
Hotel Hackers Are Hiding in the Remote Control Curtains - laurex
https://www.bloomberg.com/news/features/2019-06-26/the-hotel-hackers-are-hiding-in-the-remote-control-curtains
======
kingbirdy
> These hackers, however, were good guys: IT consultants who were frustrated
> with their hospitality clients’ lax approach to security. To demonstrate the
> industry’s weaknesses, their leader arranged for a reporter to tag along on
> an audit of one of his clients’ hotels. The conditions: The hackers wouldn’t
> break into the personal devices of hotel guests, and neither the hotel, the
> city, nor the hackers could be named.

This paragraph could really use more clarity. I can't tell if these guys are
authorized pen testers for the hotels, or if they're consultants for other
parts of the IT stack who are doing this as gray hats.

~~~
yodon
The ambiguity you point out is almost certainly intentional, and reflects well
on the reporter. If you were able to identify the details of the hackers'
employment, the hotel in question could almost certainly identify their names
and employer which would probably not go well for the hackers. There is a
reason why journalists protect their sources.

------
acomjean
I believe it. I was at a "boutique" hotel in Paris, where the whole room was
controlled by an iPad. There were still some switches but some control
required an iPad. (to light up the bathroom seemed to require the iPad.. it
was frosted glass, but still..)

The software seemed to have some issues (gentle wakeup was turning the room
lights on full, the TV on with a loud voice counting down from 100...).

Sometimes you just want a light switch.

My experience when working with companies installing wifi-enabled power
monitors is you want that stuff on a separate network from anything connected
to payments. Most places insist on that for PCI compliance.

~~~
ccvannorman
Smart devices on simple features make them worse, not better.

~~~
maccard
I disagree - well designed smart devices (of which there are vanishingly few)
are definitely worthwhile. The big feature is interop - I can script my
lights, and I can drive them via my phone or a switch. It's been a huge
quality of life increase IMO

~~~
baud147258
I read that example on a forum thread about the GE lights:

""" I have Philips Hue; it's brilliant. Have set up themes for Simulated
daylight, Warm, Evening, Reading, Cinema and Nighttime (1 dim red light on
each floor). Certain themes are timing-based, so on a schoolday the 'warm'
theme gradually brightens to wake the kids up at 6:30am and get us ready for
the day. If it's a miserable day and I need to work at home, Simulated
Daylight does the trick. After dinner the Evening theme kicks in with some
soft colours, and at midnight the Nighttime theme comes on. Cinema turns off
all lights except the TV Ambilight plus a dim red light in each room (so
people can move around the house without turning lights on and disturbing the
film watchers). The physical lightswitch in each room still works to turn
lights on and off if I want to do it old school.

Smart is what smart does. Where I see added value in a smart system, I buy it.
If I don't see value, I don't buy it. """

------
Johnny555
I recently stayed at a hotel (part of a national chain of business hotels, not
a mom-and-pop roadside motel), and the front desk clerk pushed his keyboard
forward to write something down for me, then stepped away to the back room
with the paper he was writing on.

Beneath the keyboard, taped to the counter was a sheet of paper that not only
had their internal Wifi password, but also a username for the POS system and
an _admin_ username that said "Admin login, emergency only!!!!!"

I pointed it out to the clerk when he returned, and he sort of laughed and
said "I hope you didn't write that down!"

------
empath75
Except, they're not? These guys never got into the network. What a weird
headline.

~~~
deftnerd
Additionally, the reporter went out of his way to say that the hackers
promised to only target the hotel itself, but then goes on to describe how
when it wasn't working, they ended up impersonating the Wifi and doing deauth
attacks on guest devices to force them to use the fake wifi...

I can understand that the hackers were frustrated that their attempts didn't
work out, but then they targeted guest devices because they were embarrassed.
The reporter should have put a stop to it.

~~~
sprite
What a weird article. They weren't really successful at hacking into anything.

------
ga-vu
Great! Another Bloomberg piece that uses a FUD headline talking about hacks,
but it's actually pen-testing.

This site and its press agency need to die!

~~~
mruts
Bloomberg is a great company, but I do agree that there’s something wrong with
their investigative journalism. For a firm that has such a high reputation and
trust in the industry, they are really sloppy in a few areas.

------
vesche
Clickbait, tl;dr no implants in the curtains

