Tencent engineer slapped with fine for hacking hotel Wi-fi in Singapore

PUBLISHED : Wednesday, 26 September, 2018, 8:02pm
UPDATED : Thursday, 27 September, 2018, 8:14am

The State Courts of Singapore have slapped an engineer of Chinese internet giant Tencent Holdings with a S$5,000 (US$3,663) fine for hacking into a hotel’s Wi-fi server during his stay in the city state last month.

Zheng Dutao, 23, was handed the fine on Monday, in lieu of a 25-day prison sentence, for hacking into the Wi-fi system of a branch of the Fragrance Hotel chain where he stayed.

He pleaded guilty to one count of intentionally disclosing a password providing unauthorised access to data belonging to the budget hotel chain, according to a report by Yahoo News.

A fresh graduate, Zheng visited Singapore to attend a security conference and competition called HITB GSEC, held from August 27 to 31, as an individual participant, according to a statement from Tencent. The Shenzhen-based company did not provide the current employment status of Zheng.

The investigation found that Zheng arrived on August 27 and checked into the Fragrance Hotel’s branch in Singapore’s Bugis shopping district.

The following day, Zheng said he looked to find possible vulnerabilities in his hotel’s Wi-fi system “out of curiosity”. Using Google search, he successfully found the hotel Wi-fi system’s default user identification and password.

After connecting to that system, Zheng executed scripts, decrypted files and cracked passwords over the next three days before gaining access to the database of the hotel’s Wi-fi server, according to Yahoo News. He also tried to access the Wi-fi server of Fragrance Hotel’s branch in the city’s Little India district, but failed.

Zheng posted the steps he performed to successfully hack that server on his personal blog, in which he made the passwords public without authorisation from the hotel. He also shared the blog post in a WhatsApp group chat.

The Cyber Security Agency of Singapore (CSA) discovered the blog post and notified the hotel’s management. CSA also asked Zheng to take down the post, which he did.

The hotel reported the hack to the police on September 1, according to Yahoo News. It said Zheng had been blogging about server vulnerabilities since 2014, but his blog post from Singapore was the first time he documented a vulnerability that he discovered.

At Zheng’s court hearing, his lawyer Anand Nalachandran said no actual harm was caused to the hotel. He asked the court to impose a fine of no more than S$5,000, taking into account that Zheng had been held in custody for several days, according to the report.

Under Singapore’s Computer Misuse Act, the maximum punishment for the offence of unauthorised disclosure of passwords involves a S$10,000 fine and three years in prison.

Nalachandran did not immediately respond to a request for further comment about Zheng’s case.

The deputy public prosecutor for the case, Thiagesh Sukumaran, said Zheng appeared to have committed the offence out of curiosity, Yahoo News reported. While no “tangible harm” was caused, he said Zheng knew, as a security professional, that the vulnerability he posted on his blog could be “exploited by others for wrongful purposes”. He also asked the court for a fine of S$5,000.

The hotel hacking incident has received wide public attention in both Singapore and China amid a recent security breach at New York-listed Huazhu Hotels Group, which owns more than 10 hotel brands and manages more than 3,800 hotels across 382 mainland cities.

An investigation by Shanghai police resulted in the arrest of a suspect in the attempted sale last month of the personal data of about 130 million Huazhu clients via a Dark Web forum, where the asking price was 8 bitcoin or about US$56,000.

Singapore has also been hit by a series of cyberattacks on companies and public agencies. The city’s government said in July that 1.5 million health records were breached in an incident that occurred from June 27 to July 4, which repeatedly targeted the health records of Singapore Prime Minister Lee Hsien Loong.

Cyberattacks on companies in Singapore last year resulted in US$17.7 billion worth of economic damage, according to estimates by Frost & Sullivan in a study commissioned by Microsoft. That figure would account for six per cent of the city’s gross domestic product.