A Linux developer staying in a hotel for a conference has found, with very little experimentation, that he was able to use the establishment’s innovative Android-based room lighting controls to hop onto the network and gain access to the environmental controls in every other room in the hotel.

Matthew Garrett, a security developer at CoreOS, arrived in London for the KubeCon conference, centred around the Kubernetes open source deployment system, to find that his (unnamed) Avant-garde hotel had replaced conventional light-switches with Android-based tablets, one of which was embedded into the wall, with the others loose and bearing Ethernet cables.

Garrett’s slight annoyance at simple, working technology (light-switches) being replaced by complex and potentially exploitable OS-based technology led him to see if there was a way into the system. He used two Ethernet adaptors to set up a transparent bridge, interposing his own computer between the devices and the host system, and used the network protocol analyser Wireshark to monitor activity.

android-hotel-light-switch-systemGarrett found that the environmental system was governed over TCP by the commonly-used Modbus [PDF] protocol, developed by Modicon (now Schneider Electric) in 1979. Garrett then used the Python-based PyModbus framework to begin controlling his own room lights, and to make his own curtains open and close.

It then occurred to him that he could potentially do the same for any room in the hotel. Curious as to the IP address controlling his room, he found that it was actually based on his room number:

“And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn’t, would they?
I mean yes obviously they would.
It’s basically as bad as it could be – once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.”

Since he would not be able to find out the results of tampering with other residents’ rooms except by causing great mischief, Garrett left it there, but notes the prior work of Jesus Molina, who presented the paper Learn How To Control Every Room At A Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment [PDF] at DefCon 22 in 2014.

Thanks to The Stack’s security editor Richard Morrell for flagging up this story.