[ISN] Infrared exploits open the door to hotel hacking

InfoSec News isn at c4i.org
Wed Aug 3 06:05:51 EDT 2005


By John Leyden
2nd August 2005 

Insecure hotel infra-red systems create a means for hackers to read
other guest's emails, watch porno films for free and put false charges
onto other guest's accounts. Adam Laurie, technical director at secure
hosting outfit The Bunker, was able to demonstrate the attacks to
Wired prior to giving a talk on the vulnerabilities at last week's
DefCon conference in Las Vegas.

Using only a laptop and a USB TV tuner, Laurie was able to use an
infrared connection to a hotel's web-enabled TV to tune into data that
the backend system is broadcasting but he shouldn't be able to
receive. In this way he was able to view premium content, access
backend billing systems and view emails of guests who accessed web
mail services via their TV. He was also able to access the desktop of
backend computers and launch applications. "No one thinks about the
security risks of infrared because they think it's used for minor
things like garage doors and TV remotes," Laurie said. "But infrared
uses really simple codes, and they don't put any kind of
authentication (in it)... If the system was designed properly, I
shouldn't be able to do what I can do."

"As far as the hotel is concerned, you're the only person who can see
(your bill). But they're sending your confidential data over the air
through a broadcast system. It's the equivalent of running an open
wireless access point. If I tune my TV to your channel, then I get to
see what you're doing," Laurie told Wired.

Infrared systems are used throughout hotels in air conditioning
systems, vending machines and many other pieces of equipment but it's
their use in hotel TV systems that connect to backend and billing
systems that represent the greatest scope for mischief. Laurie said
that many hotel infrared systems are rolled out with password controls
or back-end authentication that would frustrate exploitation. Data is
commonly stored and transmitted in the clear without protection from
encryption. Because most hotel use similar systems from a small number
of suppliers, Laurie has been able to replicate the attack across the
world over the last two years.

Laurie discovered the security loophole when he was "mucking about
with hotel TVs to get the porn channel without paying for it". Tuning
into content that's been broadcast but a hotel TV is not configured to
receive is one thing - and might be carried out by tuning in a VCR -
but Laurie was able to take this further by deciphering the codes
transmitted from a remote control device to a TV. Laurie has created a
program to analyse and map the codes and a script to test out their
effect when sent to his TV. He did this for research purposes and
doesn't plan to release the tools.

As more devices become network enabled the scope for hacking
increases. Laurie's work shows the issue is not just confined to
devices connected to the web. Infra-red (and conceivably Bluetooth)  
connected systems might also be exploited. ®

More information about the ISN mailing list