How to hack a hotel: security researcher takes control of all light switches, TVs and curtains in London hotel

A security expert staying in an unnamed London hotel has shown how he can easily hack into the communications protocol to control the light switches, TV and curtains curtains in every room.

Matthew Garrett, who was staying in London to attend the KubeCon event, started to play around after he noticed that the hotel had replaced conventional light switches with Android tablets.

He explains in a blog post in full detail how he easily hijkached into the system by setting up a transparent bridge using USB ethernet cables, plugging his laptop between the tablet and the wall, and analysing the traffic between the two.

> See also: How to do secure Wi-Fi in the BYOD and IoT era

An analysis using popular protocol analyser Wireshark reveaked that the tablet was using a 'trivial' protocol that required no authentication, and was able to take full control of many of the room's functions, controlling my lights, turning the TV on and off and even making my curtains open and close. 

It was then that he noticed that the first three numbers of the IP address corresponded to room number.

'It's basically as bad as it could be,' said Garrett. 'Once I'd figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.'

Although the exploit doesn't represent a serious breach in itself, a prankster could easily cause havok with other guests' room controls, or use the information in more sinister ways.

'Jesus Molina talked about doing this kind of thing a couple of years ago, so it's not some kind of one-off,' writes Garrett. 'Instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of 'Set room lights to full' and 'Open curtain' commands at 3AM seems fairly predictable.'

> See also: IoT mythbusting 101: even thte most trivial device could present a data security risk

This is just the latest security debacle that has put the security of the Internet of Things (IoT) in question, showing the dangers of throwing in IoT technology for the sake of it without even the most basic security considerations.

The IoT has already arrived and is set to become even larger and more pervasive in the near future as more devices are connected to the internet, from lights to thermostats to baby monitors, surveillance cameras and garage doors.

But establishing common security standards amongst all these devices will be a huge challenge. Already, the fragmentation of so many Android devices and versions shows the difficulty of this, with serious security exploits constantly being uncovered that can take months to patch.

As Garrett puts it bluntly: 'we're doomed.'

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics