
Reverse Engineering a Mysterious UDP Stream in My Hotel - gkbrk
http://wiki.gkbrk.com/Hotel_Music.html
======
Animats
At least they play music. I once stayed in a Howard Johnsons Motor Lodge in
Pittsburgh near CMU, where, at corridor intersections, they had speakers to
generate some ambient noise to mask voices from the rooms. Most places that do
this use white noise, or water sounds. But this was Pittsburgh. They were
playing faint machinery noises - whirr, chunk, etc. At first I thought someone
had left a PA microphone open in the boiler room or something, but no, it was
deliberate.

~~~
dghughes
I'm surprised public washrooms don't play music or it seems very few do. I bet
so many people in stalls wait for someone to start the air dryer or turn on a
tap i.e. strategic pooping. It can be an embarrassing disaster with those
modern auto shutoff air hand dryers.

~~~
wting
Japan has portable, artificial white noise makers for bathroom privacy.
They're called otohime, or "sound princess."

- video:
[https://www.youtube.com/watch?v=f0eqo6jU9gc](https://www.youtube.com/watch?v=f0eqo6jU9gc)

- example gadget: [http://www.japantrendshop.com/keitai-otohime-toilet-sound-bl...](http://www.japantrendshop.com/keitai-otohime-toilet-sound-blocker-p-851.html)

- background and wall mounted examples:
[http://travel.cnn.com/tokyo/shop/sound-princess-loo-001106/](http://travel.cnn.com/tokyo/shop/sound-princess-loo-001106/)

~~~
microcolonel
Oh my god, that name is an amazing pun. Younger princess -> sound princess

~~~
arthurcolle
Can you explain this pun? Not getting it!

~~~
angrow
"otohime" is how to pronounce one of the terms of address for the second
daughter of the first Kamakura shogun. The second daughter, hence, the
"younger princess".

The Japanese word for sound is also pronounced "oto". So, a device which makes
noise to help you be discreet...

~~~
labster
Plus oto- is a Latin prefix meaning ear. Multilingual puns are the best!

~~~
lsaferite
Interesting. I wonder how Japanese and Latin both ended up using 'oto' for an
auditory related word.

~~~
labster
Not sure on that, without invoking some vague talk about universal language
mumble Chomsky mumble mumble. It could be by chance, but things like the
kiki-bouba experiment suggest that the dice are loaded, at the very least.

But things that look like cognates with Japanese do exist. Notably そう ("sou")
is pronounced the same as English "so" and means roughly the same thing, at
least in phrases like "is that so?" and "Make it so, Number One."

------
tharshan09
Can you send your own UDP packets to the elevator then?

~~~
TheGeminon
It would be possible to send packets to the elevator, but the elevator playing
them would be another issue. If there is no authentication at all (as in it
just plays all packets it receives on UDP 2046) I would imagine you would get
an interesting mix of "valid" elevator music and your own "invalid" music.

On the other hand, those first 8 bytes of the packet may be some
authentication/verification scheme which would have to be reverse engineered.
Also, it may only play UDP packets coming from 234.0.0.2:2046, which would
likely mean you would have to convince the DHCP server to assign you that
address instead of its intended host.

~~~
13of40
> convince the DHCP server

Or you could just manually configure your computer to use that address.

~~~
delinka
Or you can craft packets all day long with any source address you like and
dump them onto the network.
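
As an added example (not from the original article or any commenter), the sketch below shows the receiver-side check this sub-thread is circling: a source-address test trusts a field the sender controls, whereas a keyed tag plus a counter rejects forged and replayed datagrams. The packet layout, key and address are hypothetical and are not the hotel stream's actual 8-byte header.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                  # truncated HMAC-SHA256 tag (assumed layout)
EXPECTED_SRC = "192.0.2.10"   # constructed address from the documentation range

def seal(key: bytes, seq: int, audio: bytes) -> bytes:
    """Sender side: 8-byte big-endian counter || audio || tag."""
    body = struct.pack(">Q", seq) + audio
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def source_filter(src_ip: str) -> bool:
    """Address-only check: passes any datagram that merely claims this source."""
    return src_ip == EXPECTED_SRC

class Receiver:
    """Accepts a datagram only if its tag verifies and its counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, datagram: bytes):
        if len(datagram) < 8 + TAG_LEN:
            return None                       # too short to carry header + tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        want = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            return None                       # forged or corrupted
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return None                       # replayed, stale or reordered
        self.last_seq = seq
        return body[8:]

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"
    rx = Receiver(key)
    good = seal(key, 1, b"frame-1")
    # Constructed datagram with a well-formed layout but no knowledge of the key.
    forged = struct.pack(">Q", 2) + b"other-audio" + b"\x00" * TAG_LEN
    return {
        "good": rx.accept(good),
        "forged": rx.accept(forged),
        "replay": rx.accept(good),
        "next": rx.accept(seal(key, 2, b"frame-2")),
    }

if __name__ == "__main__":
    print(demo())
```

With a single shared group key, any device that holds the key can also produce valid packets; per-sender signatures avoid that at a higher CPU cost.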

------
janci
Now I know what to do in a hotel!

[https://www.youtube.com/watch?v=1Un_oHaf798](https://www.youtube.com/watch?v=1Un_oHaf798)

~~~
nickpsecurity
Dude that's awesome! Thanks for the link.

------
tonyedgecombe
I was in an elevator a while ago when there was a ringing followed by a voice
trying to sell PPI services (a regular source of spam in the UK). The
emergency system was just an embedded phone.

~~~
benjohnson
In the US too - the reasoning is that it's simple and should work in a power
outage as the telephone company usually can power it from the central office.
Conversely, VoIP would depend on too many technologies working well to be
reliable enough for emergency use.

~~~
superuser2
I've definitely seen elevator phones attached to the PBX with VoIP trunking,
but all the components were on battery backups.

~~~
jlgaddis
At a previous employer (large .edu), we moved to VoIP several years ago but
keep several PSTN lines -- including all of the emergency ones, such as for
the elevator. We could have moved them to VoIP as well but we figured, in a
true emergency, it was one less thing to have to worry about.

~~~
godzillabrennus
In Chicago building codes mandate elevators have a PSTN line in place.

Even luxury homes with small elevators.

~~~
hexane360
Well, I mean people have died from being stuck in their own elevators:
[http://www.cbsnews.com/news/elderly-couple-dies-trapped-in-h...](http://www.cbsnews.com/news/elderly-couple-dies-trapped-in-home-elevator/)

------
dkopi
Binwalk is a great tool for finding potential files within a given binary
stream:
[https://github.com/devttys0/binwalk](https://github.com/devttys0/binwalk) It
has an incredible list of supported file types.

~~~
jaybosamiya
Foremost is also extremely useful for the same purpose, and I've found it more
useful at least in my work during CTFs

[https://en.wikipedia.org/wiki/Foremost_%28software%29](https://en.wikipedia.org/wiki/Foremost_%28software%29)

A `sudo apt-get install foremost` works on Ubuntu to install it, IIRC

------
omash
That was just the carrier, hiding the steganographic payload.

~~~
Endy
I bet the payload is in that NES cartridge. Check the data against the NES
cart header list, or just try loading it in NESticle. That's what I would have
started with, rather than focusing on the meaningless LAME MP3 data.

~~~
kalleboo
There is no NES cartridge data. It looks like OP is using an outdated magic
file with a bug that was fixed in April
[https://fossies.org/diffs/file/5.26_vs_5.27/magic/Magdir/con...](https://fossies.org/diffs/file/5.26_vs_5.27/magic/Magdir/console-diff.html)

------
daveguy
Spoiler:

Revelation/Disappointment -- it is elevator music.

Or is it? Maybe he gave up too quick. Maybe that is how they disguise the
secret spy transmissions!

[https://en.wikipedia.org/wiki/Steganography](https://en.wikipedia.org/wiki/Steganography)

~~~
internaut
Came here to say this.

There are two modes. One for normal people. Parents, cops, investigative
journalists, government employees etc.

Then there's the mode for geeks. Then your base case should be that everybody
is Norman Bates

------
ReedJessen
This is really well written. Good length for one quick bus ride. I was on pins
and needles until the end. Great blog post.

------
mhd
You had to follow that shaggy dog a long time, but it finally led you to the
girl from Ipanema.

------
detaro
Reminds me how surprised I was when I found out that many IP phone
installations use multi-cast strictly to distribute on-hold music to all
phones, instead of the phones pulling files from a server or storing it
locally.

~~~
gvb
Two reasons:

1. Multicast is 1:N so one stream can be played on all phones. Pulling the
files from a server would be N:N so your network bandwidth would be consumed
unnecessarily due to all the phones streaming the same data. Also, the phones
are going to have limited memory so storing music locally is not going to
scale well (phone memory is a cost that gets multiplied by N phones).

2. Synchronization, especially for the elevator scenario: if the music
outside the elevator door isn't synchronized to the music inside the elevator,
it will be rather disconcerting.

BTW, I suspect the streaming audio you saw was "background music" that could
be played from the phones' speakers. "Ambiance audio" would tie in with #2
synchronization; having adjacent phones playing unsynchronized "ambiance
audio" would also be jarring.

Music on hold will be inserted by the PBX (head end), not the individual
phones. Inserting "music on hold" by the phone would mean that music would be
sent by the PBX to the phone back to the PBX and then to the "on hold" line
where having the PBX insert it involves only the link from the PBX to the "on
hold" line.

~~~
detaro
Yeah, it's efficient and easy to update. Was just surprised since applications
for multicast crossing subnet borders are fairly scarce, so I guess multicast
routing got configured just for that, and is one of these things you don't see
mentioned very often. Thanks for the details!

------
SoonDead
Excellent story, although the URL spoiled it for me, might be worth changing it
to something more vague.

~~~
slinkyavenger
It's about the journey, not the destination. But are you seriously suggesting
he change it to a clickbait URL?

~~~
brianpan
The story _is_ the journey, and there is no story without suspense. The URL is
the dust jacket- some people are going to see the URL even before the title.
No one said anything about clickbait. Any URL without the spoiler is better.

------
kw71
Next time you see a multicast stream, try playing it with vlc.

~~~
robterrell
That was my thought, too -- I would have just tried vlc and missed all the
coding fun.

~~~
Laforet
Me too. I had a friend who was convinced that he's being attacked when a
steady stream of UDP packets started reaching his router for days. Asked him
to open it in VLC and it turned out to be local news from his ISP's
misconfigured IPTV service.

------
gnicholas
A story with a decidedly less innocuous outcome:
[https://medium.com/@nicklum/my-hotel-wifi-injects-ads-does-y...](https://medium.com/@nicklum/my-hotel-wifi-injects-ads-does-yours-6356710fa180#.y3bctq5uy)

------
known
I'd start with

    tcpflow -p -C -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'

~~~
jlgaddis
cf. _ngrep_ [0]

[0]:
[https://en.wikipedia.org/wiki/Ngrep](https://en.wikipedia.org/wiki/Ngrep)

(Yes, I chose to link to Wikipedia instead of its home page on SourceForge.)

~~~
x0
Beautiful. Where has this been all my life.

------
ngcazz
As someone who doesn't really grok either Python or IP programming, I really
enjoyed how simple yet educative (and ultimately, funny) this blog post was.
Definitely will be trying this exercise the next time I end up at a hotel with
a laptop.

I wonder how hard it might be to hijack the stream to have the receivers play
your own packets.

------
Namidairo
Have you tried throwing the raw recording against SoX? Worked pretty well when
I had an unknown recording to play for which I had guessed the format. (Which
turned out to be IMA-ADPCM with reversed byte ordering)

------
nowprovision
ah damn, not a network guy but couldn't they put lifts on their own subnets
and avoid polluting the constrained airway. good read :)

------
buttershakes
It's probably a microphone hidden in his room that encodes the data
steganographically into elevator music.

More seriously, no investigation as to what happens when you try to inject
your own data?

------
deepsun
Does it drain battery of mobile devices not listening to the port?

Have you tried multicasting your own audio to the same port? That might have
been fun.

~~~
david-given
I did a bunch of multicast programming in the early days of Android, and I
discovered that:

- most Android devices back then required a special OS call to tell the
wireless chipset to listen to multicast packets at all --- otherwise they'd
just ignore them and not wake up;

- in about half the devices, this switch didn't actually work;

- in an astonishing amount of consumer routers, multicast routing doesn't
actually work;

- multicast on mobile is so, so, so not worth the effort.

I expect that multicast is way better supported these days. I would be totally
unsurprised if it were not.

~~~
indolering
> I expect that multicast is way better supported these days. I would be
> totally unsurprised if it were not.

I wouldn't be, how often is multicast really used? Coming from the broadcast
era, it seemed like a no-brainer. But the internet is built for n:n
communication. Special cases for n:1 cost more in terms of engineering effort
than would be saved in bandwidth and processing overhead.

~~~
SmellyGeekBoy
Some IPTV services in the UK use it (at least BT and TalkTalk with their
YouView packages and probably off-the-shelf YouView as well). I had a bit of a
nightmare trying to get it working with BT TV when I upgraded from their
godawful HomeHub to an ASUS router.

Pretty much every time I've upgraded my router firmware I've lost TV service
and had to reconfigure it. Apparently multicast is hard, even if you're a
networking company!

------
chris_wot
Er, if they are transmitting data to a multicast IP address, what's to stop
you doing the same?

If they haven't done a check on the IP address that they are receiving the
data from, then it would now be trivial to panic people in elevators by
recording a fake emergency broadcast.

Not just that, but what else is that hooked up to? If they are multicasting to
your IP address and your IP address isn't the lift, then you can do some IGMP
snooping to see what else there is out there. Or you could do a DoS on the
lifts to see what happens.

Of course, it might be nothing. But when I get in a lift, I'd hope this sort
of thing wasn't possible.

------
caylorme
Now just copy the headers and send some multicast audio of your own to hijack
the elevator and bathroom audio :) Could make for a good prank

------
djabatt
Great network engineering. I think we all need a set of tools that allow us to
find if we are being bugged by all the networked smart TVs, printers, VoIP
phones etc. Not to mention the Amazon Echo. I'd dig it if someone had a
Wireshark/Python app that allowed everyone to listen to what Amazon Echo was
sending to Amazon.

~~~
darpa_escapee
The hacker in me would love to see an analysis of the traffic, but the
consumer in me hopes that the Echo sends and receives encrypted data.

------
daveheq
I love knowing I get spammed with elevator music over WiFi at a hotel the
whole time.

~~~
jdblair
A relaxed computer is a happy computer.

------
gravypod
I'd love to see someone spoof those UDP multicast and play death metal or
something rather than elevator music.

------
rocky1138
Out of general interest, do you have a copy of the mp3 we could listen to? I
couldn't find one in the article.

------
cmarcond06
Is this legal? What if the media was from Hotel Cameras?

~~~
icebraining
At least around here, if it was from cameras, the hotel would be the one
committing an illegality.

~~~
Endy
You don't have an expectation of privacy in hallways and elevators.

~~~
icebraining
Yes, I know that's the US concept. Around here the view is a little less
binary, as the law recognizes a difference between being seen (or even being
filmed occasionally, by a handheld camera) and surveillance cameras, which
can be used to track your movements.

The hotel could still have them, mind you, but transmitting them in the clear
would be a clear violation of the law, which in fact specifically cites the
"transmission of the recordings over a network" as something that must be
secured.

------
KillerRAK
I applaud the effort and your curiosity. Any good tunes on that stream?
Perhaps you're working on a remix?

------
selectiveupvote
Okay, I got a good laugh out of this one and appreciate it.

------
binaryanomaly
Hehe, nice story! Congrats ;)

------
lynxaegon
haha! Best reverse engineering of elevator music ever :)

------
m00dy
Nice story

------
matiasb
It was an ex-NSA agent talking to his mom :)

------
punnerud
Do you know you are a nerd when you laugh out loud after reading this?

My girlfriend: Was that something I would also laugh at? Me: Most likely not
;)

