Gee Whiz! Connected Hotel Room Controls Vulnerable to Hacking

Connected hotel room features have proven susceptible to hacking.
Connected hotel room features have proven susceptible to hacking.

In-brief: security researcher Matthew Garrett of the firm COREOS found that software-based lighting controls in his London hotel room, which had replaced mechanical light switches, could be easily hacked, giving him the ability to control lighting in any room in the facility.

This week brought another warning shot about the dangers posed by the fast-spreading Internet of Things, as software applications replace even the simplest, mechanical devices in our homes, offices and other environments.


Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.


Specifically: security researcher Matthew Garrett of the firm COREOS found that software-based lighting controls in his London hotel room, which had replaced mechanical light switches, could be easily hacked, giving him the ability to control lighting in any room in the facility.

Garrett investigated tablet based controls for lighting, television and curtains in his London hotel room and found it easy to hack them. (Image courtesy of Matthew Garrett.)
Garrett investigated tablet based controls for lighting, television and curtains in his London hotel room and found it easy to hack them. (Image courtesy of Matthew Garrett.)

Garrett wrote about the incident on his personal blog, describing an ugly-sounding “smart hotel” implementation in which Android tablets had been embedded in the wall and placed next to the bed, connected only by “convenient looking ethernet cables plugged into the wall.”

Garrett, a talented security researcher and developer who is also a member of the Free Software Foundation, decided to poke around. He set up his own laptop to capture traffic sent do and from the wall-mounted tablet and used the free tool Wireshark to analyze it.

The device used the Modbus protocol over TCP. Modbus is a common protocol that is common to legacy industrial control environments, including building automation. As Garrett notes, it is also a “trivial protocol, and notably has no authentication whatsoever.” Garrett noted that, using the pymodbus module, he could control the lights, television and curtains in his room from his laptop.

Finally, Garrett noted that the traffic he had captured was sent to the IP address 172.16.207.14 – and that his room number was 714. Coincidence? Sadly, no.

It’s basically as bad as it could be – once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.

Garrett isn’t the first security pro to fiddle with “connected room” features at high end hotel (where such features seem to concentrate). At the 2014 Black Hat Briefings and Def Con conferences, Jesus Molina (@verifythentrust) did so. His report can be found here (PDF).

Other security researchers, including Billy Rios, have dug behind panels in their hotel rooms to expose the (mostly) commodity hardware and software that is the guts of modern, connected hotels.

Besides hijinx, there is value to be had in compromising hotel rooms. Kaspersky Lab in 2014 exposed a malware campaign dubbed “Dark Hotel” that lurked at high end hotels and targeted guests with information stealing malware.

Marc Blackmer has written on these pages about the need to balance benefit and risk when considering IoT or “connected stuff” deployments. You can check out his opinion piece here.

2 Comments

  1. While security in the IoT age is of course a major concern, it’s all too easy for writers to cite poor IOT examples, scaremonger everyone into believing its not safe and not explain that many reputable suppliers have already spent years on building-in security such as encryption, authentication, sequencing and watchdog messages to prevent eavesdropping, man-in-the-middle attacks, replay attacks and nobody home attacks. Qualcomm’s CSRmesh is such a case in point that provides a fairly secure home/building automation platform that incorporates the above features and doesn’t cost the earth.

  2. Pingback: Research Raises More Alarms On Connected Home Products | The Security Ledger