Here's How Easy It Could Be for Hackers to Control Your Hotel Room

A view of the St. Regis Shenzhen hotel. (St. Regis)

Shenzhen is the Silicon Valley of mainland China. Situated about 50 minutes north of Hong Kong, the modern city is home to the Shenzhen Stock Exchange and numerous high-tech giants and startups.

So naturally, the city's five-star hotels regularly host wealthy moguls in their luxury rooms. Last year, one of those hotels also hosted a hacker from Spain who discovered that he could seize control of the wealthy guests' highly automated rooms.

Jesus Molina, who was staying at the St. Regis Shenzhen hotel, found that he could easily take control of the thermostats, lights, TVs and window blinds in all of the hotel's 250-plus rooms, as well as alter the electronic "Do Not Disturb" lights outside each door---all from the comfort of his luxurious bed.

He'll be presenting his findings at the Black Hat security conference in August.

The Vulnerability

The St. Regis supplies every guest with an iPad and digital "butler" application to control the features in their room. Molina, a native Spaniard who works as an independent security consultant in the U.S., found that the system uses an insecure protocol and configuration. It allows anyone to sniff commands as they cross the wireless network and replay them at will---to any connected device in the hotel.

"Guests make assumptions that the channel they are using to control devices in their room is secure," Molina says. But it's not.

The hack is possible due to vulnerabilities in an old communications protocol the hotel uses. Known as KNX, it is designed to be used on wired networks, but since the St. Regis wants to afford its guests wireless control of their conveniences, that's not how it's using the protocol. This is a problem because KNX communication isn't encrypted or authenticated. "The KNX/IP protocol provides no security," says Molina, "so any hotel or public space that have deployed it on an insecure network will make it easy to exploit."

The problem is exacerbated by the fact that the St. Regis uses the same open wireless network to send these commands that guests use to surf the internet, making it easy for guests---or anyone else within wireless range---to sniff the traffic and record the commands. "I didn't have to be in the hotel to do what I did," says Molina. "I could have done it from anywhere. I could use a very big antenna from the next building."

Molina could likely carry out the same attack if KNX were running over a wired network, as long as he was able to get onto that network, because the same lack of authentication and encryption applies. The protocol, he says, is commonly used in hotels and other places in Europe. He's also aware of at least two hotels in the U.S. that offer guests iPads to control devices in their rooms, though he's not sure if they use KNX for communication. "Other hotels that have the systems have probably committed the same problem, because most of them have this same wireless connection," he says. "I believe most of them will all be accessible."

The issue, however, goes beyond just the protocol and the use of an open wireless network. The St. Regis also didn't authenticate the iPads in any way, so a hacker could install the butler application on his own laptop and use it to send commands to the devices in that room. With a little more work, he could write a program to control the devices in other rooms from his laptop.

The hacker could also control devices from outside China by installing a Trojan horse on one of the hotel iPads that caused it to connect to him through the internet. Then, using the iPad as a proxy, he could send remote commands to devices in the room. "I could be in Berlin and the iPad could make me able to switch on the lights in the hotel at 3am from there," he says.

Or he could simply install malicious code on the iPads to control the lights and TV at random times, after he's long gone from the hotel, without needing to connect remotely.

The Hack

To gain control of the systems in other rooms, an attacker would have to obtain the address for each device in each room. But this took Molina only a day or so. The protocol uses a KNX address consisting of just three numbers to talk to each device, and at least at the St. Regis, the addresses turned out to be sequential based on the rooms.

The Presidential suite of the St. Regis Shenzhen hotel. (St. Regis)

The IP addresses for each device were also sequential, and after researching the setup in just four rooms, he was able to infer the addresses for each device in every guest room. He could easily have written a script to control multiple devices at once. "I could have changed every channel in every room so everybody could watch soccer with me," he says, "but I didn't."
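From the operator's side, the same predictable addressing makes it possible to state which controller should write to which addresses and to alert on anything else. The sketch below is an added example, not code from Molina or the hotel: it decodes three-level KNX group addresses and audits constructed write events. It assumes commands target group addresses, that each controller IP belongs to one room, and that the last address field is the room number.

```python
from collections import defaultdict

def encode_ga(main, middle, sub):
    """Pack a 3-level KNX group address (5/3/8 bits) into its 16-bit form."""
    return ((main & 0x1F) << 11) | ((middle & 0x07) << 8) | (sub & 0xFF)

def decode_ga(raw):
    """Unpack a 16-bit KNX group address into (main, middle, sub)."""
    return (raw >> 11) & 0x1F, (raw >> 8) & 0x07, raw & 0xFF

# Assumed inventory (constructed): one controller IP per room.
CONTROLLER_ROOM = {"10.0.1.11": 11, "10.0.1.12": 12, "10.0.1.13": 13}

def room_of(raw):
    # Hypothetical site convention: the sub field is the room number.
    return decode_ga(raw)[2]

def audit(events, max_rooms=1):
    """Audit observed writes given as (timestamp, src_ip, raw_group_address).

    Returns (alerts, sweepers): per-event policy violations, and sources that
    wrote to more than max_rooms distinct rooms.
    """
    alerts, rooms_by_src = [], defaultdict(set)
    for ts, src, raw in events:
        room = room_of(raw)
        rooms_by_src[src].add(room)
        addr = "/".join(str(n) for n in decode_ga(raw))
        expected = CONTROLLER_ROOM.get(src)
        if expected is None:
            alerts.append((ts, src, "unknown-controller", addr))
        elif expected != room:
            alerts.append((ts, src, "cross-room-write", addr))
    sweepers = sorted(s for s, r in rooms_by_src.items() if len(r) > max_rooms)
    return alerts, sweepers

# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    (0, "10.0.1.11", encode_ga(1, 0, 11)),   # room 11 controller, own room
    (5, "10.0.1.12", encode_ga(1, 0, 12)),   # room 12 controller, own room
    (9, "10.0.1.99", encode_ga(1, 0, 11)),   # source not in the inventory
    (12, "10.0.1.13", encode_ga(1, 0, 11)),  # room 13 controller, room 11
    (13, "10.0.1.13", encode_ga(1, 0, 12)),  # room 13 controller, room 12
    (14, "10.0.1.13", encode_ga(1, 0, 13)),  # room 13 controller, own room
]

if __name__ == "__main__":
    found, multi = audit(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("multi-room sources:", multi)
```

Because KNX/IP traffic carries no authentication, a source IP on a shared network can be forged, so this kind of audit is a monitoring aid alongside network separation, not a substitute for it.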

He did, however, cause the "Do Not Disturb" lights outside the rooms on his floor to blink like a heartbeat.

Molina found the security problems by chance, while staying at the hotel last year on a business trip for a Chinese firm. He got curious about the iPad in his room and decided to record its traffic. Initially, he did nothing with the data, but when he returned to the St. Regis earlier this year, he decided to see what he could find.

He stayed in four different rooms---asking hotel staff to move him three times because he said he didn't like the rooms---and examined the systems over two days. He also wandered the hotel with a couple of antennas in his bag to record the commands coming from iPads in other rooms.

He suspects the system might have controlled other things outside the guest rooms, such as lighting on the hotel grounds. That's because in his research, he uncovered a number of mysterious device addresses that didn't seem to belong to any guest rooms. He decided to limit his testing, however, since he didn't want to frighten guests or get a visit from Chinese authorities.

A half hour after he sent commands to one of the mysterious addresses to see if it might disable his door lock, someone knocked on his door. "My heart was racing, I thought they were coming for me," he says. It turned out to be a staffer asking if he had any laundry to clean. "I may have set off the laundry button."

The Fix

Molina reported the problems to the hotel's chief security officer, who acknowledged the issues existed and has been working diligently to fix them. It isn't an easy task. "They have to take down the whole system," Molina says. "They have to rewire everything and redo the information of every room. It's not a bad thing that they did it wrong. At least they have been very open to fix all the problems."

He is not sure how far the problem extends at the St. Regis beyond the devices he was able to control. The hotel assured him the digital butler doesn't control the room locks, and he found nothing so far to indicate it does. He's also not sure if the same issue exists at other hotels in the chain. The St. Regis is owned by the Starwood chain, but the CSO told Molina not all the hotels use the same system for guests.

The problem doesn't end in fancy hotel rooms, though: The insecure KNX protocol is increasingly being used for home automation systems as well. "People are reusing protocols that are not meant for the Internet of Things," Molina says. "Using protocols like KNX for home automation makes no sense for wireless. This guerrilla war we're playing with the Internet of Things can get dangerous. This is not something I say lightly."