A security expert exploited a weak serial communications protocol used in a hotel where he was staying and found he was able to control every room’s light switches, TV, and curtains.
Matthew Garrett, a Linux and security expert, explains in a blog post that he was staying in a hotel while attending KubeCon in London, when he noticed something interesting: his hotel room used Android tablets instead of light switches, and two of the tablets next to the bed had Ethernet cables plugged into the wall.
Curious, Garrett borrowed some USB ethernet adapters and used them to set up a transparent bridge. An analysis using Wireshark revealed the traffic transmitted between the tablets and the wall was structured to the Modbus protocol over TCP, a weak protocol that doesn’t require any authentication. Using pymodbus, the security expert was able to play around with his room’s lights, curtains, and TV.
It was then, however, that the expert noticed he was communicating with the IP address 172.16.207.14. He was staying in room 714 – the last three digits of that IP address.
At that point, the true meaning of his discovery came to him:
“It’s basically as bad as it could be. Once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.”
Clearly, some prankster could use Garrett’s discovery to annoy the living daylights out of all of the hotel’s residents by turning everything on in the middle of the night.
But as noted by The Register, a more insidious character could leverage that level of control to infer who was in their rooms, knowledge which they could act upon if they were looking to break in and steal personal items while a room’s residents were away.
Garrett chose neither of these paths. Instead he alerted the hotel, the name of which he has intentionally withheld. The hotel’s staff, in turn, has reported that it is working on a fix for the issue.
These Android tablet light switch replacements join the ranks of a number of other Internet of Things (IoT) devices that have proven to be vulnerable.
These include LeapFrog toys, Hello Barbie, a dongle-based TV streamer, and a ‘smart’ doorbell amongst others.
Such shortcomings in IoT security have some top officials in the United States worried. ZDNet reported the views of U.S. Director of National Intelligence James Clapper:
“Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems.”
To enhance the security of IoT devices, it is the responsibility of Garrett and other researchers to report on these types of glaring vulnerabilities.
It is then up to ordinary users to demand more of these smart things’ manufacturers and to urge them to build their devices with security in mind.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Hacking a hotel: How to gain control of every room’s lights, TV, and curtains”
'when he noticed something interesting: his hotel room used Android tablets instead of light switches, and two of the tablets next to the bed had Ethernet cables plugged into the wall.'
Say rather that he noticed a really stupid design.
'Clearly, some prankster could use Garrett's discovery to annoy the living daylights out of all of the hotel's residents by turning everything on in the middle of the night.'
Thanks for the pun.
'Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems.'
Yet they consider using it infrastructures and government systems? Shameful.
'It is then up to ordinary users to demand more of these smart things' manufacturers and to urge them to build their devices with security in mind. '
But they're not trained in the matter. And even security-conscious programmers (and administrators, and otherwise anyone working with technology) are still human (not to say those not working with technology aren't human); they're prone to mistakes. So rather than encourage more (at least that's how I interpret your point) encourage less; the only fix is to get rid of the IoT (which I realise won't happen but if more people recognise this the better things will be even if only for those who see the problem). But you're right in that since it's not going away they should really do a much better job – or don't participate in the IoT. It will take a lot of people before this happens and I would hazard a guess that there will never be enough.