At a Black Hat 2014 session, one hacker revealed how he was able to control basic amenities in a luxury hotel – and why the hospitality industry must update its security policies to take into consideration Internet of Things threats.
On Wednesday afternoon, Jesus Molina, a San Francisco-based security consultant, detailed his findings at a talk called “Learn How to Control Every Room at a Luxury Hotel Remotely.”
While staying at the St. Regis Shenzhen five-star hotel in China on a business trip, Molina discovered that he could control devices in over 200 rooms. The devices were managed through an iPad app called “digital butler” that was available to all guests.
By reverse engineering an insecure home automation protocol called KNX/IP (which is used widely in China), Molina was able to switch on a light bulb in his own hotel suite. From there, he determined that other room features, like television control, the opening and closing of blinds, and temperature settings, were in danger of being commandeered, since an iPad was installed in each guest's room.
Molina revealed that it was easy enough to write a script for the remote control of numerous room devices, since device KNX addresses were associated with, or ran in sequence with, room IP addresses. In addition, the KNX automation system was insecure, sending traffic over an open wireless network.
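The same property that made the rooms scriptable, one client on the guest network reaching many rooms' devices, is something a network monitor can look for. The following is an added example, not code from Molina's talk or from the hotel's system: it validates the 6-byte KNXnet/IP header and flags any client that sends control frames to more than one gateway. The one-gateway-per-tablet baseline, the IP addresses and the capture records are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

# KNXnet/IP header: header length, protocol version, service type, total length.
KNXIP_HEADER = struct.Struct(">BBHH")
CONTROL_SERVICES = {0x0205: "CONNECT_REQUEST", 0x0420: "TUNNELING_REQUEST",
                    0x0530: "ROUTING_INDICATION"}

def parse_knxip(payload):
    """Return the service type of a well-formed KNXnet/IP frame, else None."""
    if len(payload) < KNXIP_HEADER.size:
        return None
    hdr_len, version, service, total_len = KNXIP_HEADER.unpack_from(payload)
    # KNXnet/IP 1.0 uses a fixed 6-byte header and version byte 0x10.
    if hdr_len != 0x06 or version != 0x10 or total_len != len(payload):
        return None
    return service

def fan_out_sources(packets, max_gateways=1):
    """Map each client that sent control frames to more than max_gateways
    distinct destinations to the sorted list of those destinations.
    Assumption: a room tablet normally talks to a single gateway."""
    seen = defaultdict(set)
    for src, dst, payload in packets:
        if parse_knxip(payload) in CONTROL_SERVICES:
            seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()
            if len(dsts) > max_gateways}

def frame(service, body=b"\x00" * 4):
    """Build a constructed frame with an opaque placeholder body (test data only)."""
    total = KNXIP_HEADER.size + len(body)
    return KNXIP_HEADER.pack(0x06, 0x10, service, total) + body

# Constructed capture records: (source IP, destination IP, UDP payload).
SAMPLE = [
    ("192.0.2.21", "192.0.2.121", frame(0x0420)),    # tablet -> its own gateway
    ("192.0.2.22", "192.0.2.122", frame(0x0420)),
    ("192.0.2.22", "192.0.2.122", b"\x06\x10\x04"),  # truncated frame, ignored
] + [("192.0.2.77", f"192.0.2.{n}", frame(0x0420)) for n in range(121, 126)]

if __name__ == "__main__":
    for src, dsts in fan_out_sources(SAMPLE).items():
        print(f"ALERT {src} sent KNXnet/IP control frames to {len(dsts)} gateways")
```
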
During the session, he said that he “did not hack” the automation system, but simply “abused” the KNX protocol, which was created back in the early 90s.
Ahead of Molina's Black Hat talk, a St. Regis spokesperson told the South China Morning Post last week that it had “temporarily suspended the control system of the in-room iPad remote controls for system upgrading,” but that Molina's claim that he took over the automation system was “unsubstantiated.”
During the Wednesday session, Molina played a video of himself making a light in his own room come on using the discussed methods.
He also stressed that the KNX protocol (considered an open standard) was available for download online only for €1,000 when he searched for it, and that the information should be “open” to the research community for future testing.