
Hacker takes control of hundreds of rooms in hi-tech 5-star Shenzhen hotel

PUBLISHED : Tuesday, 29 July, 2014, 3:28am
UPDATED : Tuesday, 29 July, 2014, 2:22pm
 

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital "butler" app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel's more than 250 rooms.

"Hotels are particularly bad when it comes to security," Molina said. "[They're] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings".

With residential automation, Molina explained, most systems will be closed and encrypted. However, in hotels and airports "or any other space where a lot of people access the network", keeping the network secure is far more difficult.

Molina said the KNX automation system the hotel used was also insecure, which made the hack easier.

"I'm an ethical hacker, if you can say that," Molina said, explaining why he didn't immediately plunge the entire hotel into darkness or switch every television to the same channel. Instead, he stood in the corridor and triggered the do-not-disturb lights, "so I knew I was able to control the room and everything inside".

Molina reported the problem to hotel management, which disabled the entire network while they sought a more secure automation solution. Molina said he hoped the hack, and the attention it had received, would lead to more hotels improving their security systems.

Joost Demarest, a spokesman for the KNX Association, said the most recent version of the standard did feature authentication and encryption and that it was "essential that separate Wi-fi networks are used" for the purposes of guest internet access and automation.

In a statement, St Regis Shenzhen said it had "temporarily suspended the control system of the in-room iPad remote controls for system upgrading".

The hotel described Molina's claim that he took control of the automation system as "unsubstantiated".

Molina will present his findings at the Black Hat Briefings cybersecurity conference in Las Vegas next month.

"The hotel industry needs to wake up when it comes to security," he said of the risk posed to guests by open hotel Wi-fi networks.

"People think that they go to these portals and put in their room number and last name and then you access the internet," but anyone connected to the Wi-fi, even non-guests "can still see you, because we're on the same network".

Security experts have long warned of the dangers of public Wi-fi.

"We have seen an increase in the misuse of Wi-fi in order to steal information, identity or passwords and money from users who use public or insecure Wi-fi connections," Troels Oerting, head of pan-European police force Europol's cybercrime centre, told the BBC in March.


This article is now closed to comments

syn
I would just like to let my wife know that all of the twenty-three adult movies that were ordered on the TV and the very large order for mixed seafood platters were all the fault of this dastardly hacker and were not me. Thank you.
jeromechaussard
The problem is that sometimes companies let this kind of new technology device be developed by people who don't know what to do. There are not yet any good practices for this, even if we think so. Think better, and try to do the development with people who know... And in this field, knowledge is better than diplomas.
zvichadashote
Because of the overuse of the Internet and powerful wireless technologies, our entire lives are open to hacking. Either live in a lead-enclosed structure and never communicate with anyone, or get used to it that privacy no longer exists in our brave new world.
TigerJ
Oh Marcus, you really know China well... NOT
Carparklee
Wow, this report reminds me of scenes in movies like Die-Hard or Mission Impossible 4.
Marcus T Anthony
I bet the hacker went for the massage room first...
