> These hackers, however, were good guys: IT consultants who were frustrated with their hospitality clients’ lax approach to security. To demonstrate the industry’s weaknesses, their leader arranged for a reporter to tag along on an audit of one of his clients’ hotels. The conditions: The hackers wouldn’t break into the personal devices of hotel guests, and neither the hotel, the city, nor the hackers could be named.
This paragraph could really use more clarity. I can't tell if these guys are authorized pen testers for the hotels, or if they're consultants for other parts of the IT stack who are doing this as gray hats.
The ambiguity you point out is almost certainly intentional, and reflects well on the reporter. If you were able to identify the details of the hackers' employment, the hotel in question could almost certainly identify their names and employer which would probably not go well for the hackers. There is a reason why journalists protect their sources.
I believe it. I was at a "boutique" hotel in Paris, where the whole room was controlled by an iPad. There were still some switches but some control required an iPad.
(to light up the bathroom seemed to require the ipad.. it was frosted glass, but still..)
The software seemed to have some issues (gentle wakeup was turning the room lights on full, the TV on with a loud voice counting down from 100...).
Sometimes you just want a light switch.
My experience when working with companies installing wifi-enabled power monitors is that you want that stuff on a separate network from anything connected to payments. Most places insist on that for PCI compliance.
I disagree - well designed smart devices (of which there are vanishingly few) are definitely worthwhile. The big feature is interop - I can script my lights, and I can drive them via my phone or a switch. It's been a huge quality of life increase IMO
I read that example on a forum thread about the GE lights:
"""
I have Philips Hue; it's brilliant. Have set up themes for Simulated daylight, Warm, Evening, Reading, Cinema and Nighttime (1 dim red light on each floor). Certain themes are timing-based, so on a schoolday the 'warm' theme gradually brightens to wake the kids up at 6:30am and get us ready for the day. If it's a miserable day and I need to work at home, Simulated Daylight does the trick. After dinner the Evening theme kicks in with some soft colours, and at midnight the Nighttime theme comes on. Cinema turns off all lights except the TV Ambilight plus a dim red light in each room (so people can move around the house without turning lights on and disturbing the film watchers). The physical lightswitch in each room still works to turn lights on and off if I want to do it old school.
Smart is what smart does. Where I see added value in a smart system, I buy it. If I don't see value, I don't buy it.
"""
I recently stayed at a hotel (part of a national chain of business hotels, not a mom-and-pop roadside motel), and the front desk clerk pushed his keyboard forward to write something down for me, then stepped away to the back room with the paper he was writing on.
Beneath the keyboard, taped to the counter was a sheet of paper that not only had their internal Wifi password, but also a username for the POS system and an admin username that said "Admin login, emergency only!!!!!"
I pointed it out to the clerk when he returned, and he sort of laughed and said "I hope you didn't write that down!"
Additionally, the reporter went out of his way to say that the hackers promised to only target the hotel itself, but then goes on to describe how when it wasn't working, they ended up impersonating the Wifi and doing deauth attacks on guest devices to force them to use the fake wifi...
I can understand that the hackers were frustrated that their attempts didn't work out, but then they targeted guest devices because they were embarrassed. The reporter should have put a stop to it.
"Professional security consultants unable to hack hotel" is actually more interesting. I can see why the cybersec team didn't want to be named, the whole thing sounds more or less humiliating - despite standing on ironing boards to Bourne Supremacy the hotel, in the end they resort to WiFi spoofing which is pretty much the average freshman in every high school in America these days. Embarrassing.
Bloomberg is a great company, but I do agree that there’s something wrong with their investigative journalism. For a firm that has such high reputation and trust in the industry, they are really sloppy in a few areas.