back to article Cracker takes control of 200 rooms in Chinese hotel

A security consultant staying in the St Regis hotel in the Chinese city of Shenzhen got bored one night and successfully commandeered the controls of 200 rooms thanks to an insecure automation protocol. Jesus Molina, a former chair of the Trusted Computing Group and independent security consultant, was staying in the hotel and …

  1. Anonymous Coward
    Anonymous Coward

    Wait, what?

    Are we to believe this highly motivated supergeek cracked open a hotel's furniture control system, thru a found iPad no less, and DIDN'T use this new power to have a little fun, before informing hotel staff? Yeah right.

    1. big_D Silver badge

      Re: Wait, what?

      While waiting for his 4th room move, he stood outside and plugged the lighting script into iTunes and watched the pretty patterns on the front of the hotel.

    2. Anonymous Coward
      Anonymous Coward

      Re: Wait, what?

      Power? He's lucky he wasn't tossed in the clinker.

  2. Gene Cash Silver badge

    That's RACIST!

    Over here "cracker" is a very racist term...

    What's that, Mr. Clarkson? Yes, I'll go along quietly...

    1. Lionel Baden

      Re: That's RACIST!

      Upvote & Beer :D

    2. Hud Dunlap
      Thumb Up

      Re: That's RACIST!

      Very common term in Florida.

  3. frank ly

    An interesting application

    It might be interesting to remotely open all the blinds of the hotel across the road.

    1. Anonymous Coward
      Anonymous Coward

      Re: An interesting application

      If you opened my blinds while I was parading around my room in the buff you might wish you hadn't...

      1. Mark 85

        Re: An interesting application

        But for every 50 like you and the rest of us lot.. there's probably one window that would make it all worthwhile.

  4. Amorous Cowherder

    The lesson to be learned here...

    Don't let techies get bored in hotel rooms 'cos we'll seriously bugger up your, ermm, blinds!

    1. qwertyuiop

      Re: The lesson to be learned here...

      OK... so you get your kicks by buggering the blinds... Each to their own. I'm not judging you, it just wouldn't do it for me!

  5. Anonymous Coward
    Anonymous Coward

    A certain...

    Hotel I stayed at in Hong Kong has a flaw in its network.

    Each room has its own TP link wifi router set to have the same password in each room.

    The IP addresses correspond to the floor and room number and DHCP is done on the wifi routers. Too easy to do a MITM attack there.

    I also found a passwordless router in a resort on Koh Jum in Thailand...

    Its common practice to have poor security in the far east.

    1. Anonymous Coward
      Anonymous Coward

      Re: A certain...

      Many (most?) WiFi hotspots throughout the world don't require a password, before WiFi people plugged directly in to the hotel guest network with a cable. All public networks whether they have a password protected router or not should be considered unsecure, that is why we have SSL and the like (although el Reg still chooses not to allow logins via HTTPS for some bizarre reason!).

      Not sure why that is particularly poor security and why it is considered to only be applicable to the "far east". Would you suggest that each user is issued a client side certificate that is created by a third party trusted entity every time someone checks in?

    2. AndyS

      Re: A certain...

      Let's not limit this to the far East. I stayed in a boutique hotel in Geneva, and the internet was down. I reported it, and they said the IT guy would be in later. So I had a poke around at, logged in with the old gem of 'admin/admin', and reset the router. Hey presto, working wifi throughout the hotel.

      1. Stretch

        Re: A certain...

        You're a fool. You should have whitelisted your mac and turned it off for everyone else.

  6. Lionel Baden


    Is Windows Blinds available on the iPad then ?

  7. Destroy All Monsters Silver badge
    Thumb Up

    I saw that trick in a movie with CIndy Crawford.

  8. Anonymous Coward
    Anonymous Coward

    Try reading the standard...

    The KNXnet/IP standard document does have a section on security considerations and suggests that access to networks carrying KNXnet/IP packets should be restricted. The standard document makes some laughable conclusions:

    "It is quite unlikely that legitimate users of a network would have the means to intercept, decipher, and then tamper with the KNXnet/IP without excessive study of the KNX Specifications. Thus the remaining security threat is considered to be very low and does not justify mandating encryption, which would require considerable computing resources." (KNX standard document 3.8.1, section 4.4)

    The KNX system essentially connects devices (e.g. blind actuators, dimmers, heating, air conditioning etc.) together using a low speed, powered serial bus. This twisted pair network can be connected to Ethernet via a gateway device - which simply translates KNXnet/IP packets into corresponding packets on the twisted pair medium. Gateways (depending on manufacturer) have limited functions to restrict access - however, to avoid this hotel's situation from arising, you'd need one gateway per room, and isolated KNX segments. There is no scope for authentication, nor blocking access to only certain devices.

    The hotel's implementation is flawed - as KNX can't authenticate clients nor stop data from being injected maliciously, another layer needs to be added to this kind of control system, for instance exposing certain functions via an authenticated web interface.

    1. Stoneshop

      Re: Try reading the standard...

      Gateways (depending on manufacturer) have limited functions to restrict access - however, to avoid this hotel's situation from arising, you'd need one gateway per room, and isolated KNX segments.

      What I read from his story is that the hotel indeed has one gateway per room, or a device that emulates one and does some IP address to KNX address mapping. Note that he changes the last octet of the transmitted IP address to control another room. That means he's communicating with another gateway device, which apparently has the same range of KNX addresses behind it..

      For a 200-room hotel a single gateway would be sufficient, even at 8 KNX addresses for sensors and actors per room If they want a bit more flexibility, and a setup usable across hotels of several sizes with up to several hundred rooms per floor, one gateway per floor would still be fine. In which cases the control app on the iPad takes its range of KNX devices to be controlled from the IP address associated with the room. Without further security lockdown both cases would still be open to the kind of hacking as was demonstrated here, though, but now requiring modifying the target KNX address instead of the IP address.

      In the case at hand, the hotel would need to start using VLANs so that the room's KNX gateway can only be seen from that particular room's access point, or the dedicated iPad.

      1. Anonymous Coward
        Anonymous Coward

        Re: Try reading the standard...

        Trust me - there would only be a handful of gateway devices for the whole hotel - each covering a number of rooms. They're simply too expensive to deploy for each room. If you wanted a physically isolated KNX network in each room, you'd need to add a power supply as well - again, the cheapest start at about £250.

        KNX addressing works on the basis of individual and group addresses. For instance, each device will have an individual address, for instance 1.3.112. This is a 16-bit value on the network. A group address (e.g. 2/0/11) is assigned to each function - e.g. blind up/down, temperature reading, light level etc. - and is again a 16-bit value. Installers are encouraged to allocate these numbers logically - for instance sequentially on each floor. The configuration tool (ETS) even does this for you. So to guess the address of a different function, you simply need to change the address in the packet - chances are you'll find something useful.

        What is really missing here is a communication gateway using well-understood security techniques. Instead of exposing KNXnet/IP to the masses, it would be much better to have (for instance) a web services gateway that employs user authentication and access control. KNX can never be secure - so why not use standard IT techniques to protect it?

        1. Stoneshop

          Re: Try reading the standard...

          KNX addressing works on the basis of individual and group addresses

          I know. I'm using KNX at home.

          If you wanted a physically isolated KNX network in each room, you'd need to add a power supply as well

          Nope. You need one humongous power supply (or a couple), and a set of chokes for each physical segment.

          . So to guess the address of a different function, you simply need to change the address in the packet

          Read the article. He changed the IP address he was communicating with, but maybe this has been mangled in the article.

  9. Anonymous Coward
    Paris Hilton

    Just as long as he didn't commandeer the vibrating beds!

    Because that would start a lot of "Jeez, dear. I'm not in the mood." conversations....

  10. david 12 Silver badge

    "Claims to be an open standard"

    That is an unjustified slur.

    Standards are expensive to buy. I wouldn't pay E1000 for the set of standards either, I'd just download some of the Open Source KNX software, but that doesn't mean that I think E1000 is unusual for an Open Standard: it just means that I already know that any ISO/IEC set of standards is 95% self-referential administrative overhead, and 5% incomprehensible.

  11. Fuh Quit
    Big Brother

    The Internet of Things is here!

    I would have been crying with laughter if I was him. Actually, maybe that's why he got the stern talking to from the manager.....for disturbing his neighbours each time he was moved :D

    It's also probably on the NSA list....we should ask Ed....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like