Researcher Demonstrates How IoT Vulnerabilities Can Disrupt Hotel Vacations


LEXFO security consultant Kya Supa explained how attackers can exploit vulnerabilities in IoT devices and turn the lives of hotel guests into a real nightmare.


Speaking at the Black Hat USA conference in Las Vegas, Supa explained how he managed to exploit a chain of vulnerabilities and gain control of the rooms in a capsule hotel.


During one of his trips abroad, the researcher stayed in a capsule hotel. When guests check in, they are given an iPod Touch to control the devices in the room. The room has a bed, a fan, and a curtain separating it from the rest of the space.


Among the technologies used by the hotel, Supa named NFC cards for each floor, the ability to project the device's screen onto a curtain, and an iPod Touch. Guests can control the lights and fan and transform the rollaway bed using an app connected to the devices via Bluetooth or Wi-Fi.


Supa's neighbor, "Bob," was talking loudly on the phone early in the morning, not allowing him to rest. The researcher politely asked the neighbor to speak more quietly, but "Bob" ignored the request, and Supa decided to take revenge.


The first thing the researcher did was examine his room. He found emergency lights, a Nasnos automation center for use if the iPod Touch was lost, an electric motor to operate the roll-out bed, and a Nasnos router built into the wall.


If you connect to the router via a smartphone, you can control other devices on the network. Guests could not exit the app or turn off the iPod Touch: the Apple Gateway software was used to prevent unauthorized access to the device, and a password was required to access other features.


To bypass this protection, Supa drained the battery and then examined the iPod Touch's settings. He found that the device was connected to two networks: the hotel Wi-Fi and the router.


To obtain the router key, Supa targeted WEP, a protocol that has been known for years to be insecure. He discovered a number of access points, each corresponding to one of the rooms. Supa checked the traffic and found weak credentials ("123"). What happened next is easy to guess.


Using an Android smartphone, the iPod Touch, and a laptop, the researcher built a man-in-the-middle (MitM) setup and inspected the network traffic. He found no encryption, and wrote a simple program to tamper with these connections, allowing him to take control of his room from his laptop.


Next, it was necessary to determine whether the key he had obtained also applied to devices in other rooms. Supa downloaded an app for the Nasnos router and reverse-engineered the software to see how the Wi-Fi key was generated. Although this investigation failed, the researcher found that packets were being sent over UDP port 968, and the lack of authentication meant he was still able to get the Wi-Fi keys.


As it turned out, the keys differed by only four characters, so with the help of brute force, the researcher was able to obtain them and take control of the "smart" functions of each room.
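A defensive check for the weakness described above, added here as an example and not taken from the talk or the vendor: it audits a provisioning inventory of per-room keys and reports how many character positions actually differ between devices. The key format (26 hex characters), the constructed sample keys, the function name and the 64-bit threshold are all assumptions.

```python
import math

def audit_fleet_keys(keys, alphabet_size=16, min_bits=64):
    """Measure how much of each per-device key really differs across a fleet.

    keys: dict of device name -> provisioned key string.
    alphabet_size: assumed symbols per position (16 for hex-encoded keys).
    min_bits: assumed minimum acceptable per-device entropy.
    """
    values = list(keys.values())
    lengths = {len(k) for k in values}
    if len(lengths) != 1:
        raise ValueError("keys have different lengths; audit each length separately")
    length = lengths.pop()
    # A position only helps separate devices if at least two keys differ there.
    varying = [i for i in range(length) if len({k[i] for k in values}) > 1]
    bits_per_symbol = math.log2(alphabet_size)
    effective_bits = len(varying) * bits_per_symbol
    duplicates = len(values) - len(set(values))
    return {
        "key_length": length,
        "varying_positions": varying,
        "nominal_bits": length * bits_per_symbol,
        # Upper bound on what separates one device's key from another's
        # for someone who already holds any single key from the fleet.
        "effective_bits": effective_bits,
        "duplicate_keys": duplicates,
        "weak": effective_bits < min_bits or duplicates > 0,
    }

# Constructed sample inventory (not real keys): a shared 22-character prefix
# followed by four per-room characters, mirroring the pattern in the article.
SAMPLE_PREFIX = "a1b2c3d4e5f60718293a4b"
SAMPLE_FLEET = {
    "room-101": SAMPLE_PREFIX + "0f3c",
    "room-102": SAMPLE_PREFIX + "91d7",
    "room-103": SAMPLE_PREFIX + "5a20",
    "room-104": SAMPLE_PREFIX + "c4e8",
}

if __name__ == "__main__":
    report = audit_fleet_keys(SAMPLE_FLEET)
    for field, value in report.items():
        print(f"{field}: {value}")
```

A fleet that passes this check can still be weak for other reasons, such as the use of WEP itself; the audit only catches keys that share most of their content.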


Now that Supa could control every room and "Bob" was still there, the researcher manipulated the lighting in the different rooms until he found the one he wanted. He wrote a script that would fold the bed into the sofa every two hours and turn the lights on and off, and started it at midnight, so Bob couldn't get enough sleep that night either.


A capsule hotel is a type of Japanese hotel made up of small sleeping cells stacked one above the other. A room in a capsule hotel is a capsule measuring approximately 2 × 1 × 1.25 m, large enough to sleep, watch TV or read in. Privacy is provided by a fiberglass curtain or door at the open end of the capsule.
