Hacker takes control of hundreds of rooms in hi-tech 5-star Shenzhen hotel
A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.
Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital "butler" app to control features of the room including the thermostat, lights, and television.
Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.
After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel's more than 250 rooms.
"Hotels are particularly bad when it comes to security," Molina said. "[They're] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings".
With residential automation, Molina explained, most systems will be closed and encrypted. However, in hotels and airports "or any other space where a lot of people access the network", keeping the network secure is far more difficult.
Molina said the KNX automation system the hotel used was also insecure, which made the hack easier.
"I'm an ethical hacker, if you can say that," Molina said, explaining why he didn't immediately plunge the entire hotel into darkness or switch every television to the same channel. Instead, he stood in the corridor and triggered the do-not-disturb lights, "so I knew I was able to control the room and everything inside".
Molina reported the problem to hotel management, which disabled the entire network while they sought a more secure automation solution. Molina said he hoped the hack, and the attention it had received, would lead to more hotels improving their security systems.
Joost Demarest, a spokesman for the KNX Association, said the most recent version of the standard did feature authentication and encryption and that it was "essential that separate Wi-fi networks are used" for the purposes of guest internet access and automation.
In a statement, St Regis Shenzhen said it had "temporarily suspended the control system of the in-room iPad remote controls for system upgrading".
The hotel described Molina's claim that he took control of the automation system as "unsubstantiated".
Molina will present his findings at the Black Hat Briefings cybersecurity conference in Las Vegas next month.
"The hotel industry needs to wake up when it comes to security," he said of the risk posed to guests by open hotel Wi-fi networks.
"People think that they go to these portals and put in their room number and last name and then you access the internet," but anyone connected to the Wi-fi, even non-guests "can still see you, because we're on the same network".
Security experts have long warned of the dangers of public Wi-fi.
"We have seen an increase in the misuse of Wi-fi in order to steal information, identity or passwords and money from users who use public or insecure Wi-fi connections," Troels Oerting, head of pan-European police force Europol's cybercrime centre, told the BBC in March.