SAN FRANCISCO — It was surprisingly easy, Jesus Molina discovered, to take control of the home automation network in a 5-star hotel and then control every room from his laptop.
Molina, a security researcher from San Francisco, described this feat at the Black Hat security conference in Las Vegas. His talk illustrated the perils of connecting dumb devices to the Internet — the so-called Internet of things — without first thinking about security.
Molina stayed at the 5-star St. Regis hotel in Shenzhen, China. In the room, he found an iPad. It controlled all of the features, such as the drapes, temperature, television, and lights. He investigated the device and found he could easily hack it.
“I controlled 200-plus rooms of a 5-star hotel by abusing an insecure home automation protocol,” Molina said.
The iPad was open to inspection and tampering. The automation protocol was not secure. Molina discovered that the system used software known as KNX/IP. Created in 1990, KNX is popular building automation protocol in China and Europe.
The iPad sent information to the KNXNet/IP router. In turn, that device send instructions to lightbulbs, TVs, and other things. Because it had no security, Molina could see that he could figure out the Internet protocol addresses for each room and the devices in it. To verify his information, he switched hotel rooms.
The first room he moved to was beautiful, but it had no iPad. So he asked to be moved again. He inferred the pattern for the addresses for every device based on the changes from room to room. Then he figured out how to send commands on the network and sent them. He filmed himself turning on the lights in a room in another part of the hotel. He also sent a signal, which he called a “heartbeat,” that verified to him that he could control every room in the hotel.
In China, Molina could have gotten into big trouble hacking into a hotel’s network. Although he was fearful about the repercussions, he talked to the Starwood chain about what he had done. He talked with the chain’s chief information officer. The hotel chain decided to take down the network, and Molina doesn’t know whether it would put it back up.
“They have taken steps to modify the policy so it cannot be done in other hotels,” he said. “We had some tension. I had a lawyer. It turned out happy.”
As to what he learned, Molina said, ” Protocols and security policies cannot be an afterthought. Guest security cannot be an afterthought.”
When it comes to the Internet of things, Molina is worried. He isn’t sure what the worst thing that can be done by hackers who gain access to everyday devices. So he asked a question.
“If I were able to control every device in your hotel room, will you move to another hotel tonight?”
He added, “The problem is we don’t care. More physical devices are doing these things. But what about privacy? The worst that could happen is that we don’t care. Welcome to 2084.”