Hotel room environment could be controlled by an attacker in another country

Aug 7, 2014 14:58 GMT

A former security researcher at Fujitsu Laboratories, Jesus Molina, described to his audience at the Black Hat conference in Las Vegas this year how he found a way to control the various comforts in a luxury hotel room in China.

While staying at the St. Regis hotel in Shenzhen, Molina, now an independent security consultant, was provided a remote control for the various elements in the room, such as the lighting, temperature, music, do-not-disturb light, TV, and even the window blinds.

The remote came in the form of an iPad 2, which made him wonder how the entire system worked. After some investigation, he discovered that everything relied on the home automation protocol KNX/IP, which contained significant security flaws.

Molina uncovered these glitches and was able to control the television sets in other rooms as well as everything else that could be handled by the iPad.

He said that an attacker could deploy a Trojan that would allow control of the rooms without having to be in the hotel; "he could be in another country," said Molina.

Although toying around with the room temperature or the TV set may sound like a good prank, the implications of a flawed home automation protocol are significant, as more and more hotels start to adopt this amenity.

Regular users could also integrate it into their home environment, and without proper protection against outside attempts to cause damage, the attack surface for an individual increases.

“The severity of these types of security flaws cannot be understated - from creating a chaotic atmosphere to raising room temperatures at night with fatal consequences - hoteliers need to understand the risks and liabilities they are exposed to by faulty security deployments,” said Molina in the presentation abstract.