That was the focus of a talk given by Jesus Molina a security consultant that had quite a bit of fun finding out just how open these systems can be. We have already talked about how insecure some Internet of Things devices can be and in particular there appears to be almost no security in most home automation devices. Molina was curious when he found out that there was an iPad in the room that allowed him to control different things in the room. He began to do some poking around and found that the iPad was open to snooping and it was connected to the open guest wireless network making the data even more susceptible to snooping and capture.
Now the decision to use the guest network is not all that unusual, in fact that is exactly you would expect. In order to maintain security most hotels will not broadcast admin or other secure SSIDs into the guest areas. You might find VoIP or IP TV VLANs that exist, but these are hard lines and not generally not good for use in an automation system.
Getting back to Molina’s talk after snooping around Molina found that the system was using an older protocol and system called KNX. KNX was developed in 1990 and has no security (that was found in 2006). However it was required for use in buildings that used automation systems in Europe and Asia for a while. When Molina found this he decided to see if he could find out more about it, but was hit with a pay wall of sorts. In order to grab the whole specification he would need 1,000 Euros (roughly 1339 USD). As he did not have this he decided to poke around and found that some universities had developed open source versions of the KNX protocol. With this in hand Molina began to map things out.
Molina found that each room had its own IP address that you can talk to over the network. The IP address points to a KNX router for the room. To talk to the devices inside the room you need a little more information and will need to do some coding. The first thing you need to discover is the area, line and device numbers. This was not all that difficult to do by watching the traffic and found many of the devices in his own room. Once he had a map of his room he spend a good deal of time asking to have his room changed (this one is too light, this one is not comfortable enough) and in each room he tried to map out the devices to find a pattern for the area and line numbers. He also used the blue housekeeping light to confirm he was hitting the right room.
Once he had his map he found he was able to control almost everything in the room with the exception of the thermometer, but he said that might be possible with more research. His control extended to the top 200 rooms in a luxury hotel in China. This is not a bad feat especially given the area that he was working in. At one point, as he was trying to see what else he could control he thought the game was up when he heard a knock at the door. Interestingly it was not the police coming to take him away it was only the laundry. This could mean that he found a way to call for them using the same system.
This story of automation mayhem might have a happy ending though. When Molina contacted the hotel they were very receptive and shut down the system. Also according to the developers of KNX there is a new version of the KNX protocol that does include security although Molina has not been able to confirm this (he is taking donations for the 1,000 Euros he needs…). This discovery is not all bad, in the end it highlights an area that might not have been properly explored by the hospitality and automation industry. Now that the light is on they should be motivated to examine their choices for automation including forcing the manufacturers of these devices to use better secured routers, and end points. It might also change the pattern of using open networks for the tablets that run the system. Of course, that still leaves the tablet as a source of compromise, but that is for another story.
Tell us what you think in our Forum