The average person is likely to book only one hotel room. If your family’s big, or you have some teens who’ll want to come and go at their leisure, then maybe that number increases to two. But a few hundred rooms? Well, that’s hacker territory.
According to the South China Morning Post, a cybersecurity expert recently took control of far more rooms than he needed when he commandeered several hundred of them in a cyber experiment.
Hotel Falls Victim to Its Own Technology
To understand how this hack took place, it’s important to outline some details about the hotel itself. It’s called The St. Regis Shenzhen, and it is in every way the picture of luxury. Located in the heart of Shenzhen, China, and only a short walk to a lake, the hotel is a 5-star business with 290 elegantly adorned rooms and a whole host of high-end amenities including a spa, wine bar and several restaurants.
But the outward fanciness of something often says nothing of the security of its infrastructure, as Jesus Molina discovered recently.
Molina, who does cybersecurity work as his day job, was staying at the hotel recently when he realized something: The whole enterprise would be exceedingly easy to hack. That’s because the hotel equipped each of its patrons with an iPad-based “butler” app, which allowed customers to have control over certain in-room functions like the TV, thermostat and lights. The fact that the app consolidates these different functions onto a single iPad screen makes it easier than, say, getting up to turn the lights on or walking over to the thermostat.
However, there’s a downside to the system, and it’s one that Molina picked up on quite quickly: If the “butler” system was software-driven, what was to prevent someone from breaching it and getting control over the basic functions of many different rooms? So that’s exactly what Molina set about doing. Molina’s undertaking was not a malicious one, but was instead done to prove a point: namely, that enterprises sometimes jump to leverage technology without implementing a suitable system of defense. Whenever technology outpaces the means of securing it, that creates an inherent vulnerability.
“Hotels are particularly bad when it comes to security,” said Molina. “[They're] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings.”
Molina proceeded to write a script that would give him access to rooms beyond his own. Sure enough, he said, he soon had at his fingertips the means of controlling all of the hotel’s rooms. But fortunately for the hotel, Molina is a self-described “ethical hacker,” and he took his discovery straight to hotel administrators.
That Molina was able to breach the hotel’s “butler” system with such ease points to a clear failure in enterprise security. The hotel can consider itself very lucky that it was Molina staying there and not any of the innumerable malicious elements out there. After all, cybercriminals book rooms at hotels too.