Here’s another documented instance for the “insecure Internet of Things” annals, courtesy of CoreOS security developer Matthew Garrett.
Garrett, who’s also a member of the Free Software Foundation board of directors, was in London last week attending a conference, and found that his hotel room has Android tablets instead of light switches.
“One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall,” he noted. So, he got ahold of a couple of ethernet adapters, set up a transparent bridge, and put his laptop between the tablet and the wall.
He discovered that the traffic to and from the tablet is going through the Modbus serial communications protocol over TCP.
“Modbus is a pretty trivial protocol, and notably has no authentication whatsoever,” he noted. “Tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close.”
He then noticed that the last three digits of the IP address he was communicating with were those of his room, and successfully tested his theory:
“It’s basically as bad as it could be – once I’d figured out the gateway, I could access the control systems on every floor and query other rooms to figure out whether the lights were on or not, which strongly implies that I could control them as well.”
This is not the first time that something like this was discovered by security researchers, and it’s (unfortunately) very unlikely that it is not the last. As Garrett pointed out, “hotels are happily deploying systems with no meaningful security.”
In this particular case, who knows what else he could have achieved by fiddling with the system.
Commenters to his post said that they hoped that the fire control wasn’t on the same modbus; posited that the Android tablets functioning as light switches could also be made to record and play sounds from and to the room, if additional apps can be installed on them; and that the tablets could be misused by attackers to see whether someone is in the room or not in order to steal stuff from it undetected.
Garrett didn’t name the hotel because, when informed of the issue, they promised to look into it and remedy the situation, but he shared his experience to point out the need for security to be a part of IoT.