Matthew Garrett (mjg59) wrote 2016-03-11 01:36 pm

I stayed in a hotel with Android lightswitches and it was just as bad as you'd imagine

I'm in London for Kubecon right now, and the hotel I'm staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets.
[Image: a tablet displaying the text "UK_bathroom isn't responding. Do you want to close it?"]
One was embedded in the wall, but the two next to the bed had convenient-looking ethernet cables plugged into the wall. So.

I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!

And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they?

I mean yes obviously they would.

It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.

We're doomed.

(edited: this previously claimed I could only access systems on my own floor, but it turns out that each floor is a separate broadcast domain and I just needed to set a gateway to access the others)

(further edit: I'm deliberately not naming the hotel. They were receptive to my feedback and promised to do something about the issue.)
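
A defender's view of the same traffic, as an added example that is not part of the original post: it parses Modbus/TCP request frames, which carry no field that identifies the sender, and flags any request reaching a room controller from a source other than that room's own tablet. The controller address is the one from the post; the tablet and other-floor addresses, the allowlist and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

# Standard Modbus function codes; the write codes change device state.
READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
WRITES = {5: "Write Single Coil", 6: "Write Single Register",
          15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_request(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and data.
    No field in either part identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:  # length counts the unit id and the PDU
        raise ValueError("MBAP length does not match frame size")
    func = frame[7]
    return {"tid": tid, "unit": unit, "func": func, "write": func in WRITES,
            "name": WRITES.get(func) or READS.get(func, "other")}

def audit(requests, allowed):
    """Alert on requests whose source is not an allowed client of the controller."""
    alerts = []
    for src, dst, frame in requests:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        if ipaddress.ip_address(src) not in allowed.get(dst, set()):
            kind = "write" if req["write"] else "read"
            alerts.append((src, dst, f"unauthorised {kind}: {req['name']}"))
    return alerts

# Constructed sample data. 172.16.207.14 is the controller address from the post;
# the tablet and other-floor addresses are assumptions made for this example.
CONTROLLER, TABLET, OTHER = "172.16.207.14", "172.16.207.114", "172.16.203.50"
ALLOWED = {CONTROLLER: {ipaddress.ip_address(TABLET)}}
WRITE_COIL = bytes.fromhex("0001 0000 0006 01 05 0001 ff00")
READ_COILS = bytes.fromhex("0002 0000 0006 01 01 0000 0008")
SAMPLE = [(TABLET, CONTROLLER, WRITE_COIL), (OTHER, CONTROLLER, READ_COILS),
          (OTHER, CONTROLLER, WRITE_COIL), (OTHER, CONTROLLER, WRITE_COIL[:9])]

if __name__ == "__main__":
    for alert in audit(SAMPLE, ALLOWED):
        print(alert)
```

Because the protocol itself cannot tell the tablet from any other host, the allowlist here stands in for what network segmentation or a firewall rule per room would have to enforce.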

Re: Criminal offence

(Anonymous) 2016-03-12 11:15 am (UTC)
Under what criminal statute exactly?

"Your Honour, my client merely tried to get his hotel-room Internet to work."

Re: Criminal offence

(Anonymous) 2016-03-12 02:28 pm (UTC)
Computer Misuse Act (1990)

Re: Criminal offence

(Anonymous) 2016-03-14 07:38 am (UTC)
Just rattling something off you heard in the movie Hackers once does not make you any sort of legal expert.

Which part of the act exactly did this violate?

Network sniffing and reading data transmitted over a network is in no way against the Computer Abuse Act, you idiot.

Re: Criminal offence

http://apebox.org/wordpress/ 2016-03-14 10:49 am (UTC)
http://www.legislation.gov.uk/ukpga/1990/18/section/1

Unauthorised access to computer material.

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured];

(b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

The access was definitely unauthorised (b), and he knew it (c). So the question is whether IoT targets count as computers, for the purposes of the act, for (a) to apply.

Re: Criminal offence

(Anonymous) 2016-03-15 02:52 pm (UTC)
According to this, it's only criminal if a male does any of those things.

Re: Criminal offence

http://apebox.org/wordpress/ 2016-03-15 03:10 pm (UTC)
http://www.legislation.gov.uk/ukpga/1978/30

Interpretation Act 1978:

6 Gender and number.

In any Act, unless the contrary intention appears,—
(a) words importing the masculine gender include the feminine;

Re: Criminal offence

(Anonymous) 2016-03-14 07:40 am (UTC)
What a wanker.

Nothing he did violates that act. The hotel in fact gives guests access to the network for free. So he in no way violated the network by sniffing data.

Are you really this stupid?

Re: Criminal offence

(Anonymous) 2016-03-14 04:21 pm (UTC)
Do you think the hotel intended to authorise access in that manner? I'm pretty sure they didn't, and if I was a juror or magistrate I don't think I'd believe anybody believed they did.