Vulnerability could lead to data leak in a hotel
Date: August 02, 2005
Source: Wired News
A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests' names and their room numbers from the billing system.
It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it.
Adam Laurie, technical director of the London security and networking firm The Bunker, showed Wired News how he conducted such attacks at hotels around the world before he was to speak about the vulnerability Saturday at the DefCon hacker conference in Las Vegas.
Laurie is known as Major Malfunction in the hacker community. He also revealed how infrared used for garage door openers and car-door locks could be hacked, using simple brute force programming techniques to decipher the code that opens the doors.
"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it)…. If the system was designed properly, I shouldn't be able to do what I can do."
Infrared is used in vending machines, scrolling LED public display signs, air conditioning systems, hotel minibars, robotic toys and home automation systems that control lighting and air conditioning from a console.
But hotel TV systems are the most serious target from a privacy standpoint because they are connected to databases that contain information about guests.
Laurie said the vulnerability lies with how hotels have implemented the backend of infrared systems, placing control of the system at the user end, where the TV is located, rather than at the server end with administrators.
Laurie found that the backend systems in many hotels around the world don't have password protection or other authentication schemes to prevent unauthorized users from gaining access to them through the TV. And they fail to use encryption to protect data as it's transferred and stored.
The only hardware an intruder needs is a laptop running Linux, an infrared transmitter and a USB TV tuner. Laurie said the attack can also be performed using the infrared port built into many laptops.