A researcher was able to remotely control the lights, bed & ventilation in “smart” hotel rooms via Nasnos vulnerabilities.
This has been one takeaway from the Black Hat Las Vegas 2021 event this week in the US.
LAS VEGAS – A series of vulnerabilities in internet of things (IoT) devices often found in connected hotel rooms allowed a researcher to take control of multiple rooms’ amenities & punish a loud neighbour.
An inadvertent bug hunt began when Kya Supa, security consultant at LEXFO, was traveling overseas on vacation.
He spent a few nights in a so-called “capsule hotel,” which refers to accommodations that consist of tiny rooms stacked side-by-side. In an effort to make up for space issues, these kinds of digs tend to offer a few electronic bells & whistles, & according to Supa, this particular hotel was no different.
Ghost in the Bedrooms
In a Wed. session at Black Hat 2021, “Hacking a Capsule Hotel – Ghost in the Bedrooms,” Supa explained that an iPod touch given at check-in allows customers to control their lights, change the position of their adjustable beds & control the ventilation fans.
Supa wouldn’t have looked under the bonnet of the technology allowing the room control except for the fact that a noisy neighbour prompted him to see if he could bypass any security protections to take control of other bedrooms in the hotel. It turns out that he was able to do just that using 6 different exploits that were chained together.
Phone Calls at 2am
“I met my friend ‘Bob,’” the researcher explained. “This neighbour woke me up twice during last day. He woke me up because he was making phone calls at 2am in the morning, & he was speaking really loudly. So, the 2nd night I went to see him & I asked him politely to speak more quietly. He told me ‘Yeah, sure, no problem.’ But there was no change.”
Supa went on to further travels but came back to the same hotel a few days later – & “Bob” was still there, exhibiting the same behaviour. So, the researcher decided to do a little pen testing.
Taking Stock of the Capsule
“The iPod touch comes with an application that helps to control your bedroom, & it’s connected to devices using Bluetooth or Wi-Fi,” Supa explained. “So, there must be a way to communicate with whatever is controlling the bedroom.”
An exploration of the bedroom revealed the presence of a Nasnos CS8020 remote, which can be used to control up to 5 Nasnos devices – the same ones that the iPod touch connects to. It’s used in case the iPod touch is lost or if the application doesn’t work.
Nasnos CS8700 Router
He also deduced the presence of a Nasnos CS8700 router within each room’s wall, which enables the control of the Nasnos devices over Wi-Fi, either from the iPhone touch or the remote (& potentially from Android smartphones or other iOS devices).
Armed with the knowledge of what the room’s IoT architecture looked like, he moved into the exploitation phase.
The iPod touch in this case has a single application that a hotel visitor is allowed to access, with simple buttons linking to the various “smart room” features.
“When I first tried to exit the application, I saw that it wasn’t possible,” Supa said. “I cannot exit the application or turn off the iPod touch, but when I triple-tapped on the bottom, I notice that a passcode was asked for. By searching on the internet, I found that this behaviour was due to an iOS feature called Guided Access.”
Guided Access limits a device to specific applications & allows users to control which features are available – a form of parental controls. It can be overridden with a passcode, but Supa found that the protection is only configured at run time.
Reboot the Device
“This means the protection is no longer present if we reboot the device,” he explained. “Yes, we cannot turn off the iPod…but we can still drain its battery, connect it to power afterwards & reboot the device. Once you do that, the protection is no longer present, and we can access everything – other applications & the iPod touch settings.”
In examining the iPod touch’s device settings, the researcher found that it was enrolled in a mobile device management (MDM) solution, with 2 saved Wi-Fi networks. One of these was named Nasnos-CS8700, & it was protected using only WEP – a very old encryption method that’s been crackable for nearly 20 years.
In fact, it’s quite easy to retrieve a WEP key, the researcher explained.
Rogue Access Point
Supa set up a rogue access point (AP) using his Android smartphone, connected the iPod touch to it, cached the payload, connected the iPod touch back to the Nasnos AP & executed the code. Soon he was able to retrieve the key, after which he found that the router was accessible with default credentials.
“The password starts with 123, & I will let you guess what goes after,” Supa stated.
He connected his laptop to the vulnerable AP using the credentials in order to set up a man-in-the-middle architecture to inspect traffic flowing from the router. The iPod touch connected to the rogue Android AP, while the Android AP was also connected to a Wi-Fi card in Supa’s laptop.
Meanwhile, a 2nd Wi-Fi card in the laptop was connected to the Nasnos AP, & thanks to IP forwarding, the researcher was able to observe that packets were being sent to the Nasnos router on TCP port 8000 with no authentication or encryption necessary.
“After that, I just developed a program that sends the same packets [from the laptop to the router] depending on the action needed,” he outlined. “This means we are now able to control the bedroom from a laptop. But can we control all bedrooms?”
In other words, could he mess with “Bob?”
Controlling All Capsule Bedrooms
The 1st thing Supa needed to do was figure out if the Wi-Fi key is generated dynamically or set manually.
To find out, he reverse-engineered an application from Nasnos that’s available on Google Play store. It allows users to set up the Wi-Fi configuration of a Nasnos router. In examining the app, Supa came across another vulnerability: Packets are sent to the router on UDP port 988 as part of the remote configuration service, but it doesn’t require authentication for configuring (or reconfiguring) the router.
This didn’t reveal whether the keys are static or dynamic, however. But when coming back to the capsule hotel the 2nd time, Supa was assigned a different room.
“I noticed a similarity with the Wi-Fi key of my old bedroom – only the 4 last characters seemed to change,” he explained. “If this is the case across all 119 bedrooms, this will mean there are only 65,536 possibilities, which is nothing…we can launch a dictionary attack with a file containing all the possible keys.”
Armed with a list of keys, the next step was matching the correct key to the right SSID for “Bob.”
“I used my laptop to turn on the light of each SSID’s room, and when I noticed a change in his room, I knew that it was the access point I was looking for,” Supa explained.
“I went & tried to imagine the best scenario I could for ‘Bob.’ A good one would be to create a script that every 2 words would transform the bed into a sofa and back again, turn on and off the lights and so on. Convince him there are ghosts.”
Supa found 6 different bugs:
- Guided Access bypass
- Usage of WEP
- Simple router interface with default credentials
- Nasnos service available without authentication
- Read/write access to remote configuration capability for the router
- Use of non-random AP keys
Supa stated that he contacted both Nasnos & the hotel about the weaknesses.
“The hotel was really cool & took this issue seriously,” he mentioned. “It’s now using a new architecture so it’s not possible to exploit vulnerabilities in that hotel anymore.”
However, Nasnos did not respond to his report, he revealed, so if non-random keys are used in all of its routers, many other environments are susceptible to similar exploits.
Nasnos did not immediately respond to a request for comment.