
The Hacker Hotel: High-Speed to Insecure Networks – Be afraid, be very afraid



June 01, 2001
Network | Security
Seth Leonard
Dan Phillips - dphillips@its-services.com

© 2001 Hospitality Upgrade. No reproduction or transmission without written permission.

News Flash: 4/4/01 – “A survey of IT professionals released today indicates that one in three U.K. businesses has been the victim of a major security break in. …Foreign Secretary Robin Cook warned that computer hacking may pose a greater threat to the national infrastructure than military attack.”1

News Flash: 3/20/01 – “A restaurant busboy is accused of using the Internet and Forbes’ list of the richest people in America in a scheme to steal millions from such figures as Steven Spielberg, Warren Buffett, Martha Stewart, Oprah Winfrey, Ross Perot and Ted Turner. Police are calling it one of the most ambitious identity-theft schemes they have seen. They are still tracing the complex electronic trail to determine exactly how much was stolen, but fear it could be well into the millions. …Court papers say [Abraham] Abdallah was carrying the Social Security numbers, home addresses and birth dates of 217 CEOs, celebrities and tycoons. …Abdallah, police say, also had more than 400 stolen credit card numbers, including some that were used to buy about $100,000 of computer equipment and gold coins.”2

News Flash: 4/12/01 – “In a parking garage across from Moscone Center [San Francisco] …Peter Shipley reaches up through the sunroof of his car and slaps a dorsal-shaped Lucent antenna to the roof …snaking a cable into the car and plugging it into the wireless network card slotted into his laptop. The computer is already connected to a GPS receiver …and the whole apparatus is drawing juice through an octopus of cigarette-lighter adapters. …The moment he pulls out of the parking garage, the laptop displays the name of a wireless network operating within one of the anonymous downtown office buildings… Shipley’s custom software passively logs the latitude and longitude, the signal strength, the network name and other vital stats. Seconds later another network appears, then another… After 15 minutes…his jerry-rigged wireless hacking setup has discovered 17 networks beaconing their location to the world. After an hour, the number is close to 80. ‘These companies probably spend thousands of dollars on firewalls,’ says Shipley. ‘And they’re wide open.’ …Many here believe that hackers are already cruising around metropolitan areas in cars and on bicycles with their laptops listening for the beacons of wireless networks. Using such a network doesn’t even require special software or hardware, an ordinary $150 consumer wireless card will latch on to the beacons and put you on the Net. Grand computer capers will be pulled off, not from bedrooms and college dorms, but from windowless vans in company parking lots, and from park benches and empty stairwells. ‘It’s fun, it’s the new thing.’”3

News Flash: 3/30/01 – At the host hotel of the CanSecWest conference in Vancouver, B.C. “By registration time, an attendee had already gotten the password to the hotel’s phone system…and a day later, the hotel’s high-speed Internet system had been accidentally crashed by another attendee who had taken over the hardware connecting the hotel to the Internet. …Richard Johnson, security administrator for the National Center for Atmospheric Research, connected an Apple Airport wireless hub to his room’s high-speed Internet port, so he could wander around his room and still use the Internet. Within five minutes, he said, a handful of hackers from nearby rooms had hitched a ride on his connection as well. …That sort of curiosity made the conference’s wireless network a security nightmare. Almost every person on it was either scanning every other person’s computer or just passively listening to what the other computers were doing. …Normally, a typical user with a personal firewall might see a handful of alerts every hour, on a busy day. SourceFire’s Roesch…said he saw 2,300 alerts on his computer in less than five minutes. By the end of the conference, paranoia had set in. Type a password into Yahoo? Someone most likely knows it. Send an e-mail to a friend? Someone’s reading it right now. Suddenly, the Internet seemed a lot less safe.”4

That is some scary reading. If I were a hotelier, I’d be really concerned about my network connections, especially if they leave the hotel itself to connect to corporate offices or to brand flag locations. If I were a hotelier with high-speed Internet access in my hotel (more so wireless), I’d be shaking in my boots by now.

Not shy on gumption (read testosterone, read cojones), we decided to enter the hacking world, albeit in a friendly manner. The following are excerpts from one of our internal reports. The names, locations and MOs have been left out or altered to protect the innocent.

We performed some network security penetration testing at a hotel providing high-speed Internet access. The scope of this analysis was targeted specifically at those facilities. The corporate network facilities were not directly targeted in this audit. Some specific testing procedures were also avoided due to their disruptive nature. The audit was done from two perspectives: from inside the hotel (as a guest) and from outside the hotel (as a hacker).

Inside Penetration Test Results

Free Internet Access/Risk Factor: HIGH
Within 10 minutes of entering the room, we were able to obtain free Internet access. In addition, testing revealed that we could identify whether other guests had purchased Internet access within the last 24 hours. This gave us the ability to assume the network identity of the other guest, using their paid access for ourselves.

Monitoring Internet Usage of Guests/Risk Factor: HIGH
We were able to identify other guests who were actively using the high-speed Internet system. We were able to re-route their Internet traffic to go over our own computer. This would allow us to monitor all of that guest’s Internet activities. This attack could garner personal information such as credit cards, passwords, e-mail, Web sites visited, and more.

Denial of Service/Risk Factor: MEDIUM
Testing revealed a malicious guest could cause severe network interruptions, rendering high-speed Internet unusable for all guests. Some of these attacks would be capable of affecting the hotel’s corporate network facilities.

Offsite Penetration Test Results

Network Topology Discovery/Risk Factor: MEDIUM
By utilizing a number of freely available scanning programs, it was possible to discover the topology of the hotel’s network(s). Testing revealed the hotel’s high-speed Internet network as well as their corporate network plus two other completely separate companies’ networks. Further scanning revealed several network routers, at least three Aironet wireless LAN routers, at least two firewalls, several Windows NT computers and several network switches. This information can potentially aid attackers in finding weaknesses in the network. An attacker may choose to focus the attack on a single point in the network.

Cisco SNMP Write Community Strings/Risk Factor: HIGH
Testing revealed that most of the Cisco equipment installed on this network has Simple Network Management Protocol (SNMP) enabled for remote administration. Community strings act like passwords to allow remote updates using SNMP. In this hotel’s case, the password was left at the commonly known default setting. This would allow for easy sniffing and monitoring of both the high-speed Internet and the hotel’s corporate networks by reconfiguring SNMP-enabled devices.

Cisco Web-enabled Management of Devices/Risk Factor: MEDIUM
Testing revealed many of the installed Cisco devices on the network have remote, Web-based management utilities enabled. None of the Web-enabled Cisco equipment was determined to have any default passwords installed. This would allow an attacker to obtain administrator passwords from which they could sniff or monitor activity by reprogramming the network devices.

Access to One Other Company/Risk Factor: HIGH
Testing revealed the presence of a high-speed services device used by one of the other companies mentioned earlier. This equipment had TELNET administrative services, which allow engineers remote access with a user login screen. The username field was already populated, presumably from previous access attempts. There was no password beyond the user name. This access would allow one to reprogram the network to allow unauthorized access to the high-speed services.

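
A defender can catch the three management-plane findings above (default SNMP community strings, Web-based management left on, Telnet without a password) by reviewing saved device configurations. The following is an added example, not part of the original report: it assumes Cisco IOS-style configuration syntax for every device, and the sample configuration and the `audit_config` name are constructed for illustration.

```python
import re

# Assumption: "public" and "private" are the widely documented default SNMP
# community strings; the article does not name the string it found.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample in Cisco IOS syntax, not taken from the audited hotel.
SAMPLE_CONFIG = """\
hostname hsia-core-sw1
snmp-server community private RW
snmp-server community n0c-r3ad RO 10
ip http server
line vty 0 4
 no login
 transport input telnet
line con 0
 login
"""

def audit_config(text):
    """Return (severity, message) findings for one device configuration."""
    findings, vty = [], None

    def flush():  # report the vty block just parsed, if it is exposed
        if vty and vty["telnet"] and vty["nologin"]:
            findings.append(("HIGH", f"line vty {vty['range']}: Telnet accepted with no login"))

    for raw in text.splitlines() + ["end"]:
        line = raw.strip()
        if raw[:1] != " ":  # a top-level command closes any open line block
            flush()
            vty = None
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line, re.I)
        if m:
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH" if mode == "RW" else "MEDIUM",
                                 f"default SNMP community '{name}' ({mode})"))
            elif mode == "RW" and acl is None:
                findings.append(("MEDIUM", f"SNMP write community '{name}' has no ACL"))
        elif line == "ip http server":
            findings.append(("MEDIUM", "web-based management (ip http server) enabled"))
        elif line.startswith("line vty "):
            vty = {"range": line[9:], "telnet": False, "nologin": False}
        elif vty and line == "no login":
            vty["nologin"] = True
        elif vty and line.startswith("transport input "):
            vty["telnet"] = bool({"telnet", "all"} & set(line.split()[2:]))
    return findings
```

Only an explicit `transport input telnet` or `all` is flagged; a device whose default transport already includes Telnet needs that default checked separately.
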
The hospitality industry will soon be hit with another wave of high-speed Internet access vendors touting that they have solved all of the previous problems. These new providers will be bringing content, like streaming video, with high-speed access to make it more attractive to guests and hopefully drive more revenue. However, the problems they think they will have addressed will be things like their own financing (staying power), marketing, take rates, deployment, ease-of-use and in-room equipment. Because the lack of security on these systems has not become headline news to date, they will not have addressed it.

If you are in the majority of hotels that have yet to install the high-speed stuff, when you plan to do so, enlist the aid of a specialized security analyst to help you protect your hotel from significant liability. If you already have the stuff installed, run, don’t walk, to get yourself an audit of your system to see just how vulnerable you are.

There is a Fortune 100 company that has a training facility/hotel that they also rent out to other companies. The facility is loaded with computers in public spaces that have access to the Internet. For the ease of their own corporate users, direct connections to the company’s Intranet are set up in a menu format with just a default password in the way. Now, what would happen if one of their competitors happened by one day and sat down at a terminal?

Or, try this thought out. Your high-speed Internet network is connected to your PMS for billing purposes. Or, your hotel administrative network is tied into the high-speed network for Internet access. Now, follow the path:

  • Guest room (or outside hacker) to high-speed network
  • High-speed network to PMS
  • PMS to back office accounting
  • PMS to reservations
  • Reservations to central reservations system
  • Back office accounting to management company network
  • Admin network to management company network

With just a little imagination, the honest person can see some real havoc being raised here. Can you imagine what a malicious person can see? KA-CHING!
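
The chain above can be checked mechanically when planning segmentation. This added example (not part of the original article) models the listed links as a directed graph, finds everything reachable from a guest room, and shows how exposure shrinks when specific links are cut; the function names are hypothetical.

```python
from collections import deque

# Links transcribed from the article's list; the high-speed-to-admin link comes
# from the sentence before the list ("tied into the high-speed network").
LINKS = [
    ("guest room", "high-speed network"),
    ("high-speed network", "PMS"),
    ("high-speed network", "admin network"),
    ("PMS", "back office accounting"),
    ("PMS", "reservations"),
    ("reservations", "central reservations system"),
    ("back office accounting", "management company network"),
    ("admin network", "management company network"),
]

def reachable(links, start):
    """Breadth-first search: map each reachable system to the shortest hop path."""
    adjacency = {}
    for src, dst in links:
        adjacency.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def exposure_after_cut(links, start, cut):
    """Systems still reachable from start once the links in `cut` are removed."""
    kept = [link for link in links if link not in cut]
    return set(reachable(kept, start)) - {start}

if __name__ == "__main__":
    for system, path in reachable(LINKS, "guest room").items():
        print(" -> ".join(path))
    both = [("high-speed network", "PMS"), ("high-speed network", "admin network")]
    print("after isolating guest access:", exposure_after_cut(LINKS, "guest room", both))
```

Cutting only the billing link to the PMS still leaves the management company network reachable through the admin network, so both links have to be addressed.
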

Seth Leonard and Dan Phillips both work for ITS, Inc., an independent consulting firm specializing in the technology and hospitality industries. When they are not hacking into systems, they can be reached at (770) 569-5880, or at dphillips@its-services.com.

1 By Will Knight, ZDNet, “One in three U.K. companies have been hacked”
2 By Tom Hays, Associated Press writer, “Hacker Uses Forbes List to Steal”
3 By Kevin Poulsen, SecurityFocus News, “War driving by the Bay”
4 By Robert Lemos, Special to CNET News.com, “Curiosity kills network at security confab”
