United States
Easy management - our secret sauce. Watch the video tour.
WatchGuard Technologies, Inc.
WatchGuard Technologies, Inc.
ProductsPartnersSupportAbout UsHow to BuySearchProfile
 
Products  

Security Articles

Video Tutorials

WatchGuard Feeds

WatchGuard Wire

Radio Free Security

White Papers

Case Studies

Network Security Glossary

WatchGuard Wire
Improve Your Security IQ

I just made you pay my mini-bar bill (and I was really thirsty)

Dateline: Black Hat 2005, Las Vegas -- In my last post, I promised to share tales from Adam Laurie's innovative research into infrared devices.

Why study infrared insecurities? Isn't infrared old technology, outmoded by Bluetooth, WiFi networks, and radio frequencies? Nope. To a hacker, infrared (IR) has terrific potential for mischief: unnoticed yet ubiquitous, it drives devices such as TV remote controls, automobile key fobs, garage door openers, and more.

Laurie's focus on IR began when he discovered that his programmable Casio watch, which had some IR capabilities, could capture signals sent from his garage door opener, and replay them. No self-respecting hacker could resist such bait. He broke open the receiving unit on his garage door opener and discovered that the way it "knew" to respond to his IR button, and not the neighbor's, was because of a simple dip switch setting. He quickly ran a brute force test, trying every combination of dip switch settings possible to see what effect they had.

Inspired by early results, Laurie moved on to studying IR automobile key fobs. His experiments there culminated when he drove to a car dealership "in the middle of nowhere, in the middle of the night." He believed he had found a factory reset command, and he wanted to try sending an IR command he had carefully programmed. Laurie comments, "At nighttime, it's actually a scary sound to hear 50 cars unlock at once."

On to television remote controls. He discovered that hotel television systems present a unique hacking opportunity. Manufacturers of such systems typically load them with tons of capabilities, but unlock only the abilities that the hotel chain pays for. The code is still present in the system, but users remain unaware of it because the code presents no user interface. The TV in each room also receives all television channels, but filters them to present only one at a time to the user. Armed with his unusual understanding of IR and network architecture, Laurie eventually defeated all the filtering.

He found that at some hotels, the staff carries special remotes used for housekeeping and accounting. For example, a maid can finish cleaning the room, then use a remote to set the room's system status to "Cleaned and available." Users also update their billing through the TV in some hotels. That means a hacker of Laurie's skill, using a remote control alone in a hotel room, can:

  • Shift all the billing for mini-bar and pay-per-view movies from his room, to another guest's room
  • Set the system so no one at the hotel can receive any TV except pornographic channels
  • Wake up the entire hotel at 4:30 a.m. by making every room's television turn on
  • Spy on other hotel guests' Internet activities when they use the television's cable connection to access the Web or send e-mails
  • Find the names of all guests staying at a hotel and learn what they viewed, ate, where they called, and how long they stayed

Further, Laurie found that most such systems are cobbled together and have little or no master logging. A determined hacker could get away with murder -- perhaps literally. He could leave a dead body in his room, set the room's system status to "Do Not Disturb," and get at least a full day's head start on his escape.

IR systems have no security built in, except "security by obscurity." Users hold devices in their hands that can drive an entire network. The system administrators simply hope the users never figure out what power they have. Please tell me there is no analogy between IR and how you run your computer network. -- Scott Pinzon, CISSP, live from Las Vegas

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.