Get That Silicon Valley Guy Out of Our Chinese Five-Star Hotel
A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.
Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.
Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.
After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.
"Hotels are particularly bad when it comes to security," Molina said. "[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings".
With residential automation, Molina explained, most systems will be closed and encrypted. However, in hotels and airports “or any other space where a lot of people access the network”, keeping the network secure is far more difficult.
Molina said the KNX automation system the hotel used was also insecure, which made the hack easier.
"I’m an ethical hacker, if you can say that," Molina said, explaining why he didn’t immediately plunge the entire hotel into darkness or switch every television to the same channel. Instead, he stood in the corridor and triggered the do-not-disturb lights, "so I knew I was able to control the room and everything inside".
Molina reported the problem to hotel management, which disabled the entire network while they sought a more secure automation solution. Molina said he hoped the hack, and the attention it had received, would lead to more hotels improving their security systems.
Joost Demarest, a spokesman for the KNX Association, said the most recent version of the standard did feature authentication and encryption and that it was “essential that separate Wi-fi networks are used” for the purposes of guest internet access and automation.
In a statement, St Regis Shenzhen said it had “temporarily suspended the control system of the in-room iPad remote controls for system upgrading”.
The hotel described Molina’s claim that he took control of the automation system as “unsubstantiated”.
Molina will present his findings at the Black Hat Briefings cybersecurity conference in Las Vegas next month.
"The hotel industry needs to wake up when it comes to security," he said of the risk posed to guests by open hotel Wi-fi networks.
"People think that they go to these portals and put in their room number and last name and then you access the internet," but anyone connected to the Wi-fi, even non-guests "can still see you, because we’re on the same network".
Security experts have long warned of the dangers of public Wi-fi.
"We have seen an increase in the misuse of Wi-fi in order to steal information, identity or passwords and money from users who use public or insecure Wi-fi connections," Troels Oerting, head of pan-European police force Europol’s cybercrime centre, told the BBC in March.
This article appeared in the South China Morning Post print edition as Hacker takes control of Shenzhen hotel’s rooms
Mat Honan at Wired. “The Nightmare on Connected Home Street”
I wake up at four to some old-timey dubstep spewing from my pillows. The lights are flashing. My alarm clock is blasting Skrillex or Deadmau5 or something, I don’t know. I never listened to dubstep, and in fact the entire genre is on my banned list. You see, my house has a virus again.
Technically it’s malware. But there’s no patch yet, and pretty much everyone’s got it. Homes up and down the block are lit up, even at this early hour. Thankfully this one is fairly benign. It sets off the alarm with music I blacklisted decades ago on Pandora. It takes a picture of me as I get out of the shower every morning and uploads it to Facebook. No big deal.
I don’t sleep well anyway, and already had my Dropcam Total Home Immersion account hacked, so I’m basically embarrassment-proof. And anyway, who doesn’t have nudes online? Now, Wat3ryWorm, that was nasty. That was the one with the 0-day that set off everyone’s sprinkler systems on Christmas morning back in ’22. It did billions of dollars in damage.
Going back to sleep would be impossible at this point, so I drag myself into the kitchen to make coffee. I know this sounds weird, but I actually brew coffee with a real kettle. The automatic coffee machine is offline. I had to pull its plug because it was DDOSing a gaming server in Singapore. Basically, my home is a botnet. The whole situation makes me regret the operating system I installed years ago, but there’s not much I can do. I’m pretty much stuck with it.
When I moved into my house in the 20s, I went with an Android-compatible system because there were more accessories and they were better designed. But then I changed jobs and now my home doesn’t work with my company-issued phone. Which is a bummer because I have to keep this giant 7-inch tablet around to control everything and Google doesn’t support the hardware anymore so I can’t update it and now the door just randomly unlocks. Ugh, I’m going to have to start using keys again.
I’d just reinstall the OS, but that would be too expensive. Besides, all my Nexus Home® stuff uses proprietary chargers, and I can’t deal with having Amazon drones come in and rip out the drywall again….