Bob had a bad night: IoT mischief in a capsule hotel takes neighborly revenge to the next level
BLACK HAT USA: Researchers have revealed how security vulnerabilities could be exploited to compromise hotel Internet of Things (IoT) devices -- and take revenge on loud neighbors.
IoT devices are now commonplace both in businesses and in the home. These internet- and often Bluetooth-connected products range from security cameras and smart lighting to fridges that monitor your foodstuffs, pet trackers, and intelligent thermostats -- and in the hospitality space, IoT is also employed to give guests more control over their stay.
These services are sometimes offered through dedicated apps and tablets, allowing the management of lights, heaters, air conditioning, televisions, and more.
However, the moment you network IoT and hand over control to third parties, you may also give individuals the keys to a digital kingdom -- and the ability to cause mischief, or worse.
Vulnerabilities in IoT devices vary. They can range from hardcoded, weak credentials to bugs that allow local attackers to hijack devices, remote code execution (RCE) flaws, information-leaking interfaces, and a lack of security and firmware updates -- the latter of which is a frequent problem in legacy and early IoT products.
Speaking at Black Hat USA, Las Vegas, security consultant Kya Supa from LEXFO explained how a chain of security weaknesses was combined and exploited to gain control of rooms at a capsule hotel, a budget-friendly type of hotel offering extremely small -- and, therefore, cozy -- spaces to guests, who are stacked side-by-side.
Supa was traveling and checked in to a capsule hotel abroad. When they arrived, guests were issued an iPod Touch. The capsules contained a bed and curtain for privacy, as well as a ventilation fan. The technology in use included NFC cards for each floor, the option to mirror a device screen on the curtain, and on the iPod Touch, guests could control the lights, ventilation fan, and change the position of the adjustable bed via an app.
The app was connected via either Bluetooth or Wi-Fi.
A neighbor, "Bob," kept waking Supa up by making loud phone calls in the early hours of the morning. While Bob had agreed to keep it down, he did not keep his promise -- and the researcher set to work since he needed his sleep, especially during his vacation.
The first thing Supa did was to explore his room, finding an emergency light installed for safety reasons; a Nasnos automaton center for use in controlling products in case the iPod Touch was lost; an electric motor used to manage the incline of the capsule's bed; and a Nasnos router, hidden in the wall.
If you connected to the router via a smartphone, it was then possible to control other devices on the network, and this was the setup the hotel chose to use.
It was not possible to exit the app or turn off the iPod Touch. Apple's Gateway software was in use to stop the device from being tampered with, so a passcode was required for any other action.
To circumvent these protections, Supa was able to drain the battery and then explore the iPod Touch's settings. He found that two networks were connected -- the hotel Wi-Fi and the router.
To retrieve the router key, Supa targeted WEP, a protocol that has been known to be weak for years. Access points were found, each being one of the bedrooms. Supa inspected the traffic and found weak credentials in place -- "123" -- and you can guess the rest.