I'm in London for Kubecon right now, and the hotel I'm staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets. One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall. So.
I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!
And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they?
I mean yes obviously they would.
It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.
We're doomed.
(edited: this previously claimed I could only access systems on my own floor, but it turns out that each floor is a separate broadcast domain and I just needed to set a gateway to access the others)
(further edit: I'm deliberately not naming the hotel. They were receptive to my feedback and promised to do something about the issue.)
More likely because Modbus is an industry standard protocol for controlling machinery and its implementations are widely available for PLCs and such.
There is nothing intrinsically wrong with using Modbus - but they should have layered some authentication on top of it.
Or simply used normal switches so that the guest doesn't have to pee their bed while fumbling with a crashed tablet in the middle of the night trying to turn the toilet lights on!
I swear this is just me "thinking like an attacker", but: what a really nasty attacker would do would be to send the "open curtains" command to all rooms, wait 30 seconds, and then send the "set room lights to full" command, all the time training one or more high-resolution video cameras at the hotel from the outside or a building opposite.
I wonder what percentage of hotel guests sleep naked?
I wonder how much business such a hotel would get in the ensuing 12 months?
IIRC they infected specific versions of Windows machines connected to specific Siemens controllers, and the network/auth breach was in that those machines were hooked up to some network, not in the control protocol itself.
Your post seems to imply that being able to control another room's lights is the greatest security threat. It isn't: reading other rooms' settings is.
While it would be annoying to have the lights turn on in the middle of the night, it would only be that (annoying). On the other hand, being able to read the current state of another room's lights leaks information about human behavior. It would be pretty trivial to get a statistical profile of the rooms to determine which rooms have occupants that have either departed or are asleep. These rooms then become targets for theft, vandalism or worse.
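Added example, not code from the post or from any commenter: a minimal Modbus/TCP request parser and an audit pass that flags any request reaching a room controller from a client other than that room's own tablet. It covers both the write commands the original post describes (function codes 5, 6, 15, 16) and the plain state reads this comment points out, since an unexpected reader is just as much of a signal as an unexpected writer on a protocol with no authentication. The controller address 172.16.207.14 is from the post; the tablet addresses, the second controller and the allowlist mapping are constructed placeholders, and the frames are built inline rather than captured.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (writes) vs. query it (reads).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP application frame: 7-byte MBAP header + PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, bytes that
    follow the length field, i.e. unit id + PDU), unit id (1). PDU starts with
    the function code byte.
    """
    if len(payload) < 8:
        raise ValueError("frame too short")
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, uid, payload[7], payload[8:])


def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Encode a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def coil_write_target(req: ModbusRequest):
    """For Write Single Coil, return (coil address, on?) so an alert can say what was toggled."""
    if req.function_code != 5 or len(req.data) != 4:
        return None
    address, value = struct.unpack(">HH", req.data)
    return address, value == 0xFF00


def audit(records, allowlist):
    """records: (src_ip, dst_ip, payload). allowlist: controller ip -> set of permitted client ips.

    Returns a list of (src, dst, message) alerts. Any request from a client not
    paired with the controller is reported, reads included.
    """
    alerts = []
    for src, dst, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed frame: {exc}"))
            continue
        if src in allowlist.get(dst, set()):
            continue  # the room's own tablet talking to the room's own controller
        kind = "write" if req.function_code in WRITE_FUNCTIONS else "read"
        detail = ""
        target = coil_write_target(req)
        if target is not None:
            detail = f" coil={target[0]} on={target[1]}"
        alerts.append((src, dst, f"{kind} fc={req.function_code} from unexpected client{detail}"))
    return alerts


# Constructed sample: controller 172.16.207.14 is from the post; everything else is a placeholder.
ALLOWLIST = {"172.16.207.14": {"10.0.7.14"}, "172.16.207.22": {"10.0.7.22"}}
SAMPLE_RECORDS = [
    ("10.0.7.14", "172.16.207.14", build_request(1, 1, 1, b"\x00\x00\x00\x08")),  # own tablet reads 8 coils
    ("10.0.7.14", "172.16.207.14", build_request(2, 1, 5, b"\x00\x01\xff\x00")),  # own tablet switches a light
    ("10.0.7.99", "172.16.207.14", build_request(3, 1, 5, b"\x00\x01\xff\x00")),  # foreign client writes
    ("10.0.7.99", "172.16.207.22", build_request(4, 1, 1, b"\x00\x00\x00\x08")),  # foreign client polls state
    ("10.0.7.99", "172.16.207.22", b"\x00\x05\x00\x00\x00\x02"),                    # truncated frame
]


def run_audit():
    return audit(SAMPLE_RECORDS, ALLOWLIST)


if __name__ == "__main__":
    for src, dst, msg in run_audit():
        print(f"ALERT {src} -> {dst}: {msg}")
```

In a real deployment the allowlist would come from the room-to-controller inventory, and the records from a span port on the controller network rather than a hand-built list; the point is that with no authentication in the protocol, the client address is the only thing available to distinguish the room's tablet from anyone else plugged into the wall.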
You could also do this by watching from across the road for any length of time, the old fashioned way. You could get every floor too if you were high enough.
What he's implying, I believe, is that you could sit in a building opposite with telephoto camera, open the blinds and turn on the lights, and blackmail any occupants you found in compromising positions.
Probably a worse threat for many people than having their stuff stolen.
Those tablets are vulnerable network cameras and microphones.
Installed in multiple places in every room, conveniently indexed by room number. I really doubt they run up to date software. Chances are they can be pwned and turned into bugs.
I would imagine a company this negligent could have its netmasking busted with only slightly more effort, though it might require more professional tools than just a packet sniffer.