Hotel Experience With Android Lightswitches (dreamwidth.org) 111
jones_supa writes: The hotel in which Matthew Garrett was staying had decided that light switches are unfashionable and replaced them with a series of Android tablets. In his tour of the system, one was quickly met with a glitch message "UK_bathroom isn't responding." Anyway, two of the tablets had convenient-looking Ethernet cables plugged into the wall, so MacGyver began hacking. He managed to borrow a couple of USB Ethernet adapters, set up a transparent bridge and then stick his laptop between the tablet and the wall. Tcpdump showed traffic, and Wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and does not implement authentication. The Pymodbus tool could be used to control lights, turn the TV on/off, and even close and open the curtains. Then he noticed something. His room number was 714. The IP address he was communicating with was 172.16.207.14. They wouldn't, would they? Indeed, he could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that he could control them as well.
A solution in search of a problem.. (Score:2)
It just seems daft to me that this is just pointless complexity.
The software will only need to be tested once! (Score:1)
To the engineer's credit, at least he used a platform that won't require testing due to software updates!
Re: (Score:2)
But pretty much every one of those sensors doesn't work as advertised, and instead starts turning things off because you sat still in bed for too long.
power shutdown in hotels (Score:1)
In a lot of hotels in Europe, you have to shove your key card into a receptacle near the door which turns on the power to the room.
(of course, most don't care what card you use, so if you want to leave the lights on when you leave, you use a keycard from some other place)
Re: (Score:2)
But most annoyingly, shutting off the power means I can't leave something charging in the room while I go out somewhere.
Re: (Score:1)
Or a bottle of red wine sitting on the air conditioner to properly chill (cellar temp) for dinner.
(One of those combined A/C and heater units, with a convenient horizontal grill. And I set it up at lunchtime, after the room had been cleaned - the maids were trained to turn the A/Cs off).
Re: (Score:2)
You're right. Maybe they could issue something to their guests that they can use to tell the system they're in the room. Maybe they could even be used to open the door!
Oh, wait, you're not right after all. You're just reinventing the hotel keycard switch, but with added complexity and dubious benefits.
Re: (Score:2)
Most of those switches activate when you stick anything at all into them...which totally defeats the purpose.
Re: (Score:3)
"Totally" is a severe exaggeration. Smartasses are never easy to deal with, but they do solve the problem 99% of times.
Also, most people don't just carry around random credit card-sized cards that they're willing to leave behind for a little added convenience.
Re: (Score:2)
Also, most people don't just carry around random credit card-sized cards that they're willing to leave behind for a little added convenience.
Are you sure about that? Every wallet or purse I've ever peeked into is full of pointless shit, mostly credit card sized. And every holiday I've ever been on we've always had a spare card to jam in the socket.
Re: (Score:2)
Most of those switches activate when you stick anything at all into them...which totally defeats the purpose.
They don't unlock the door unless the correct thing is stuck into them. Pretty simple to tie it into the same computer system.
Re: (Score:2)
The vast majority of switches is dumb. Just a card-sized slot and a switch.
Re: (Score:2)
Not the door locks, the room's master light switch.
Door locks are a whole different thing that is only tangentially related.
Re: (Score:3)
That's a ~95% solved problem and has been for decades. Room key on thick plastic block, block goes in a cradle inside the door, activating power to the room. Pull the key to leave and everything goes off.
Worked in the 90's at least when I started traveling for work, and it wasn't just in big city hotels then. Perspex blocks don't have to be smudge-free, don't need extra power of their own, won't break down, are significantly cheaper, can't be trivially hacked to screw with every other room in the hotel - no
Re: (Score:2)
Room key on thick plastic block, block goes in a cradle inside the door, activating power to the room. Pull the key to leave and everything goes off.
Do you know that most hotels in the US (I know TFA was London) use cheap magnetic credit cards (with a different encoding) as keys? I haven't seen an actual room key since at least a decade ago. I don't think attaching a brick to the key card will go over well with hotel guests or even the hotels themselves. Also, you can't use the key to tell when the room is occupied. If there are two guests in the room, and one goes out with the key, are you going to shut off TV and lights for the one staying behind?
In
Re: (Score:2)
I've stayed in a room where you had to put one of the cardkeys in a slot on the inside of the door to have power to the room.
Re: (Score:2)
Hotels will usually give me an extra keycard when I ask, just so I can leave the room powered up when I'm not there. If I forget, a business card usually works well, too. Most of them don't have sensors; I'm assuming it's a simple microswitch.
Re: (Score:2)
The Travelodge in Clapham Junction used (uses?) Ving card which have a random combination of 100 holes in them.
Re: (Score:2)
Wow, are they still around? I remember ving cards in the 90s but haven't seen one in probably 15 years.
Re: (Score:2)
But doing it like that requires significant investment in extra wiring and zoning ordinances which depending on your electric code may not necessarily be either easy or cheap to implement/retrofit. Retrofitting some COTS "smart" switches on an Android would cost ~500-1000/room including labor, running new electric will cost at least 5-10x as much.
Re: (Score:1)
And in most cases,
Re: (Score:2)
Imagine having scrolling messages displayed on the outside of the hotel as different combinations of room lights went on and off. Even more fun if they used those smart LED lightbulbs that can be pre-programmed with a particular color out of range of 4096.
Re: (Score:1)
http://www.hubbell-automation.... [hubbell-automation.com]
Many of these protocols come from a long history in industrial automation where every source was basically "Trusted". It's going to take years for i
Re: (Score:2)
Luddite!
BTW, if I understand the situation correctly, the reason that we need IPv6 is so that we can all enjoy this and similar advanced technologies and can control our household lighting and curtains from anywhere on the planet.
The 1960s are looking better and better (excepting that Vietnam thing of course).
Re: (Score:2)
I would be more concerned with the room lights being used for displaying giant messages on the hotel's facade with one room per pixel.
Could be used to shame the hotel for sure.
The end scene of the movie Hackers comes to mind.
Re: (Score:2)
I'm all for avoiding needless complexity, but here are the tangible benefits:
1) Energy savings. You could ensure lights are not left on by housekeeping etc. when rooms are not occupied. Maybe a small benefit, but easy to automate.
2) You can turn on lights when someone checks in to make the room more welcoming.
3) Customers can turn off all the lights in the room from the bed. Maybe a bit of laziness, but helpful for someone not familiar with the layout of various light switches in the room.
4) Safety: in a
A timothy by any other name ... (Score:4, Funny)
He should check his bill in case they charged him twice.
Re: (Score:2)
Oh. This guy? https://mjg59.dreamwidth.org/ [dreamwidth.org]
The one who forked the linux kernel in 'solidarity' with sarah sharp?
Wow (Score:2, Insightful)
Hotel Cheaped out. (Score:3)
If they used a REAL control system this would not be the issue. but instead they tried to do it as cheap as possible using consumer crap.
Tablets at the light switches is insanely stupid as well. real automation lighting systems still have physical buttons at entryways and doorways for the lights.
Whoever sold this system to the hotel needs to be outed and publicly shamed.
Re: (Score:2)
"If they used a REAL control system this would not be the issue."
That's becoming interesting.
Are you implying they were using an UNREAL control system? Kind of... I don't know... Ghost in the Shell's Section 9?
"instead they tried to do it as cheap as possible using consumer crap."
Ohh... I see! But, you know, that doesn't make it an unreal control system, but a very REAL one.
"Whoever sold this system to the hotel needs to be outed and publicly shamed."
You know what a free market is, don't you? It is not ab
Re: (Score:2)
I wonder whether someone like the FSB is the one that is selling the thing. It could make eavesdropping on people so much easier.
But as you say - the hotel was dumb enough to actually buy it.
Re: (Score:2)
>>It's a slapdash bunch of crap stuck together
That's the definition of a system.
Re:Hotel Cheaped out. (Score:5, Insightful)
No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.
Re: (Score:3)
"Whoever sold this system to the hotel needs to be outed and publicly shamed." No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.
I hope this is sarcastic because otherwise it sounds like you think every scam should be legalized and the blame put squarely on the victims.
Re: (Score:2)
Perhaps you should learn the difference between simple incompetence and scamming.
You implied the salesman knowingly sold an insecure system when you said he "should win salesman of the year". Otherwise he was simply incompetent, the buyer was incompetent, and neither should win any prizes.
Re: (Score:2)
I did no such thing. He should win it simply for selling a costly, high tech, high support solution in place of a wall switch.
Re:Hotel Cheaped out. (Score:4, Interesting)
No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.
They did their due diligence. It runs Modbus TCP. That's like an industry standard man. Everyone uses that. It must be good!
Re: (Score:2)
No, they should win salesman of the year. The shaming should go to whoever at the hotel didn't do due diligence, and bought the system.
Same goes for whoever is approving those smart elevator controls, you know the ones where the lift has no buttons, you type in your floor on a panel in the lobby, then get assigned a lift number? They are becoming more and more common and I always have a worse experience with them than the old fashioned up and down buttons with floor buttons in each lift.
Re:Hotel Cheaped out. (Score:5, Insightful)
Sounds like they picked ModbusTCP since it is an incredibly easy standard to implement on very cheap devices (think 10 cent microcontrollers).
Tons of existing devices support it too so not a bad choice from a technical perspective.. unless you care about security.
Modbus has zero security, why would it? It was built to run on serial lines and the tcp-implementation is for all intents and purposes just using a tcp-socket instead of a serial line to chuck bytes over the line.
It entirely relies on the physical security of the network.
The same thing is also true for KNX/EIB-control which is used for building automation all over the world. The issue here is that what used to be secure by being obscure and inside sockets on the wall is now just being extended onto tablets with no thoughts about how people will poke around in the system.
Having 'killed' a building by mistake (typoed a path....tripped all breakers in the building :p) via KNX, I know the lack of security being very real in 'live' environments.
This is not at all new, it has just not been a focus for anyone until fairly recently.
Google around for KNX hacks and you'll see plenty of evidence of the shitty systems which are considered "industry standard" for building automation. Sigh.
Re: (Score:2)
DMX512 is no better, being a dumb multi-drop RS-485 serial bus with zero authentication.
I admit that I lack knowledge of BACnet, DALI, or Lonworks, specifically but generally: Industrial control systems don't have authentication.
The chances of the radio console(s) that your local public-safety agencies use of potentially having IP connectivity and default passwords is astonishingly good, for instance.
I saw one instance of this in a town not far from where I live, where the radio system used IP addresses wh
Re: (Score:2)
Bacnet is the standard for commercial lighting. Modbus has NEVER been used for lighting control in commercial.
Indians (Score:2)
Guarantee this was dreamed up by someone from India.
Re: (Score:2)
And implemented by an American in a board room deciding who they need to fire next so they can make their quarterly bonus.
Re: (Score:1)
And by the way, I've used tablets to build HMI screens in industrial areas that work great (B
Re: (Score:2)
Lack of serious products?
Crestron, AMX, Lutron, Hubbell, Leviton ALL make this stuff that is not based on cheap-ass android tablets and half assed networking without any kind of security in place.
And all of those companies have been in business longer than you have been alive. There are tons of "properly more engineered solutions" out there and they have been there for decades.
Re: (Score:2)
If they used a REAL control system this would not be the issue.
You mean a real control system, like a control system used a lot in industry and commercial settings?
Such a control system that is most probably running a protocol like Modbus TCP?
Is that the kind of control system you're talking about?
This was a story about someone finding a way to access a Modbus TCP connection to control a building. This is very much not only a "real" control system, but it is also probably the single most widely used protocol for this kind of control in the world, and it's a protocol pr
Re: (Score:2)
If they used a REAL control system this would not be the issue. but instead they tried to do it as cheap as possible using consumer crap.
Tablets at the light switches is insanely stupid as well. real automation lighting systems still have physical buttons at entryways and doorways for the lights.
Whoever sold this system to the hotel needs to be outed and publicly shamed.
The hotel is in the hotel business. They trust the electronic doors, and other security stuff to contractor. It is the contractor that should be liable, if some item was stolen from a room.
Screw control, monitoring more interesting... (Score:5, Insightful)
If he can query the light status, why not poll every room every two minutes or so - and make a note of which rooms had been on, then were turned off implying the owners had left...
Nothing like being able to know a room will have belongings but is unoccupied to make the burglar's work easy.
On a side note I can't really blame them for matching IP to room number, just from a trouble-shooting perspective... the real problem is lacking unique per-room authentication.
Re: (Score:2)
Nothing like being able to know a room will have belongings but is unoccupied to make the burglar's work easy.
That depends on your hotel. Having "lived" in a few hotels (to the point where the concierge of one hotel gave me a house warming present when I left), I can tell you that during the day I didn't use the lights as it was bright enough, and at night while watching a movie or sleeping I didn't use the lights either.
On the other hand walking down a hallway and seeing a couple walk out of the room is a far simpler way of knowing that a room is empty.
Re: (Score:2)
Nothing like being able to know a room will have belongings but is unoccupied to make the burglar's work easy.
Because risking jail for stealing tourist's clothes is worth it for your average IT savvy crook....
Re: (Score:2)
I don't know why you are stealing clothes when you could have laptops, iPads and jewelry.
Re: (Score:2)
I don't know why you are stealing clothes when you could have laptops, iPads and jewelry.
Have you ever stayed in a hotel? Most people will have their valuables on them, or if left in the room kept in a safe. I hardly think that renting a hotel room, which you have to present ID and credit card (sure you could fake that but...) only so you can hack the electrical control bus to try and work out when another guest is not in (maybe), so you can somehow break down their door, and pray they have something valuable lying around you can steal (that doesn't have GPS and tracking), and hope there's no c
Uhh...no. (Score:1)
Re: (Score:2)
VLAN doesn't do much unless it's also enforced via a smart switch..
Re: (Score:2)
Cost most likely. Or an oblivious implementer.
Lights, cameras, ... (Score:2)
Re: (Score:2)
I recently stayed in a hotel that provided a tablet in every room for accessing amenities, such as room service. It appeared to be equipped with a camera and microphone, as most tablets are. And I have little doubt the security at that hotel was as bad as what the poster described.
Does anyone know what hotel Erin Andrews is staying in?
the reason for not having nice things (Score:1)
This, exactly this, hacking into it, outing it as cheap crap, saying it's not secure, blah blah blah, keep living in your encrypted utopia and kill yourself yesterday for all our sakes.
why does it have to be ten times the price this hotel already paid for? just fuck you guys, you're all just a bunch of lame ass chatterbugs, not even worthy of any goatse.
have fun with it for a moment, let the hotel know about it, especially the owners of the hotel, and maybe just maybe, karma won't bite you in the electrical
Re: (Score:2)
I'm guessing this was intended as hyperbole, and I don't know what the actual additional cost would have been for the hotel, although I expect a lack of security is common, and it may well have cost the hotel somewhat more to put some kind of security in place.
Where some kind of security is common practice though, I don't think it need cost an
Re: (Score:2)
I would like to use my device to simultaneously flush every toilet in the building. And then after having done that, then I would like to use my device to book a different hotel for the evening.
Because (Score:4, Insightful)
Welcome to the Internet of really gadamned stupid things.
I'm surprised the door locks weren't on the network. (Score:2)
Tetris? (Score:3)
Private VLAN (Score:2)
The solution is pretty simple, set up private vlanning so that only the ports in a given room can talk to each other, and any central server authenticates the connection based on the incoming port.
Sure the traffic is still in the clear but so what? You would be able to MITM your own room and turn off your own lights, which you could have done anyway.
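Added example, not part of the thread or of the linked article: a Python sketch tying together the comment above that Modbus "entirely relies on the physical security of the network" and the private-VLAN comment. It decodes the Modbus/TCP header to show there is no field for credentials, then applies the per-room policy as a monitoring check. The addresses, the `ALLOWED` table and the function names are constructed for illustration.

```python
import struct

# Modbus/TCP request = 7-byte MBAP header + PDU. None of the fields carries
# an identity, password or signature, so the server cannot tell who is asking.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
READ_CODES = {1, 2, 3, 4}      # read coils / inputs / registers
WRITE_CODES = {5, 6, 15, 16}   # write coils / registers


def parse_frame(payload):
    """Decode one Modbus/TCP request; return None if it is not well formed."""
    if len(payload) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(payload)
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    function = payload[MBAP.size]
    if function in WRITE_CODES:
        kind = "write"
    elif function in READ_CODES:
        kind = "read"
    else:
        kind = "other"
    return {"tid": tid, "unit": unit, "function": function, "kind": kind}


def audit(packets, allowed_clients):
    """Return (src, dst, kind, function) for requests from unexpected sources."""
    alerts = []
    for src, dst, payload in packets:
        frame = parse_frame(payload)
        if frame is None:
            continue  # not Modbus/TCP; out of scope for this check
        if src not in allowed_clients.get(dst, set()):
            alerts.append((src, dst, frame["kind"], frame["function"]))
    return alerts


# Constructed policy: each room controller accepts only its own wall tablet.
ALLOWED = {"10.0.7.14": {"10.0.7.114"}, "10.0.7.15": {"10.0.7.115"}}

# Constructed capture: (source, destination, TCP payload).
SAMPLE = [
    ("10.0.7.114", "10.0.7.14", bytes.fromhex("00010000000601050003ff00")),
    ("10.0.7.114", "10.0.7.15", bytes.fromhex("000200000006010100000008")),
    ("10.0.7.200", "10.0.7.14", bytes.fromhex("000300000006010600010000")),
    ("10.0.7.200", "10.0.7.14", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, ALLOWED):
        print(alert)
```

Because the protocol has no notion of a caller, the only thing the check can key on is the network source, which is why the enforcement has to live in the switch or firewall rather than in Modbus itself.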