Hotel light control hack illuminates lamentable state of IoT security

An attendee at the KubeCon Kubernetes conference in London has exposed a serious lack of network security in the hotel where he was staying. Matthew Garrett, a security researcher for CoreOS and a board member of the Free Software Foundation, was in his hotel when he noticed the establishment had replaced the light switches …

  1. Roq D. Kasba

    Toys

    Being able to control lights from a tablet in your room is just toys for the sake of toys. You're in the same room as the light you're controlling, and bedside switches actually work perfectly well; having a powerful microprocessor wasting clock cycles to turn lights off and on is just wasteful.

    Worse, though, is that if they used generic devices, those devices have other sensors, including microphones and cameras, potentially. Maybe these ones didn't, but you can bet some will, and still have a poorly configured network.

    And finally, if I go into a hotel freshly refurbished with toys, they'll mostly work and be mere chrome. If I go into one that's coming up for a refit, those toys will be embarrassing - what was once cutting edge bluntens rapidly. I had a room the other day which had an SD TV system which also offered a wireless infrared keyboard for using the built-in browser which couldn't cope with being a TV, let alone a web client. Right now, I'm in a pretty decent room, technically with a view of Westminster Palace, the desk had evidence of once housing a SCART interface, and I've got a CD alarm clock, presumably for the one guest in a million who brings their own CDs to a hotel. It would have been a nice touch a decade ago, but tech dates so fast that I'm more impressed by seeing the centuries-old top few feet of Big Ben than what would have been an achingly hip refurb some years ago.

    1. Gavin King
      Headmaster

      Re: Toys

      I agree with everything you've said, except that Big Ben (the bell) was only cast in 1858, and the building was finished somewhat after that (as far as I can tell).

      1. Roq D. Kasba

        Re: Toys

        Yes, actually I'm aware it's Gothic revival architecture, but for the sake of narrative flow, I made the choice to simplify ;-)

    2. aberglas

      Re: Toys

      " having a powerful microprocessor wasting clock cycles to turn lights off and on is just wasteful."

      Nonsense. The computer can record when you have lights on and off, and which ones, which it correlates with the door opening and closing. This can provide detailed insights into your habits and preferences. The data could even tell Walmart when your lady will be pregnant. Data is money.

      (On that Walmart/pregnancy bit, why did Walmart not just ask the checkout operators to look at women's tummies rather than needing all the clever data analysis!)

      1. Michael Wojcik Silver badge

        Re: Toys

        On that Walmart/pregnancy bit, why did Walmart not just ask the checkout operators to look at women's tummies rather than needing all the clever data analysis!

        If you're referring to this, it was Target, not Walmart; and the shopping in question may well have been online.

        More importantly, perhaps, it may not have happened at all. The story comes from an anecdote told by Andrew Pole, one of Target's data scientists, and has not been corroborated, as far as I can tell.

        It's not that it would be particularly difficult to do this, from a machine learning / predictive analytics perspective; it's just that it's probably not a particularly effective tactic. See this for more information.

  2. Anonymous Coward
    Anonymous Coward

    Let there be light!

    Well, the guy's name was Jesus!

    1. TonyJ

      Re: Let there be light!

      "...Let there be light!

      Well, the guy's name was Jesus!..."

      To be fair, I think credit there goes to his dad for that statement. 6,000 years ago or something?

      1. Steve Aubrey

        Re: Let there be light!

        Colossians 1:15-16a

        He [Jesus] is the image of the invisible God, the firstborn over all creation. For by Him were all things created . . .

        Jesus FTW!!

  3. Anonymous Coward
    Anonymous Coward

    el reg FUD machine in full gear

    This has nothing to do with IoT. This is a common issue when people design systems that are meant to be isolated: "nothing except our devices are going to be talking on this network so we don't need to worry about client authentication, tampering etc".

    Hint guys the I in IoT stands for "internet" which is that network you can download porn etc from outside of your own house and not the network you use to transfer porn to and from your NAS or whatever. If you had taken a few moments before winding up the FUD machine you would have noticed that the IP addresses he was messing with aren't on the internet.

    1. Pompous Git Silver badge

      Re: el reg FUD machine in full gear

      Hint guys the I in IoT stands for "internet" which is that network you can download porn etc from outside of your own house and not the network you use to transfer porn to and from your NAS or whatever.

      That's news to me. When I learnt my TCP/IP the hotel's network was referred to as an internet. The Internet (note the capital I) was the network we used gopher and FTP and other exciting things on. Email and newsgroups also come to mind.

      1. Anonymous Coward
        Anonymous Coward

        Re: el reg FUD machine in full gear

        If a single network is called an internet what are multiple connected internets called? interinternets?

        1. Pompous Git Silver badge

          Re: el reg FUD machine in full gear

          what are multiple connected internets called?

          An internetwork.

          1. Anonymous Coward
            Anonymous Coward

            Re: el reg FUD machine in full gear

            So two LANs that are joined by a gateway are an internetwork of internets then?

        2. maffski

          Re: el reg FUD machine in full gear

          what are multiple connected internets called? interinternets?

          extrainternets

        3. Chemical Bob

          Re: el reg FUD machine in full gear

          "what are multiple connected internets called?"

          A tangled World Wide Web...

      2. DropBear
        Facepalm

        Re: el reg FUD machine in full gear

        ...I have this word stuck in my mind but I have no idea what it could possibly mean: "INTRAnet"...

      3. Alan Brown Silver badge

        Re: el reg FUD machine in full gear

        > That's news to me. When I learnt my TCP/IP the hotel's network was referred to as an internet.

        Correct

        > The Internet (note the capital I) was the network we used gopher and FTP and other exciting things on

        Also correct.

        To add to the confusion, Amway referred to their MLM sca^Mheme as "internetworking" which led to all sorts of interesting snail mail coming to early internet service providers.

        1. no-one in particular

          Re: el reg FUD machine in full gear

          > > That's news to me. When I learnt my TCP/IP the hotel's network was referred to as an internet.

          > Correct

          The hotel's network is just a network (e.g. a LAN), surely, unless you can demonstrate that they've got, say, multiple LAN's with routing to supply the "inter" and make it an internet?

          1. Pompous Git Silver badge

            Re: el reg FUD machine in full gear

            surely, unless you can demonstrate that they've got, say, multiple LAN's with routing to supply the "inter" and make it an internet?

            Actually, I don't need to demonstrate anything. The training manual I had described the illustrated token ring network as "an internet", the inter part being the cabling between individual computers. Connecting different networks with bridges and gateways came later in the manual. Sadly I cannot recall the book's title and it was passed on to someone else at least 16-17 years ago. Clearly, Alan Brown recalls learning the same.

            The Internet was a very different place in those days although changing because of the web. Sadly, in many ways not for the better. Mind you, I was pretty excited when being trained over the web for my w95 certification. Scholars.com had only just been founded and my tutor (the owner of the business) used to sit at the edge of the lake in Canada where he lived with his feet in the water and a laptop. Happier days...

            1. Michael Wojcik Silver badge

              Re: el reg FUD machine in full gear

              The training manual I had described the illustrated token ring network as "an internet", the inter part being the cabling between individual computers.

              Then that manual was wrong, insofar as it was misusing a term of art.

              The distinction between a "network" and an "internet" of connected networks was rather muddled at least through the late 1970s, at least in the ARPANET / NCP / IP world. (I haven't looked into whether proprietary networking schemes like SNA ever used the term "internet" in their official specifications.)

              However, as far back as Cerf's 1973 draft on an "International Transmission Protocol", we have clarifications such as this:

              Let us begin with the assumption that we want to interconnect several distinct, resource-sharing computer networks. Each of these networks connects together HOST computers whose resources can be shar[ed] among the users of the network. If we are to achieve a similar ability between HOSTS residing in different networks, we must find a w[a]y for a HOST in one network to reproduce, without alteration, a stream of messages originating [f]rom a HOST in another network. This is a primitive but essential necessity, and the mechanism we devise to do this will be called the International Transmission Protocol.

              This "International Transmission Protocol" eventually became IP, when IP was split apart from TCP. Before that, though, we have RFC 675 in 1974, which defines the "INTERNET TRANSMISSION CONTROL PROGRAM" in terms of an "INTERNETWORK PACKET". Again, the emphasis is on routing between networks; see the descriptions of gateways, etc, in the RFC.

              The distinction is enshrined in all the most-authoritative descriptions of TCP/IP networking, such as Tanenbaum's Computer Networks (see page 36 in the 2nd ed); Stevens' TCP/IP Illustrated (v 1, p 4); Comer's Internetworking with TCP/IP (v 1, pp 52-53); and Stallings' Data and Computer Communications (p 422).

              1. Pompous Git Silver badge

                Re: el reg FUD machine in full gear

                I often used WINS (Windows Internet Naming Service) for routing back in the 90s. It may have been "wrong", but it worked quite well. Out of curiosity, what did you use for NetBIOS name resolution?

    2. Eddy Ito
      Pirate

      Re: el reg FUD machine in full gear

      Why is this FUD? Because IPv4 addresses behind NAT are invulnerable?

  4. Pompous Git Silver badge
    Paris Hilton

    If the android was called Anita and the tech was silky smooth rather than cutting edge, I might be very interested indeed :-)

    1. Anonymous Coward
      Anonymous Coward

      Cutting edge android

      reminds me of Philip K Dick's Second Variety

    2. heyrick Silver badge

      Just don't try to hack Anita. Bad Things Happen.

  5. Steve Davies 3 Silver badge

    IoT - Idiots or Twats. You choose

    given the current state of it (Still an answer asking for a question IMHO) anyone deploying this is just asking to be hacked/pron'd/cloned/whatever.

    Security? What security.

    Come on let us know the name of the Hotel. Then we can avoid it. Not really as none of us tightwads can afford central London Hotel prices (£300+ per night).

    1. Voland's right hand Silver badge

      Re: IoT - Idiots or Twats. You choose

      Why avoid it. I would love to have a conference there.

      Just post the python code to mess with the system on the conference mailing list on the first day.

      Then sit back, relax, enjoy the show.

    2. Roq D. Kasba

      Re: IoT - Idiots or Twats. You choose

      £300+/night? You need a better travel agent. The achingly hip K West, for instance, is regularly available around the £130 including taxes mark, the Dorsett nearby is even less, including breakfast, both 4*. I've just paid £152 for a night at CQ on Trafalgar Square, and that's only because town is especially busy this week.

  6. chivo243 Silver badge

    Looks to me

    like a sales drone swooped in and talked to the luddite manager whose secretary does all of his "internet" stuff for him. The manager fell for the sales pitch hook, line and sinker. The company sent in their own guys to set up the system, and the onsite tech guys could probably care less as it's outsourced, and not their circus, not their monkeys...

  7. Anonymous Coward
    Anonymous Coward

    All that capability..

    .. and he didn't play Tetris?

    Honestly, what is happening to the hacker sense of humour?

    :)

    1. LesB

      Re: All that capability..

      Wish I could give you more than one upvote for that :)

    2. Darryl

      Re: All that capability..

      That's cool and all, but I still have a problem with plugging in a bunch of colour changing LEDs and sticking them in the windows being called 'hacking' the building.

      1. Captain DaFt

        Re: All that capability..

        From hackaday.com:

        "Hacking is an art form that uses something in a way in which it was not originally intended. This highly creative activity can be highly technical, simply clever, or both."

        1. Fred Flintstone Gold badge

          Re: All that capability..

          This highly creative activity can be highly technical, simply clever, or both.

          What I miss in there are words like "amusing" and "funny". Sometimes the very idea is mad enough to follow up - no extra motivation required.

  8. Anonymous Coward
    FAIL

    This is not by any means amongst the worst

    Follow #internetofshit and it's littered with pointless devices designed by morons.

    Take the wi-fi speakers that have no authentication. Stream your music to your neighbour's speakers at full volume at 3am. The company's answer? We have no plans to change the way it works, as it's open for simplicity.

    I kid you not.

    Let's not forget the TVs that do a 30 minute update in the middle of a program you are watching. How about the lightbulb holders that did a firmware update to force you to use their light bulbs? How about the microwave oven that doesn't work properly without a wi-fi signal (anyone see any issues when it decides to connect at 2.4GHz)....and on and on and on....

    1. chivo243 Silver badge

      Re: This is not by any means amongst the worst

      @Lost all faith...

      "anyone see any issues when it decides to connect at 2.4GHz"

      I'm no expert, but I play one on TV, if the microwave is working on 2.4 and trying to connect to 2.4, you might as well be boiling water in the microwave...

  9. allthecoolshortnamesweretaken

    Welcome

    to the wonderful world of Computer Aided Burglary!

  10. Alister

    what a missed opportunity:

    to hack a bit of code to send messages across the Hotel frontage by turning the lights on and off in sequence...

  11. djack

    Door Security Still an Issue

    I think that every hotel I've been in that has fitted 'new' contactless card door locks have been using Mifare Classic cards.

    These things have been known to be horribly and disastrously broken for the past ten years. It only takes a couple of minutes to discover the encryption keys on the card. From there it only takes a couple of seconds access to copy all the data off a 'master key' card issued to staff. Drop that data onto a blank card and you can access any room in the hotel.

    IMO any company still selling these (MiFare Classic - there are many other more secure options) as a security measure should be prosecuted under some form of fraud or gross negligence law.

    1. Roq D. Kasba

      Re: Door Security Still an Issue

      Yep MiFare Classic is OLD. And as good as free now, I bought 100 MiFare paper stickers for $7 delivered, just to play with.

  12. Anonymous Coward
    Anonymous Coward

    Jesus Molina

    Was always going to do something really cool... nominative determination and all that!

    1. Jimbo 6
      Coat

      Re: Jesus Molina

      I always wondered where the phrase "Holy Moli" came from.

  13. Anonymous Coward
    Anonymous Coward

    Modbus: old as the hills. Modbus/TCP's holes, almost as old.

    Modbus goes back to before local area networks were invented. Seriously.

    Some Modbus-over-TCP holes appear to be almost as old, e.g. this from 2004:

    http://www.theregister.co.uk/2004/10/08/cyber_threats_menace_factories/

    Learning from history is a good idea in general. Why doesn't the IT industry believe in it? Obviously new shiny is more interesting for marketeers and (most) developers than fixing new broken stuff. Maybe customers (and insurers) will catch on one day. Preferably before something goes seriously wrong and serious casualties occur.
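
Added example (not part of the comment thread, and not code from the article or the researcher): a passive monitor for the situation the commenters describe, a control network assumed to be isolated where Modbus/TCP requests carry no client authentication. It parses the MBAP header of each request and reports anything sent by a host outside an allowlist of approved controllers; the addresses, the allowlist and the sample frames are constructed for illustration.

```python
import struct

# Modbus function codes that change device state (public Modbus application protocol).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_request(payload: bytes):
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU.

    Returns (unit_id, function_code), or None if the frame is malformed.
    """
    if len(payload) < 8:  # MBAP header plus at least a function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id and the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def audit(frames, approved_clients):
    """Return (source, kind, unit, function) for every request worth an alert.

    Modbus/TCP has no client authentication, so the source address is the only
    identity available; treat it as a tripwire, not as proof of who sent it.
    """
    alerts = []
    for src, payload in frames:
        parsed = parse_request(payload)
        if parsed is None:
            alerts.append((src, "malformed", None, None))
            continue
        unit, function = parsed
        if src in approved_clients:
            continue
        kind = "write" if function in WRITE_FUNCTIONS else "read"
        alerts.append((src, kind, unit, function))
    return alerts

# Constructed sample traffic: (source address, TCP payload sent to port 502).
APPROVED = {"192.0.2.10"}  # hypothetical building controller
SAMPLE_FRAMES = [
    ("192.0.2.10", bytes.fromhex("000100000006010300000002")),  # controller reads registers
    ("192.0.2.10", bytes.fromhex("00020000000601050010ff00")),  # controller writes a coil
    ("192.0.2.57", bytes.fromhex("000400000006040100000008")),  # unapproved host reads coils
    ("192.0.2.57", bytes.fromhex("000300000006040500100000")),  # unapproved host writes a coil
    ("192.0.2.99", bytes.fromhex("00050000000901100000")),      # length field does not match
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, APPROVED):
        print(alert)
```

Alerting of this kind complements keeping the control network segmented from guest-facing ports; it does not replace it.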
