In-brief: security researcher Matthew Garrett of the firm COREOS found that software-based lighting controls in his London hotel room, which had replaced mechanical light switches, could be easily hacked, giving him the ability to control lighting in any room in the facility.
This week brought another warning shot about the dangers posed by the fast-spreading Internet of Things, as software applications replace even the simplest, mechanical devices in our homes, offices and other environments.
Specifically: security researcher Matthew Garrett of the firm COREOS found that software-based lighting controls in his London hotel room, which had replaced mechanical light switches, could be easily hacked, giving him the ability to control lighting in any room in the facility.
Garrett wrote about the incident on his personal blog, describing an ugly-sounding “smart hotel” implementation in which Android tablets had been embedded in the wall and placed next to the bed, connected only by “convenient looking ethernet cables plugged into the wall.”
Garrett, a talented security researcher and developer who is also a member of the Free Software Foundation, decided to poke around. He set up his own laptop to capture traffic sent do and from the wall-mounted tablet and used the free tool Wireshark to analyze it.
The device used the Modbus protocol over TCP. Modbus is a common protocol that is common to legacy industrial control environments, including building automation. As Garrett notes, it is also a “trivial protocol, and notably has no authentication whatsoever.” Garrett noted that, using the pymodbus module, he could control the lights, television and curtains in his room from his laptop.
Finally, Garrett noted that the traffic he had captured was sent to the IP address 172.16.207.14 – and that his room number was 714. Coincidence? Sadly, no.
It’s basically as bad as it could be – once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.
Garrett isn’t the first security pro to fiddle with “connected room” features at high end hotel (where such features seem to concentrate). At the 2014 Black Hat Briefings and Def Con conferences, Jesus Molina (@verifythentrust) did so. His report can be found here (PDF).
Other security researchers, including Billy Rios, have dug behind panels in their hotel rooms to expose the (mostly) commodity hardware and software that is the guts of modern, connected hotels.
Besides hijinx, there is value to be had in compromising hotel rooms. Kaspersky Lab in 2014 exposed a malware campaign dubbed “Dark Hotel” that lurked at high end hotels and targeted guests with information stealing malware.
Marc Blackmer has written on these pages about the need to balance benefit and risk when considering IoT or “connected stuff” deployments. You can check out his opinion piece here.