Paul McLellan
BlackHat: Hacking a Capsule Hotel—Ghost in the Bedrooms

18 Aug 2021 • 6 minute read

Security conferences always seem to have at least one interesting presentation that tells a fascinating story, albeit with a serious underlying security message. Here are three from the last few years (and this post is another one).

  • RSAC: Motherhood and Apple Pie...and Breaking into a Prison – A security researcher has his mother pen test a prison posing as a health inspector
  • Some Real Russian Hacking – A TV station has a couple of security researchers own one of its producers at a hotel in Moscow
  • RSAC: Hacking a Solar Power Controller—And Pretending to Generate a Gigawatt – A security researcher is bored during lockdown so hacks his neighbor's new solar installation

The presentation was by Kya Supa (a pseudonym) who is a security consultant at LEXFO. He titled his talk Hacking a Capsule Hotel—Ghost in the Bedrooms. He was on vacation in a country he left unnamed but I'm pretty sure was Japan. I assume you know what a capsule hotel is, one with teeny bedrooms. There are some photos at the end which are screenshots from the video he showed, and you can see three bedrooms there.

The key thing about this hotel, and many others, is that you can control many features of the room using an iPod Touch: you can change the shape of the adjustable bed, control the room light, turn ventilation on and off, and so on. Of course, as a security researcher, he immediately started to wonder about security. But he was on vacation in a foreign country and didn't have all his equipment with him, so while he liked the idea of investigating, he hesitated to get engrossed in it. Then he met Bob. Bob was in the next room making very loud phone calls at 2:00am. He asked him the next morning to be quieter, but he was not. So he decided to see if he could make the world a better place by giving Bob an unpleasant experience.

He started to investigate the equipment in the room. First he found a Nasnos CS8020-B, some sort of controller for the electric curtains, light dimmer, and so on. The bed contained a Deltadrive DS2 motor that made it adjustable, perhaps wirelessly connected to the Nasnos. There turned out to be a Nasnos CS8700 router in each room that presumably communicated with the other controller over Wi-Fi and allowed the room to be controlled from iOS or Android. It was actually hidden in the walls, but he found it with a Wi-Fi scan. He had a photo of the router "taken from the internet, I didn't tear down the wall!"

He took a look at the iPod Touch that allowed you to control the room. It was running an application that you could not exit. If you triple-tapped the home button, it asked for a passcode to exit, which of course he didn't know. This is called "guided access": the device can only run a single application, and you cannot get out to the home screen. But guided access is configured at run-time, so it is not active after the device has been turned off. Of course, you can't reboot the device without leaving the app. But what if you drain the battery, and then reboot after connecting it back to a power supply?

That got him to a screen where he could see the device settings. There were two Wi-Fi networks, an enterprise one and the Nasnos. The Nasnos one was protected with WEP, "which has been known to be insecure since 2001, it's crazy that it is still in use in 2021, so this is what we will do."

He did a Wi-Fi scan and found a total of 119 Nasnos access points. Each SSID was based on the last bytes of the BSSID, and the authentication mode was open. He didn't have a lot of equipment with him, just two Wi-Fi cards that did not support injection, so he needed to find another way to generate a lot of data.

Now that he had a key, he could investigate what data was sent to do what. He set up an access point for his iPod Touch, configured the iPod to use his laptop as its gateway, and configured the laptop as a router, so every packet sent by the iPod Touch passed through his laptop. That let him analyze the ports and packet contents. There was no authentication and no encryption. He could now control his bedroom from his laptop by crafting packets with the data required to, say, turn off the light.

That didn't, however, allow him to control other bedrooms. Searching the internet, he still could not find how the key was generated, so he could not reverse engineer it. But he did find another vulnerability: the Nasnos router accepts packets on UDP port 988 for remote configuration, giving him read/write access to the router configuration.
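A management plane that accepts unauthenticated read/write configuration cannot be fixed from the network side, but it can be watched. The following Python is an added example for this post, not code from the talk, from LEXFO, or from Nasnos: it runs a simple detection over constructed flow records and alerts when any host other than the designated management host sends UDP traffic to the controllers' configuration port. The port number 988 comes from the talk; the subnet, the management host address, and the flow records themselves are assumptions constructed for the illustration.

```python
"""Alert on remote-configuration traffic to room controllers from unexpected hosts.

Added illustration for this post, not from the talk. The only fact taken
from the talk is that the routers accept configuration on UDP port 988
without authentication; addressing and flow records are constructed.
"""
from ipaddress import ip_address, ip_network

CONFIG_PORT = 988          # from the talk: unauthenticated remote configuration
PROTO_UDP = "UDP"

# Assumed addressing for this example only.
CONTROLLER_NET = ip_network("10.20.0.0/24")     # where the room routers live
MANAGEMENT_HOSTS = {ip_address("10.0.0.5")}      # the only host allowed to configure them

# Constructed flow records: timestamp, src, dst, proto, dst_port, bytes.
SAMPLE_FLOWS = """\
2021-08-10T02:01:12Z 10.0.0.5 10.20.0.17 UDP 988 96
2021-08-10T02:03:40Z 10.20.0.201 10.20.0.17 UDP 5000 40
2021-08-10T02:05:03Z 10.20.0.201 10.20.0.17 UDP 988 128
2021-08-10T02:05:04Z 10.20.0.201 10.20.0.18 UDP 988 128
2021-08-10T02:05:05Z 10.20.0.201 10.20.0.19 UDP 988 128
2021-08-10T02:06:30Z 10.0.0.5 10.20.0.20 TCP 22 512
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def is_unexpected_config(flow):
    """True when a non-management host talks to a controller's config port."""
    return (flow["proto"] == PROTO_UDP
            and flow["dport"] == CONFIG_PORT
            and flow["dst"] in CONTROLLER_NET
            and flow["src"] not in MANAGEMENT_HOSTS)


def detect(flow_text):
    """Return one alert per offending source, listing the controllers it touched.

    A single source reaching several controllers in quick succession is the
    pattern worth escalating: it is what room-by-room reconfiguration looks like.
    """
    hits = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_unexpected_config(flow):
            hits.setdefault(str(flow["src"]), []).append(str(flow["dst"]))
    return [{"src": src, "controllers": sorted(set(dsts)), "count": len(dsts)}
            for src, dsts in sorted(hits.items())]


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(f"ALERT: {alert['src']} sent {alert['count']} config packets "
              f"to controllers {', '.join(alert['controllers'])}")
```

The rule deliberately ignores the legitimate management host and any other port, so the constructed sample yields a single alert for the one guest-side address that touched three controllers in three seconds. In a real deployment the same logic would sit on a flow collector or span port, and the management-host allow list would be the only site-specific input.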

At this point, he went to another city to continue his vacation. Later, he returned to the same capsule hotel. Of course he was assigned a new room. It turned out that the key differed between the two rooms only in the last four characters, so there were just 65,536 possibilities. He could simply search them all by leaving his laptop running all night. That gave him access to all the bedrooms.
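The lesson in that paragraph is that a key is only as strong as the part of it that actually varies. The following Python is an added example for this post, not code from the talk or from any vendor: given a batch of keys issued by the same generator, it finds the positions that never change and reports the effective search space, which is what an auditor reviewing a device's key provisioning would want to measure. The sample keys are constructed for the illustration (26 hex digits, the length of a 104-bit WEP key) and differ only in their last four digits, mirroring the weakness described in the talk; the 64-bit "weak" threshold is an assumption chosen for the example.

```python
"""Audit a batch of issued keys for positions that never vary.

Added illustration, not code from the talk. The talk reports that two
rooms' keys differed only in their last four hex characters, leaving
16**4 = 65,536 candidates; this script measures that kind of weakness
from a sample of issued keys. All keys below are constructed.
"""
from math import log2

HEX_DIGITS = 16
WEAK_THRESHOLD_BITS = 64   # assumption for this example, not from the talk

# Constructed sample: six keys sharing a 22-digit prefix, varying only in
# the last four hex digits. Not real keys from any hotel or device.
SAMPLE_KEYS = [
    "a1b2c3d4e5f60718293a4b" + suffix
    for suffix in ("0001", "1f3c", "2a90", "7e7e", "beef", "ffff")
]


def varying_positions(keys):
    """Return the indices at which at least two of the keys differ."""
    if not keys:
        return []
    length = len(keys[0])
    if any(len(k) != length for k in keys):
        raise ValueError("all keys must have the same length")
    return [i for i in range(length) if len({k[i] for k in keys}) > 1]


def effective_search_space(keys):
    """Number of candidates someone holding one key must try for another.

    Assumes (labelled assumption) that positions fixed across the sample
    stay fixed for unseen keys and that varying positions range over all
    sixteen hex digits.
    """
    return HEX_DIGITS ** len(varying_positions(keys))


def key_audit(keys):
    """Summarise nominal vs. effective key strength for a batch of keys."""
    varying = varying_positions(keys)
    length = len(keys[0]) if keys else 0
    nominal_bits = length * log2(HEX_DIGITS)       # what the key length promises
    effective_bits = len(varying) * log2(HEX_DIGITS)  # what the generator delivers
    return {
        "key_length_hex": length,
        "varying_positions": varying,
        "fixed_positions": length - len(varying),
        "nominal_bits": nominal_bits,
        "effective_bits": effective_bits,
        "search_space": effective_search_space(keys),
        "weak": effective_bits < WEAK_THRESHOLD_BITS,
    }


if __name__ == "__main__":
    for field, value in key_audit(SAMPLE_KEYS).items():
        print(f"{field}: {value}")
```

On the constructed sample the audit reports 104 nominal bits but only 16 effective bits, a search space of 65,536, and flags the batch as weak. The same check applies to any provisioned secret (room keys, device passwords, API tokens): if a handful of issued values share most of their characters, the generator, not the key length, sets the real strength.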

Here are a few screenshots from his video. In the first pic on the left, he has turned the light off in the room on the right. In the middle, he has turned the middle room's bed from a sofa to a lie-flat bed (you can see the pillows are up in the other two photos) and finally on the right he could turn the light on and off in the leftmost room. In the top right is his laptop screen controlling everything.

It turned out that Bob was still at the hotel when Kya returned. Everyone staying in the hotel was out during the day, so he could experiment to identify which was his room. Then every two hours during the night he would turn the lights on or off, turn the bed into a sofa, and so on. Bob would have thought there was a ghost in his room. Of course, this was done with a script, so Kya did not need to wake up every two hours.

Summary

As you can see, he could take control of all the rooms in the capsule hotel due to six vulnerabilities:

  • Guided Access bypass (run the battery down)
  • Usage of the known-insecure WEP Wi-Fi protocol
  • Simple Wi-Fi UART interface with default credentials
  • Nasnos service accessible without any authentication
  • Read/write access to the simple UART router configuration
  • Non-random keys (only the last 4 characters vary)

He told both the hotel and Nasnos. The hotel took it seriously and the problems have been fixed with a new architecture. He received no answer from Nasnos. Oh, and he changed some important details for this BlackHat presentation. It didn't work precisely like this.
