I'm in London for Kubecon right now, and the hotel I'm staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets. One was embedded in the wall, but the two next to the bed had convenient-looking ethernet cables plugged into the wall. So.
I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!
And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they?
I mean yes obviously they would.
It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.
We're doomed.
(edited: this previously claimed I could only access systems on my own floor, but it turns out that each floor is a separate broadcast domain and I just needed to set a gateway to access the others)
(further edit: I'm deliberately not naming the hotel. They were receptive to my feedback and promised to do something about the issue.)
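An added example (not code from the post): because Modbus/TCP frames carry no credentials, a monitor on the controller network can only judge a request by its source address and function code. The code below parses the MBAP header and flags any request that reaches a room controller from something other than its expected panel; the addresses, frames and the `expected_clients` inventory are constructed assumptions.

```python
import struct

# Function codes that change device state (Modbus application protocol spec).
WRITE_FUNCS = {5: "write single coil", 6: "write single register",
               15: "write multiple coils", 16: "write multiple registers"}

def parse_adu(payload):
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU.
    Returns None if malformed. Note there is no field for a credential."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    return {"tid": tid, "unit": unit, "func": pdu[0], "data": pdu[1:]}

def audit(flows, expected_clients):
    """flows: (src_ip, dst_ip, tcp_payload) tuples for client-to-server
    traffic on TCP port 502. expected_clients: controller IP -> set of
    client IPs allowed to talk to it (hypothetical inventory)."""
    alerts = []
    for src, dst, payload in flows:
        if src in expected_clients.get(dst, set()):
            continue  # the controller's own panel
        adu = parse_adu(payload)
        if adu is None:
            alerts.append((src, dst, "malformed frame"))
        else:
            kind = WRITE_FUNCS.get(adu["func"], "read/other function %d" % adu["func"])
            alerts.append((src, dst, kind))
    return alerts

# Constructed sample data (documentation address range, not from the post).
WRITE_COIL = bytes.fromhex("00010000000601050003ff00")  # coil 3 -> ON
READ_REGS = bytes.fromhex("000200000006010300000002")   # read 2 registers
TRUNCATED = bytes.fromhex("0003000000060105")           # header claims more bytes
EXPECTED = {"192.0.2.50": {"192.0.2.10"}, "192.0.2.51": {"192.0.2.11"}}
SAMPLE = [("192.0.2.10", "192.0.2.50", WRITE_COIL),
          ("192.0.2.99", "192.0.2.50", WRITE_COIL),
          ("192.0.2.99", "192.0.2.51", READ_REGS),
          ("192.0.2.99", "192.0.2.51", TRUNCATED)]

if __name__ == "__main__":
    for alert in audit(SAMPLE, EXPECTED):
        print(alert)
```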
Most people don't know how to bridge their computer in with Linux commands. If anyone is so inclined to tamper with security, they could just go outside and pull the power breakers on or off.
This security isn't all that big a deal. Cybersecurity folks love to make any little vulnerability into a big deal.
What you aren't realizing is that with this type of automation starting to gain popularity, but with the general obliviousness of some of its adopters to the security precautions that should be taken, there is more at risk than simply cutting the power. In fact, cutting the power would be a clumsy, last-ditch way to STOP an intrusion. The threat isn't simply being able to turn off people's lights to annoy them, but that an attacker could not only damage, but EXPLOIT the systems in place, and not always in obvious ways. An obvious way would be to gather personal information about a person by using their security cameras and such to spy on them, and using (or selling) that information for illegal gain. A less obvious one would be gaining access to their personal electronic devices through an unsecured connection to some nifty gadget they use at home, and using it to gain access to every piece of personal information they have by exploiting the insecurity of that connection to get around the other security features of the target's personal devices. By connecting to your smart-lightbulbs or something, you could potentially be handing over all of your bank account information to an attacker, as well as giving them access to your phone's cameras and microphones.
No big deal
(Anonymous) 2016-03-15 06:58 pm (UTC)
Re: No big deal
(Anonymous) 2016-03-17 06:53 am (UTC)
Re: No big deal
(Anonymous) 2016-03-21 01:17 pm (UTC)
But once the cat's out of the bag all it takes is someone to conveniently package this for mass pranksters or worse to use.
Most people are capable of following simple instructions, "connect cables", start program...