Itsme

Hacking the hotel through the TV

Published: July 31, 2005, 5:00 PM PDT
By Joris Evers
Staff Writer, CNET News.com

LAS VEGAS--When Adam Laurie stays at hotels, he says he can hack his way around paying for premium TV channels, the minibar and phone calls.

What's more, by connecting his laptop to certain modern hotel TV systems, Laurie says he can spy on other guests. He can't look into their rooms (yet), but depending on the system he can see what they are watching on their TV, look at their guest folios, change the minibar bill and follow along as they browse the Internet on the hotel television set.

To tease his fellow guests, he can also check them out of their room and set early wake-up calls via the TV.

Laurie can do all this because of what he calls the "inverted security model" of the systems. "The TV is controlling which content I get to see. The hotel in most cases is streaming all content without any control," Laurie said in a presentation Saturday here at the Defcon event for security professionals and enthusiasts.

By plugging the hotel TV cable into a USB TV tuner connected to a laptop computer, Laurie can hack his way into the back-end systems controlling the entertainment and other convenience features found in modern hotels, he said in his presentation.

He found that many of those systems give access to information depending on an ID associated with the room's TV. By changing that ID, he said that he was able to access information for other rooms. Many such hotel systems show guest bills, phone and room service records and offer video check-out.

Laurie found that the hotel TV systems also have special controls for hotel employees. Housekeeping staff can report a room as clean, for example. Additionally, he found that some systems let room service staff input billing for the minibar, which he now controlled.

"Sometimes you can actually control physical devices," Laurie said. In one Holiday Inn hotel he found the system that controlled an electronic lock on the minibar.

While staying at a Hilton hotel in Paris, Laurie automated his hack and placed a camera in front of the TV. He snapped pictures of every screen and found out the occupancy rate of the hotel, the names of the guests, what they were paying, where they were calling and how long they had been at the hotel. He showed the pictures at Defcon, but obscured the guest names.

Part of Laurie's hack is simple. He found that premium channels are actually being broadcast all the time; the TV just can't tune into them until the guest pays. If a someone brings in a TV--the laptop and USB TV tuner will do fine--and connects it, they're set.

It gets harder from there. Changing the ID of the TV requires some skill, as does finding the room service billing codes. The systems use codes entered on the TV remote. So Laurie carries around an infrared device that he connects to his laptop. He wrote a program that sends codes to the TV and in about 30 minutes finds the relevant ones.

And the situation isn't getting better. "They are starting to do things like allowing you to put credit card numbers in through the TV," Laurie said. Also, he said, some of the makers of these hotel systems are looking at adding Webcams, perhaps to let people chat over the Internet

Pemolis

This is somewhat old (least to me).

Strangely enough, the only real security risk is the financial information which maybe available though the cable/tv connection. Other than that... if you know what you are doing... five finger discounts!!

SnowSurfer

i would love to lock out everyones minibar in the whole hotel..that would rock

__________________
I have an athlon xp 2500+ ... aren't you glad you know that?

bachviet

Discount is good.

__________________
Dell Dimension 9200 | Intel Core 2 Quad Q6600 (2.4GHz) | 4x1GB DDR2 | 256MB nVidia GeForce 8800GT

Dell Studio 17 | Intel Core i7-720QM (1.6GHz) | 2x2GB DDR3 1066MHz | 1GHz ATI Mobility Radeon HD 4650

Intel P4-C 3.0GHz | ECS 865PE-A | 3x512MB PC3200 | 128MB PNY GeForce 6600GT

JackHammer

Me thinks this is illegal. Hence and therefore if you get caught they're gonna do a Casino on your fingers a la Bobby.

__________________
"I'm very sorry for your loss. Your mother was a terribly attractive woman."
-Royal Tenebaum


"Oh yeah. Oh yeah. I would do everything to her, I don't care what she looks like. I would wreck that chick."
-Brian from the Family Guy after Peter asked him whether he would have sex with Lois.

modena

now, is there a button you can push to have everyone's minibar contents be transfered to your room?

__________________
WoW - Perenolde - chars: intron, modena
Computer - AMD 64 3700+ 939 on NF4 SLi mobo (ZALMAN CNPS 9500), 2 GB DDR466 (2-3-2-5), XFX Geforce 7900GT 256mb (520mhz core, 24 pipes, 1500mhz memory), Western Digital Raptor 74GB Serial ATA HD 10k, 850GB in other HD's, 21in Widescreen LCD

Dman33

Me too... any geek that works on the road a lot has hacked the tv in the hotel room. The easies hack is being able to view PPV movies - with the easy hack only those movies that are currently being watched by other guests are viewable. You would be suprised how much pr0n is being viewed on a regular basis at all hours of the day. LOL

I have never tried the other stuff like getting to guest account info or the minibar... I figure that is flirting too much with arrestability.

cocojambo

would be cool to have something like that around... spying is cool sometimes