right now, and the hotel I’m staying at has decided that light switches are unfashionable and replaced them with a series of Android tablets.
One was embedded in the wall, but the two next to the bed had convenient looking ethernet cables plugged into the wall. So.
I managed to borrow a couple of USB ethernet adapters, set up a transparent bridge (brctl addbr br0; brctl addif br0 enp0s20f0u1; brctl addif br0 enp0s20f0u2; ifconfig br0 up) and then stuck my laptop between the tablet and the wall. tcpdump -i br0 showed traffic, and wireshark revealed that it was Modbus over TCP. Modbus is a pretty trivial protocol, and notably has no authentication whatsoever. tcpdump showed that traffic was being sent to 172.16.207.14, and pymodbus let me start controlling my lights, turning the TV on and off and even making my curtains open and close. What fun!
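Since Modbus/TCP frames carry no credential at all, the only place a hotel (or anyone watching the floor segment) can tell a legitimate write from a stray one is the network layer: which host sent the write, and to which controller. Here is an added example, not code from the original post or from pymodbus, that parses MBAP-framed Modbus/TCP requests out of a TCP payload and flags any write request (function codes 5, 6, 15 and 16) whose source is not the expected controller for that destination. The sample packets and the allow-list are constructed for the example; 172.16.207.14 is the address from the post, while 172.16.207.114 and 172.16.207.250 are made-up hosts on the same subnet.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Public Modbus function codes (Modbus Application Protocol Specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Every one of these changes device state, and none carries a credential.
WRITE_FUNCTIONS = {5, 6, 15, 16}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # first coil/register the request touches
    data: bytes    # PDU bytes after the function code

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(payload: bytes) -> List[ModbusRequest]:
    """Split one TCP payload into its MBAP-framed requests (several may be coalesced)."""
    requests: List[ModbusRequest] = []
    offset = 0
    while offset + MBAP_LEN <= len(payload):
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        if proto != 0:
            raise ValueError(f"not Modbus/TCP: protocol id {proto}")
        # The length field counts the unit id plus the PDU, so the frame ends here.
        end = offset + 6 + length
        if length < 2 or end > len(payload):
            raise ValueError("truncated Modbus frame")
        fc = payload[offset + MBAP_LEN]
        data = payload[offset + MBAP_LEN + 1:end]
        address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else 0
        requests.append(ModbusRequest(tid, unit, fc, address, data))
        offset = end
    if offset != len(payload):
        raise ValueError("trailing bytes after last frame")
    return requests


def audit_writes(packets: Iterable[Tuple[str, str, bytes]],
                 allowed_writers: Dict[str, Set[str]]) -> List[str]:
    """Return one alert line per write request not sent by an allowed host for that controller.

    packets: (src_ip, dst_ip, tcp_payload) tuples, e.g. reassembled from a capture on br0.
    allowed_writers: controller ip -> set of hosts permitted to write to it (hypothetical policy).
    """
    alerts: List[str] = []
    for src, dst, payload in packets:
        for req in parse_modbus_tcp(payload):
            if not req.is_write or src in allowed_writers.get(dst, set()):
                continue
            name = FUNCTION_NAMES.get(req.function_code, f"FC{req.function_code}")
            alerts.append(f"{src} -> {dst}: {name} unit={req.unit_id} addr={req.address}")
    return alerts


# Constructed sample traffic. 172.16.207.14 is the controller from the post;
# .114 (the room's own tablet) and .250 (some other host on the floor) are invented.
SAMPLE_PACKETS = [
    # tablet polling the room's coils: a read, never flagged
    ("172.16.207.114", "172.16.207.14",
     b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"),
    # tablet switching coil 3 on: a write from the allowed host
    ("172.16.207.114", "172.16.207.14",
     b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x03\xff\x00"),
    # another host on the segment, two frames coalesced in one TCP segment:
    # Write Single Coil (addr 3 off) followed by Write Multiple Registers (addr 16)
    ("172.16.207.250", "172.16.207.14",
     b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x03\x00\x00"
     b"\x00\x04\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x01"),
]
ALLOWED_WRITERS = {"172.16.207.14": {"172.16.207.114"}}

if __name__ == "__main__":
    for line in audit_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT", line)
```

The audit is deliberately dumb: it does not try to decide whether a write is "reasonable", only whether the sending host has any business writing to that controller. That is the same check a per-room ACL or a segment-level filter would enforce, and it is the cheapest mitigation available when the protocol itself offers none.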
And then I noticed something. My room number is 714. The IP address I was communicating with was 172.16.207.14. They wouldn’t, would they?
I mean yes obviously they would.
It’s not as bad as it could be – the only traffic I could see was from the 207 subnet, so it seems like there’s a separate segment per floor. But I could query other rooms on my floor to figure out whether the lights were on or not, which strongly implies that I could control them as well. Jesus Molina talked about doing this kind of thing a couple of years ago, so it’s not some kind of one-off – instead, hotels are happily deploying systems with no meaningful security, and the outcome of sending a constant stream of "Set room lights to full" and "Open curtain" commands at 3AM seems fairly predictable.
I stayed in a hotel with Android lightswitches and it was just as bad as you'd imagine