, they will forget about it.

until they get sued for "large amount of money" and bad press.

next stop, cameras everywhere on every door.. NO peepholes.
From: (Anonymous)
Android doesn't come with light control software baked into the OS. Someone wrote an app and built controllers with poor security. The weakness is in the light switch software, not in Android.

Date: 2016-03-13 03:07 pm (UTC)
hairyears: (Default)
From: [personal profile] hairyears
Interesting...

A general question: a Very Senior Person at work has a fully automated networked home. Skylights, lighting, aircon, heating.


I asked about the heating, as there's an emerging pattern of drive-bys where script kiddies turn on the hot tub and put the heating on max, in August, while the owners are away.

I've advised this enthusiastic participant in the Internet-of-Things-with-password-Admin to get a security audit...

...But there's nobody I can recommend.

If they take it seriously - and they read your post about lightbulbs - they are senior enough that the corporate security unit might do it as a favour.

Or not; and nobody I would trust to look at a garage-door opener is advertising such a service to homeowners.

I worry that the heating boiler has a Connected maintenance interface for the combustion system, as well as the harmless-but-expensively prankable thermostat.

Data dump?

Date: 2016-03-13 03:47 pm (UTC)
From: (Anonymous)
Can you publish a tcpdump capture file with the actual data? It may be very interesting for learning about the protocol usage and general organization of that network.

Date: 2016-03-14 09:35 pm (UTC)
From: (Anonymous)
it's a pretty trivial web search to find the very short list (roughly one element long) of london hotels offering tablet switches. the numerous tripadvisor photos of these tablets on the hotel's page suggest that only tv on/off is available. so more work needed before the porn hack. as well as lights, heating/ac controls, and "please clean up room now".

Date: 2016-03-15 06:16 pm (UTC)
From: (Anonymous)
First thing that comes to mind (https://s-media-cache-ak0.pinimg.com/236x/af/bb/00/afbb001ddb0a52b9ce775e502252b9a6.jpg)

No big deal

Date: 2016-03-15 06:58 pm (UTC)
From: (Anonymous)
most people don't know how to bridge their computer in with linux commands. If anyone is so inclined to tamper with security, they could just go outside and pull the power breakers on or off..

This security isn't all that big a deal. Cybersecurity folks love to make any little vulnerability into a big deal..

Re: No big deal

Date: 2016-03-17 06:53 am (UTC)
From: (Anonymous)
what you aren't realizing is that with this type of automation starting to gain popularity, but with the general obliviousness of some of its adopters to the security precautions that should be taken, there is more at risk than simply cutting the power. In fact, cutting the power would be a clumsy, last-ditch way to STOP an intrusion. The threat isn't simply being able to turn off peoples lights to annoy them, but that an attacker could not only damage, but EXPLOIT the systems in place, and not always in obvious ways. An obvious way would be to gather personal information about a person by using their security cameras and such to spy on them, and using (or selling) that information for illegal gain. A less obvious one would be gaining access to their personal electronic devices through an unsecured connection to some nifty gadget they use at home, and using it to gain access to every piece of personal information they have by exploiting the insecurity of that connection to get around the other security features of the target's personal devices. By connecting to your smart-lightbulbs or something, you could potentially be handing over all of your bank account information to an attacker, as well as giving them access to your phone's cameras and microphones.

Re: No big deal

From: (Anonymous) - Date: 2016-03-21 01:17 pm (UTC) - Expand
From: (Anonymous)
Like:

http://dasalte.ccc.de/xxccc/chaosknoten_hdk_fernsehturm.jpg
http://tim.pritlove.org/images/blinkenlights-reloaded-flyer-huge.png

Germs

Date: 2016-05-23 02:43 am (UTC)
From: (Anonymous)
This would drive most germophobes crazy. http://hotelnightmares.com/things-germaphobes-dont-want-to-think-about/

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Member of the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags