Capsule hotels aren’t common in the US, but those who’ve traveled in Asia, especially Japan, may have encountered them. Instead of a room, you get a tiny capsule, barely bigger than the one-person bed. On checking in to such a hotel, Kya Supa, security consultant for LEXFO, did what any security researcher would do—he hacked the system.
Your home away from home in a capsule hotel is effectively a collection of Internet of Things devices—like an iPad that controls lights, ventilation, and even the position of the bed. At the Black Hat conference in Las Vegas, this security ninja explained how he managed to “take control of all bedrooms and get revenge on a loud neighbor.”
Exploring the Internet of Things
Supa observed that you enter a hotel floor using an NFC badge and control the room with an iPod touch. “What about the security of all this?” he said. “The iPod is connected using Bluetooth and Wi-Fi. There must be a way to communicate. I thought it was pretty cool. Maybe I could hack it and control the hotel!”
Supa’s motivation ramped up when an unruly fellow in a nearby room insisted on making loud phone calls at 2 a.m., even after being asked to desist. He figured hacking the system could let him play tricks on the annoying neighbor, whom he called Bob.
As a kind of reconnaissance, he inventoried all the connected devices in the room. He found a wall-mounted emergency light intended as an earthquake warning. More interestingly, he found a remote from the Nasnos company that uses radio waves to control curtains, lamps, and ventilation. And he found a servomotor designed to convert the bed to a sofa and back, controlled by the Nasnos device.
Supa couldn’t see it, but using his own devices he detected that each room had a Nasnos Wi-Fi router embedded in the room’s wall. This router takes a Wi-Fi signal and converts it to radio-wave commands, so you can use your smartphone in place of the remote.
Exploiting All the Things
“Now that we know what’s there, we can exploit it,” said Supa. “The iPod touch app lets you change the position of the bed, control the lights, turn the fan on. But I couldn’t exit the application or turn off the iPod.”
With a little research, he discovered that the iPod was under control of a feature called Guided Access. The point of Guided Access is that you can lock the device to run a single app and then safely hand it off to a child. You can’t turn off the device to get out of that mode, but he found that you can run the battery to zero and restart, which is just as good.
With full access to the iPod, Supa determined that the Nasnos network uses the outmoded WEP encryption system for security. He ran through numerous possible ways to break that encryption, but wound up learning enough about the WEP key to crack it using a brute-force attack.
By setting up a man-in-the-middle situation using a laptop, he was able to capture exactly what commands signaled each of the remote’s actions. With that information in hand, he could emulate those commands, not just for his own bedroom but for any of the hotel’s 119 cubbies. Well, after finding a way to crack the keys for all of them.
What About Bob?
Supa didn’t forget that annoying neighbor. With WEP keys for all the rooms, all he needed to know was which key matched Bob’s room. To make that connection, he waited until the hotel’s denizens went about their business and then started turning lights on and off with each available key, until he hit the right room. “I wrote a script that ran all night, changing his bed into a sofa and back, turning the lights on and off,” laughed Supa.
Supa concluded by pointing out that he needed six distinct vulnerabilities to gain control of all the bedrooms. He contacted both Nasnos and the hotel with his findings. Happily, the hotel took the issue seriously and switched to a new (and more secure) architecture. As for Bob, well, he probably believes in ghosts now.