Next time you’re in Shenzhen, “the Silicon Valley of mainland China”, don’t stay at the St Regis hotel. Sure, it looks nice and everything. And those iPad-powered “digital butlers” sound neat. But, really, the system is so littered with security vulnerabilities that a hacker on the other side of the planet can easily break in and turn off your lights when you least expect it.
Wired’s Kim Zetter just published an unnerving story about the St Regis Shenzhen and Jesus Molina, the hacker who discovered the issue. After realising that it was possible to hack into the system that controls everything from the thermostats to the window blinds to the little “Do Not Disturb” lights outside the rooms, Molina recently stayed at the hotel for two nights to explore just how far he could go. Long story short, he pretty much had free rein. “I could have changed every channel in every room so everybody could watch soccer with me,” he told the magazine, “but I didn’t.”
The vulnerability can be traced back to a dated communication protocol called KNX that the hotel uses to control its Internet of Things devices. This is a dumb idea though, since KNX was originally designed to work on wired networks and absolutely does not have the robust security necessary to work on wireless networks. In fact, according to Molina, it has no security or encryption whatsoever, which is why he was able to hijack the system so easily.
It’s tempting to write off this issue as another silly Chinese hacker boondoggle, but the KNX protocol is used by hotels around the world. Molina will be presenting his findings at the Black Hat security conference in August, so there’s hope that hotels with similar vulnerabilities will pony up and fix the problems. It’s also nice to know that there are now secure protocols designed specifically for the Internet of Things. Of course, that doesn’t mean that oblivious hospitality chains will use them, but hey, there’s always Airbnb. [Wired]
Picture: St Regis Shenzhen