A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests’ names and their room numbers from the billing system.
It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest’s bill or watch pornographic films and other premium content on their hotel TV without paying for it.
Adam Laurie, technical director of the London security and networking firm The Bunker showed Wired News how he conducted such attacks at hotels around the world before he was to speak about the vulnerability Saturday at the DefCon hacker conference in Las Vegas.
Laurie is known as Major Malfunction in the hacker community. He also revealed how infrared used for garage door openers and car-door locks could be hacked, using simple brute force programming techniques to decipher the code that opens the doors.
“No one thinks about the security risks of infrared because they think it’s used for minor things like garage doors and TV remotes,” Laurie said. “But infrared uses really simple codes, and they don’t put any kind of authentication (in it)…. If the system was designed properly, I shouldn’t be able to do what I can do.”
Ifrared is used in vending machines, scrolling LED public display signs, air conditioning systems, hotel minibars, robotic toys and home automation systems that control lighting and air conditioning from a console.
But hotel TV systems are the most serious target from a privacy standpoint because they are connected to databases that contain information about guests.
Laurie said the vulnerability lies with how hotels have implemented the backend of infrared systems, placing control of the system at the user end, where the TV is located, rather than at the server end with administrators.
Laurie found that the backend systems in many hotels around the world don’t have password protection or other authentication schemes to prevent unauthorized users from gaining access to them through the TV. And they fail to use encryption to protect data as it’s transferred and stored.
The only hardware an intruder needs is a laptop running Linux, an infrared transmitter and a USB TV tuner. Laurie said the attack can also be performed using the infrared port built into many laptops.
Plugging the TV into the tuner, which is the size of a laptop power pack, and the tuner into his laptop, Laurie is able to use his laptop to pick up content through hotel TVs that the backend system is broadcasting but not currently displaying on the TV.
“It’s the same as tuning your TV to multiple channels,” Laurie said. “(When you’re looking at one channel) the signal (for other channels) is always there, but you’re only currently looking at one part of the spectrum.” You don’t see what’s broadcasting on the other channels until you tune into them.
Laurie first discovered the vulnerability when he was “mucking about with hotel TVs to get the porn channel without paying for it.” He was able to bypass TV billing menus by using his laptop to tune in to the premium content being broadcast from backend systems. He didn’t have to pay for the content, because the systems didn’t know he was watching it.
Additionally, he could use hidden codes that transmitted from the remote-control device to the TV through infrared to control functions in the system. But finding those codes and determining what function each controlled wasn’t easy. It could take hours to decipher the more than 16,000 possible codes a TV remote uses.
But Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack. Laurie doesn’t plan to release the program.
Then he wrote a script that spit out codes to a TV to see what happened. Within an hour and a half, he had a list of codes that controlled things such as billing for the minibar and the room-cleaning status reports — a menu maids use to report when they’ve finished cleaning a room. Laurie could alter the reports with little effort.
In some hotels, the front desk can lock and unlock the minibar remotely, or maids can do it using a remote and an infrared receiver on the front of the bar. Laurie found he could do it, too. One day at a Holiday Inn, he accidentally locked the minibar while he was trying to find the commands that controlled it.
“Unfortunately, I did it before I got that beer out!” he said, pointing to a slide showing a can of suds taunting him through the minibar’s glass door. “That was motivation to find the other half of that code (to open it).”
He found he could also change filtering on the TV to block certain content or unblock other content.
By Kim Zetter
