Matthew Garrett (mjg59) wrote 2016-03-11 01:36 pm

I stayed in a hotel with Android lightswitches and it was just as bad as you'd imagine

I'm in London for Kubecon right now, and the hotel I'm staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets.
[Image: a wall-mounted tablet showing the dialog "UK_bathroom isn't responding. Do you want to close it?"]
One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall. So.

I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!

And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn't, would they?

I mean yes obviously they would.

It's basically as bad as it could be - once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off - instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.

We're doomed.

(edited: this previously claimed I could only access systems on my own floor, but it turns out that each floor is a separate broadcast domain and I just needed to set a gateway to access the others)

(further edit: I'm deliberately not naming the hotel. They were receptive to my feedback and promised to do something about the issue.)
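As an added example (not code from the original post), here is how a monitor on the hotel's side could decode the Modbus/TCP frames described above and flag the two things the post relied on: write commands from anything other than a room's own tablet, and one client talking to more than one room controller. Only 172.16.207.14 (room 714's controller) comes from the post; the tablet and laptop addresses and the sample frames are constructed.

```python
import struct
from collections import defaultdict

# Modbus/TCP function codes: writes change coil/register state (lights, curtains, TV)
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FUNCTIONS = {1, 2, 3, 4}  # read coils / discrete inputs / holding / input registers

def parse_request(frame: bytes):
    """Decode a Modbus/TCP request (7-byte MBAP header, then the PDU).
    Returns (transaction_id, unit_id, function_code, start_address)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    address = -1  # not every function code carries a start address
    if (function in READ_FUNCTIONS or function in WRITE_FUNCTIONS) and len(frame) >= 10:
        address = struct.unpack(">H", frame[8:10])[0]
    return tid, unit, function, address

def audit(packets, allowed_writers):
    """packets: (src_ip, dst_ip, frame); allowed_writers: controller ip -> set of client ips.
    Flags writes from anything but the room's own tablet, and any client that talks
    to more than one controller (a tablet has no reason to know other rooms exist)."""
    alerts, seen = [], defaultdict(set)
    for src, dst, frame in packets:
        _, _, function, address = parse_request(frame)
        if function in WRITE_FUNCTIONS and src not in allowed_writers.get(dst, set()):
            alerts.append(f"{src} -> {dst}: {WRITE_FUNCTIONS[function]} at {address} from unauthorised client")
        seen[src].add(dst)
        if len(seen[src]) == 2:
            alerts.append(f"{src}: talking to several room controllers (possible scan)")
    return alerts

# Constructed sample traffic; only 172.16.207.14 (room 714's controller) is from the post.
TABLET, LAPTOP = "172.16.207.114", "172.16.207.200"  # hypothetical client addresses
SET_COIL_ON = bytes.fromhex("000100000006" "01" "05" "0000" "ff00")  # fc 5: coil 0 -> ON
READ_COILS = bytes.fromhex("000200000006" "01" "01" "0000" "0008")   # fc 1: read 8 coils
SAMPLE = [(TABLET, "172.16.207.14", SET_COIL_ON),
          (LAPTOP, "172.16.207.14", SET_COIL_ON),
          (LAPTOP, "172.16.207.15", READ_COILS)]
ALLOWED = {"172.16.207.14": {TABLET}}

if __name__ == "__main__":
    for line in audit(SAMPLE, ALLOWED):
        print(line)
```

On the sample, the tablet's own write passes, the laptop's write to room 714 is flagged, and the laptop's read of a second controller triggers the scan alert.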

(Anonymous) 2016-03-11 02:55 pm (UTC)
My coworker asks whether you can control the channels. Can you set all of your neighbours' TVs to pay-per-view while they're out?

Modbus?

(Anonymous) 2016-03-11 03:05 pm (UTC)
I worked on Modbus networking software in the 1980s at Modicon. Why would anyone use that for controlling IoT in 2016? It is baffling.

Hotel name?

(Anonymous) 2016-03-11 03:35 pm (UTC)
This practice will never improve if hotels that do it remain anonymous. They have absolutely no incentive to fix their security.

Hotel wifi?

(Anonymous) 2016-03-11 03:46 pm (UTC)
Did you check to see if that range was visible from the hotel wifi?

Even worse?

(Anonymous) 2016-03-11 04:02 pm (UTC)
I swear this is just me "thinking like an attacker", but: what a really nasty attacker would do would be to send the "open curtains" command to all rooms, wait 30 seconds, and then send the "set room lights to full" command, all the time training one or more high-resolution video cameras at the hotel from the outside or a building opposite.

I wonder what percentage of hotel guests sleep naked?

I wonder how much business such a hotel would get in the ensuing 12 months?

You know what to do

(Anonymous) 2016-03-11 05:12 pm (UTC)
Lightswitch rave!

Could be worse

(Anonymous) 2016-03-11 05:44 pm (UTC)
At least I hope the fire control wasn't on the same Modbus...

Leaking Behavior

(Anonymous) 2016-03-11 05:50 pm (UTC)
Your post seems to imply that being able to control another room's lights is the greatest security threat. It isn't: reading other rooms' settings is.

While it would be annoying to have the lights turn on in the middle of the night, it would only be that (annoying). On the other hand, being able to read the current state of another room's lights leaks information about human behavior. It would be pretty trivial to get a statistical profile of the rooms to determine which rooms have occupants that have either departed or are asleep. These rooms then become targets for theft, vandalism or worse.

Those tablets are vulnerable network cameras and microphones

(Anonymous) 2016-03-12 12:11 am (UTC)
Installed in multiple places in every room, conveniently indexed by room number. I really doubt they run up to date software. Chances are they can be pwned and turned into bugs.

Criminal offence

(Anonymous) 2016-03-12 10:52 am (UTC)
I think you just publicly confessed to a criminal offence...?

They would do nothing about it.

(Anonymous) 2016-03-12 02:05 pm (UTC)
The person who knows about the issue doesn't know what to do with it
The person who can fix the problem would never hear about it
The person in position of power to make it OK doesn't really care

That's usually how the world works, IMO. Did you make sure you got the info to the right people - or - are you sure about not posting the name of the hotel?

Interesting

(Anonymous) 2016-03-12 06:20 pm (UTC)
An interesting story about how lazy designs can be.

Next question would be - if there are Android tablets, don't they have microphones and speakers? Taking the sounds from one room and playing them in another would be a nice prank. Especially if it's done by installing that feature as an app on the tablets, so you won't need any added computer.

The Hotel will not do a thing until BAD Publicity

(Anonymous) 2016-03-12 08:56 pm (UTC)
Having worked in many hotels, this lack of security is not a surprise. The automation tells me they were looking for a selling point.

That you pointed it out to the front desk and/or management is good but will do nothing; they will forget about it.

Until they get sued for "large amount of money" and bad press.

Next stop, cameras everywhere on every door... NO peepholes.

You realise this has literally nothing to do with Android...

(Anonymous) 2016-03-13 04:36 am (UTC)
Android doesn't come with light control software baked into the OS. Someone wrote an app and built controllers with poor security. The weakness is in the light switch software, not in Android.

hairyears 2016-03-13 03:07 pm (UTC)
Interesting...

A general question: a Very Senior Person at work has a fully automated networked home. Skylights, lighting, aircon, heating.
I asked about the heating, as there's an emerging pattern of drive-bys where script kiddies turn on the hot tub and put the heating on max, in August, while the owners are away.

I've advised this enthusiastic participant in the Internet-of-Things-with-password-Admin to get a security audit...

...But there's nobody I can recommend.

If they take it seriously - and they read your post about lightbulbs - they are senior enough that the corporate security unit might do it as a favour.

Or not; and nobody I would trust to look at a garage-door opener is advertising such a service to homeowners.

I worry that the heating boiler has a Connected maintenance interface for the combustion system, as well as the harmless-but-expensively prankable thermostat.

Data dump?

(Anonymous) 2016-03-13 03:47 pm (UTC)
Can you publish a tcpdump capture file with the actual data? It may be very interesting for learning about the protocol usage and general organization of that network.

(Anonymous) 2016-03-14 09:35 pm (UTC)
It's a pretty trivial web search to find the very short list (roughly one element long) of London hotels offering tablet switches. The numerous TripAdvisor photos of these tablets on the hotel's page suggest that only TV on/off is available. So more work needed before the porn hack. As well as lights, heating/AC controls, and "please clean up room now".

(Anonymous) 2016-03-15 06:16 pm (UTC)
First thing that comes to mind (https://s-media-cache-ak0.pinimg.com/236x/af/bb/00/afbb001ddb0a52b9ce775e502252b9a6.jpg)

No big deal

(Anonymous) 2016-03-15 06:58 pm (UTC)
Most people don't know how to bridge their computer in with Linux commands. If anyone is so inclined to tamper with security, they could just go outside and pull the power breakers on or off...

This security isn't all that big a deal. Cybersecurity folks love to make any little vulnerability into a big deal..

Ever thought about coming back and making a blinkenlights?

(Anonymous) 2016-04-19 11:27 am (UTC)
Like:

http://dasalte.ccc.de/xxccc/chaosknoten_hdk_fernsehturm.jpg
http://tim.pritlove.org/images/blinkenlights-reloaded-flyer-huge.png

Germs

(Anonymous) 2016-05-23 02:43 am (UTC)
This would drive most germophobes crazy. http://hotelnightmares.com/things-germaphobes-dont-want-to-think-about/