A Hacker Games the Hotel

Wired News: By Kim Zetter: "A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests' names and their room numbers from the billing system.

It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it.

Adam Laurie, technical director of the London security and networking firm The Bunker showed Wired News how he conducted such attacks at hotels around the world before he was to speak about the vulnerability Saturday at the DefCon hacker conference in Las Vegas.

Laurie is known as Major Malfunction in the hacker community. He also revealed how infrared used for garage door openers and car-door locks could be hacked, using simple brute force programming techniques to decipher the code that opens the doors.

"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it)…. If the system was designed properly, I shouldn't be able to do what I can do."

Ifrared is used in vending machines, scrolling LED public display signs, air conditioning systems, hotel minibars, robotic toys and home automation systems that control lighting and air conditioning from a console.

But hotel TV systems are the most serious target from a privacy standpoint because they are connected to databases that contain information about guests.

Laurie said the vulnerability lies with how hotels have implemented the backend of infrared systems, placing control of the system at the user end, where the TV is located, rather than at the server end with administrators.

Laurie found that the backend systems in many hotels around the world don't have password protection or other authentication schemes to prevent unauthorized users from gaining access to them through the TV. And they fail to use encryption to protect data as it's transferred and stored.

The only hardware an intruder needs is a laptop running Linux, an infrared transmitter and a USB TV tuner. Laurie said the attack can also be performed using the infrared port built into many laptops.

Plugging the TV into the tuner, which is the size of a laptop power pack, and the tuner into his laptop, Laurie is able to use his laptop to pick up content through hotel TVs that the backend system is broadcasting but not currently displaying on the TV.

"It's the same as tuning your TV to multiple channels," Laurie said. "(When you're looking at one channel) the signal (for other channels) is always there, but you're only currently looking at one part of the spectrum." You don't see what's broadcasting on the other channels until you tune into them.

Laurie first discovered the vulnerability when he was "mucking about with hotel TVs to get the porn channel without paying for it." He was able to bypass TV billing menus by using his laptop to tune in to the premium content being broadcast from backend systems. He didn't have to pay for the content, because the systems didn't know he was watching it.

Additionally, he could use hidden codes that transmitted from the remote-control device to the TV through infrared to control functions in the system. But finding those codes and determining what function each controlled wasn't easy. It could take hours to decipher the more than 16,000 possible codes a TV remote uses.

But Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack. Laurie doesn't plan to release the program.

Then he wrote a script that spit out codes to a TV to see what happened. Within an hour and a half, he had a list of codes that controlled things such as billing for the minibar and the room-cleaning status reports -- a menu maids use to report when they've finished cleaning a room. Laurie could alter the reports with little effort.

In some hotels, the front desk can lock and unlock the minibar remotely, or maids can do it using a remote and an infrared receiver on the front of the bar. Laurie found he could do it, too. One day at a Holiday Inn, he accidentally locked the minibar while he was trying to find the commands that controlled it.

"Unfortunately, I did it before I got that beer out!" he said, pointing to a slide showing a can of suds taunting him through the minibar's glass door. "That was motivation to find the other half of that code (to open it)."

He found he could also change filtering on the TV to block certain content or unblock other content. But one of the most serious vulnerabilities he found was in the billing system. Hotel guests can use their TV to check their account balance. The bill is tied to the room number, which in turn has a unique address that's assigned to the TV.

Laurie could view the bills of other guests and see their room numbers simply by going to a menu that displayed the address of the TV in his room and changing a number in the address to make the TV think it was in a different room.

"If I change that address -- it was A161 and I've now changed it to A162 -- I'm now looking at the bill of the guy next door," he said.

If he wanted to know the names and room numbers of all the guests in a hotel, he could automate the process by writing a simple script to call up sequential TV addresses, then set a video camera on a tripod in front of the TV to capture the bills as they came up.

"That tells me who's in there, who's sharing (the room) with who and what they've been doing," he said. This sort of hack would be useful to any number of people, including paparazzi stalking celebrities and private detectives hired by spouses.

"Why would they connect (the TV) to a billing system?" Laurie asked. "Because they don't think. As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending you confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing."

Laurie could view certain activities of other guests by tuning to other channels or by scanning through all possible channels in the system. That's because when a guest purchases premium content or TV internet access, the hotel system assigns a channel to the guest's room through which to deliver the service. All Laurie had to do was surf the channels.

He produced a slide of his TV screen showing another hotel guest sifting through business proposals in his e-mail.

"He's happily typing away in his room thinking he's privately viewing his e-mail," Laurie said. "But I could be anywhere else in the building watching what's going on (from) the TV. If I was a business rival staying in the same hotel at a conference, I could do a little corporate espionage. I see the (bid) proposal he's putting in and I could go in and put one in that's 10 bucks cheaper."

He could also distract the guest with a call while he's still logged into his account, and take over his desktop while he's not looking.

"I'm now controlling the account that he's logged into," he said. "I'm just being him for the moment."

Laurie has been testing infrared systems for two years and said every time he breaks into a new system he finds a new feature -- something he didn't initially think he could do through the remote, which he can now do.

"There's (still) a whole bunch of data (in these systems) that I don't know what it means, but I know where the manufacturers' programming manuals are, so I can go and download them and figure it out," he said.

Many hotels use the same systems. Laurie said he's seen only three or four different backend systems and only two front-end systems for the most part -- TVs made either by Phillips or Loewe. This means he doesn't have to repeat the research at each hotel.

Laurie can also use the television as a backdoor to the network. Surfing through channels with his laptop one day, he suddenly found himself viewing the desktop of a backend computer. He discovered that he could control the cursor on the desktop to maneuver through the master control panel. He could also click icons on the desktop and launch applications.

With all of these vulnerabilities, it might seem possible to upload malicious code into a backend system through the infrared as well. Laurie hasn't tried it yet. "