Subj : Hotel network security
To   : All
From : Sean Dennis
Date : Wed Jun 26 2019 10:34 am

From: https://tinyurl.com/y5qvmcoy (bloomberg.com)

===
The Hotel Hackers Are Hiding in the Remote Control Curtains

Back doors to your personal data can be found in everything from smart fish
tanks to Wi-Fi pineapples.

By Patrick Clark

Three men dressed for business travel in jeans and dress shirts loaded
backpacks into the trunk of a black coupe and wound their way through the
center of a major European city.  When they arrived at their hotel, they
unloaded their luggage and waited giddily to pass through the revolving
doors.  They were checking into the hotel to hack it.

Hackers target financial institutions because that's where the money is, and
they target retail chains because that's where people spend the money.
Hotels might be a less obvious target, but they're hacked almost as often
because of the valuable data that passes through them, like credit cards and
trade secrets.  Thieves have targeted electronic door locks to burgle rooms
and used malware attacks to log credit card swipes in real time.  They've
even used Wi-Fi to hijack hotels' internal networks in search of corporate
data.  Just about all of the industry's major players have reported
breaches, including Hilton Worldwide Holdings, InterContinental Hotels
Group, and Hyatt Hotels.

The group's leader checked in at the front desk.  One of his associates
strolled along the length of the reception area, noting that the property
used an outdated point-of-sale system, and another used a mobile app called
Fing to scan for hidden networks.  While they waited for the staff to finish
preparing their room, the hackers took coffee on a terrace.  They opened up
the hotel website's page source and, through an outdated plug-in, compiled
a list of admin usernames.

Ultimately they were looking for a door.  Sure, they could slip a thumb
drive into the neglected register at the far end of the restaurant bar and
log credit card numbers until somebody noticed the device.  But they would
rather find a way into the property management system, or PMS, which hotels
use to take reservations, issue room keys, and store credit card data.

Better still would be to do what they did at a hotel in New York City.
After plugging the internet cable from the room's smart TV into a laptop,
they got into the hotel's PMS, which led to the chain's corporate system.
Emails Bloomberg Businessweek viewed show they gained access to credit card
information for years' worth of transactions across dozens of hotels.

If they had been crooks, the team would have sold the information on the
black market, where a Visa with a high limit can go for about $20.  These
hackers, however, were good guys: IT consultants who were frustrated with
their hospitality clients' lax approach to security.  To demonstrate the
industry's weaknesses, their leader arranged for a reporter to tag along on
an audit of one of his clients' hotels.  The conditions: The hackers
wouldn't break into the personal devices of hotel guests, and neither the
hotel, the city, nor the hackers could be named.

Once they got to their room, the hackers concentrated on finding the hotel's
internal network--the one used by staff, not the one guests use to stream
pornography and FaceTime their families.  In one widely reported example,
hackers breached an internet-connected fish tank in the lobby of a Las Vegas
casino and used that foothold to reach a database of high rollers on the
property's internal network.

But this room was an older make, with a dumb TV, old phones, and a standard
minibar, equipped with Heineken and Toblerone but no internet.  Then one of
the hackers started rooting around in the window frame.  Nestled in a top
corner was an internet port, designed to let guests open and close the
curtains by remote control.

"This will be the way in," the leader said.

How much of the responsibility for guarding electronic transmissions lies
with hotels and how much with guests is "a nasty philosophical question,"
says Mike Wilkinson, global director at Trustwave SpiderLabs.  Mark Orlando,
chief technology officer for cybersecurity at Raytheon IIS, advises
corporate clients to avoid using personal devices altogether while on the
road.  That could mean requesting a loaner laptop or buying a burner phone.
Even ordinary travelers should use virtual private networks to connect to
the internet when outside the U.S., he says.

But no amount of personal digital security could have saved travelers from
the massive attack Marriott International Inc.  discovered last year.  In
early September 2018, an automated security tool flagged a suspicious query
in the reservation database for Starwood Hotels & Resorts Worldwide Inc., a
company Marriott had acquired two years earlier.  In the weeks that
followed, security investigators discovered a remote access trojan (RAT),
software that lets hackers take control of a target computer, as well as
another piece of malware that scours computer memory for usernames and
passwords.

Clues left behind by the digital trespassers suggest they made off with as
many as 383 million guest records, as well as more than 5 million
unencrypted passport numbers and more than 9 million encrypted payment
cards.  Marriott hasn't found any evidence of customer data showing up on
dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in
March.  That sounds like good news but may actually be bad.  The lack of
commercial intent indicated to security experts that the hack was carried
out by a government, which might use the data to extrapolate information
about politicians, intelligence assets, and business leaders.

"From an intelligence standpoint, there are some real advantages to
understanding where high-profile people are going to be ahead of time," says
Gates Marshall, director of cyber services at CompliancePoint Inc., whose
consulting clients include airports.  "There's a market for travel
itineraries.  It's not a commercial market, it's more of a geopolitical
one."

Sorenson has said he doesn't know who's responsible for the attack--and
likely never will.  Others have been more willing to point the finger,
including U.S. Secretary of State Mike Pompeo, who attributed the hack to
China in an interview with Fox & Friends in December.

Hospitality companies long saw technology as antithetical to the human touch
that represented good service.  The industry's admirable habit of promoting
from the bottom up means it's not uncommon to find IT executives who started
their careers toting luggage.  Former bellboys might understand how a hotel
works better than a software engineer, but that doesn't mean they understand
network architecture.

There's also a structural issue.  Companies such as Marriott and Hilton are
responsible for securing brand-wide databases that store reservations and
loyalty program information.  But the task of protecting the electronic
locks or guest Wi-Fi at an individual property falls on the investors who
own the hotels.  Many of them operate on thin margins and would rather spend
money on things their customers actually see, such as new carpeting or
state-of-the-art televisions.

The result is a messy technological ecosystem that runs on old software.
Many hotels use Opera, sold by Oracle Corp., as their PMS.  A common version
was designed for a legacy Windows operating system, and directs users to
disable security features to make the software work.  An instruction manual
for the software starts with a step-by-step guide on how to lower your
defenses: First, turn off data execution prevention, which marks memory
pages that hold data as non-executable so injected code cannot run.  Next,
deactivate user account control, so every process in the session runs with
full administrator rights and a foothold is an admin foothold.  Finally,
disable Windows Firewall.  Now you're ready to book reservations and take
credit card payments.  (Oracle's security guide advises users to "harden"
their operating systems after installation.)
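The check a practitioner would want after reading that manual: confirm on the PMS host that all three settings are actually back on, rather than trusting the "harden after installation" note.  The following is an added example written for this page, not Oracle's or the article's code.  It parses the output of three standard Windows commands (bcdedit, reg query and netsh advfirewall show allprofiles), which you run on the host and feed in as text; the sample outputs embedded below are constructed to show the weakened state the install guide produces, and the hotel host they describe is fictitious.

```python
import re

# Constructed sample output (not captured from any real hotel system) showing the
# state the install guide leaves a host in: DEP off, UAC off, every firewall
# profile off.  Collect the real text on the PMS host with:
#   bcdedit /enum {current}
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
#   netsh advfirewall show allprofiles
BCDEDIT_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server
nx                      AlwaysOff
"""

REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
"""

NETSH_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
Ok.
"""


def dep_policy(bcdedit_text):
    """Return the boot-time DEP policy: OptIn, OptOut, AlwaysOn or AlwaysOff.
    bcdedit lists 'nx' only once it has been set explicitly; when the line is
    absent the Windows default, OptIn, applies."""
    m = re.search(r"^nx\s+(\S+)", bcdedit_text, re.MULTILINE)
    return m.group(1) if m else "OptIn"


def uac_enabled(reg_text):
    """True when EnableLUA is non-zero, i.e. UAC is on."""
    m = re.search(r"EnableLUA\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_text)
    if not m:
        raise ValueError("EnableLUA value not present in reg query output")
    return int(m.group(1), 16) != 0


def firewall_profiles(netsh_text):
    """Map each firewall profile (Domain/Private/Public) to True if its State is ON."""
    profiles, current = {}, None
    for line in netsh_text.splitlines():
        head = re.match(r"^(\w+) Profile Settings:", line)
        if head:
            current = head.group(1)
            continue
        state = re.match(r"^State\s+(ON|OFF)\s*$", line)
        if state and current:
            profiles[current] = state.group(1) == "ON"
    return profiles


def audit(bcdedit_text, reg_text, netsh_text):
    """One finding per setting still in the weakened state, with the command that restores it."""
    findings = []
    dep = dep_policy(bcdedit_text)
    if dep == "AlwaysOff":
        findings.append("DEP is AlwaysOff; restore with: bcdedit /set nx OptOut (then reboot)")
    elif dep == "OptIn":
        findings.append("DEP is OptIn, which covers only Windows binaries; prefer: bcdedit /set nx OptOut")
    if not uac_enabled(reg_text):
        findings.append("UAC is disabled (EnableLUA=0); set EnableLUA to 1 and reboot")
    for name, on in firewall_profiles(netsh_text).items():
        if not on:
            findings.append(f"Windows Firewall {name} profile is OFF; enable with: "
                            f"netsh advfirewall set {name.lower()}profile state on")
    return findings


if __name__ == "__main__":
    for finding in audit(BCDEDIT_OUTPUT, REG_OUTPUT, NETSH_OUTPUT):
        print("FAIL:", finding)
```

Run against the constructed output it reports five failures (DEP, UAC, and three firewall profiles); against a host where nx is OptOut or AlwaysOn, EnableLUA is 1 and every profile is ON it returns an empty list.  Treat OptIn as a finding too: it protects Windows' own binaries but not the PMS process the install guide was written for.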

Even worse, many hotels put their PMS online, letting hackers break in from
thousands of miles away.  Joshua Motta, CEO of cyber insurer Coalition Inc.,
searched the public internet for the admin page used to support Opera online
and found 1,300 instances of the application reachable from anywhere, from
Newfoundland to the Maldives.  "All of a sudden your system is only as
secure as a username and password," Motta says, "which hackers have
repeatedly shown isn't terribly effective."

"Customers are encouraged to
upgrade their systems and software to the most recent version to provide the
highest level of security measures available," says Oracle spokeswoman
Deborah Hellinger.

While hotels are struggling with basic cybersecurity, they're building
massive databases of personal behavior.  One of the ironies of the Marriott
breach is that the company acquired Starwood because Sorenson thought adding
its popular loyalty program and fancy hotels would give him a moat against
digital middlemen, who seek to collect fees for helping travelers find hotel
rooms.  Marriott's new heft would give customers more incentive to book
directly with the company, cutting out Expedia, Booking.com, and other
online travel agencies, as well as advertising giants Google and Facebook.

At some properties, hotel brands are already collecting data on what
temperature you like your room and how you like your eggs, betting that
knowing that stuff can translate into better service.  Other kinds of
customer data--the annual conferences you attend or the date of your wedding
anniversary--are largely untapped marketing opportunities.  Some companies
are also experimenting with putting voice assistants in their rooms or using
facial recognition to streamline check-in.  Privacy issues abound, but even
more mundane advances are fraught with trade-offs between convenience and
security.  It's increasingly common for travelers to check in to a hotel
from a mobile app, bypass the front desk, and get into their room by using
their phone as an electronic key.

In an interview in June, Sorenson said that the hack had forced his company
to take a harder look at how it manages cybersecurity, adopting forensic
tools that it used in the wake of discovering the breach as part of its
daily security hygiene.  He also argued that privacy issues are manageable.

"The information that we want and you may want us to have, that allows us to
better serve you, is often not that sensitive," he said.  "The fact that you
like feather pillows, or a low floor, or a high floor.  Now it is personal.
But we're not collecting information about which man or woman you show up in
our hotel with and whether one's a spouse and one's not."

The internet-connected drapery hadn't led the hackers into the hotel PMS,
but it did set the team on a frenzied search for other connections.  One
hacker dragged a chair into the vestibule and balanced on the arms, the
better to lift a mahogany ceiling panel.  Another found an internet port in
the ceiling of the walk-in closet.  Only one problem: No one had brought a
10-foot cord.

"We should call housekeeping and ask for a ladder," one of them said.
"We're trying to hack into your network," he joked.  "Can I have a ladder?
Of course, sir.  Is there anything else I can do for you?" Instead, they
balanced an ironing board on an ottoman, rested a laptop on top of it all,
and plugged in, using a network scanner tool to search for IP addresses that
looked as if they could be hosting the PMS.

While they waited to find a signal, they took stock of the failures and
successes of the hotel's defenses.  All things told, the security was better
than the team expected, but it was still disconcertingly porous given the
presumption of safety most guests think they have inside a hotel.  If they
were actually trying to breach the network, they would have tried to crack
the hotel staff's accounts to try to take control of the hotel website.  At
a minimum, it would have let them collect credit card info from every new
booking.  Before they'd checked in to their room, the leader had used his
phone's hotspot to create a new Wi-Fi network, naming it after the hotel.
Within minutes, six devices had joined his spoofed network, exposing their
internet activity to the hackers.  (If he really wanted to go after guests,
he would have used a device called a Wi-Fi pineapple to automate the
process.)
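The spoofed network above worked because client devices join by SSID name alone.  The detection a hotel's wireless team (or a careful guest) would want is to compare every beacon carrying the hotel's name against what the hotel actually operates.  The following is an added example written for this page, not the audit team's tooling; the SSID, the hotel's security type and the access-point OUIs are assumptions, and the scan results are constructed rather than captured from any hotel.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """One beacon from a Wi-Fi scan, as a scanner such as `iw dev wlan0 scan`
    or `netsh wlan show networks mode=bssid` would report it."""
    ssid: str
    bssid: str      # AP MAC address; the first three octets are the vendor OUI
    channel: int
    security: str   # "OPEN", "WPA2-PSK", "WPA2-ENT", ...


# Assumptions, all constructed for this example: the hotel's real SSID, the
# security it uses, and the OUIs of its managed access points.  In practice
# these come from the hotel's wireless controller inventory.
HOTEL_SSID = "GrandHotel-Guest"
HOTEL_BRAND = "GrandHotel"
HOTEL_SECURITY = "WPA2-PSK"
HOTEL_AP_OUIS = {"00:11:22", "00:11:23"}

# Constructed scan: two real APs, a phone hotspot named after the hotel (the
# trick described in the article), a lookalike, and an unrelated network.
SAMPLE_SCAN = [
    Network("GrandHotel-Guest", "00:11:22:aa:bb:01", 6, "WPA2-PSK"),
    Network("GrandHotel-Guest", "00:11:23:aa:bb:07", 36, "WPA2-PSK"),
    Network("GrandHotel-Guest", "de:ad:be:ef:00:01", 11, "OPEN"),
    Network("Grand Hotel FREE WiFi", "de:ad:be:ef:00:02", 1, "OPEN"),
    Network("Jamies-iPhone", "de:ad:be:ef:00:03", 1, "WPA2-PSK"),
]


def normalise(ssid):
    """Lower-case and drop spaces/punctuation so 'Grand Hotel_FREE' compares as 'grandhotelfree'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def looks_like_hotel_ssid(ssid):
    return normalise(HOTEL_BRAND) in normalise(ssid)


def classify(net):
    """Reasons a beacon is suspicious.  An empty list means it is either one of
    the hotel's own APs or an unrelated network this check does not judge."""
    if not looks_like_hotel_ssid(net.ssid):
        return []
    reasons = []
    if net.bssid[:8].lower() not in {oui.lower() for oui in HOTEL_AP_OUIS}:
        reasons.append("BSSID OUI is not one of the hotel's managed access points")
    if net.security != HOTEL_SECURITY:
        reasons.append(f"security is {net.security}; the hotel network uses {HOTEL_SECURITY}")
    if net.ssid != HOTEL_SSID:
        reasons.append("SSID is a lookalike of the hotel name, not the exact SSID")
    return reasons


def find_rogues(scan):
    """Map BSSID -> reasons for every beacon that impersonates the hotel network."""
    rogues = {}
    for net in scan:
        reasons = classify(net)
        if reasons:
            rogues[net.bssid] = reasons
    return rogues


if __name__ == "__main__":
    for bssid, reasons in find_rogues(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

On the constructed scan the two real access points pass and the two impersonators are flagged: the hotspot with the exact SSID on an unknown OUI and no encryption, and the open lookalike.  Two caveats: a MAC OUI can be forged, so an allow-listed OUI is evidence, not proof, and the check is only as good as the AP inventory it is fed.  From the guest side the visible tell is the security mismatch: if the front desk handed you a WPA2 passphrase and the network named after the hotel is open, do not join it.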

It wasn't all bad.  When one of the hackers asked a waitress to charge his
phone, she went out of her way to plug the device into a wall charger
instead of her computer.  More important, the hotel's internal network was
well protected.

Impatient to speed up the process, the team leader called his office and had
a colleague look up the correct IP range for the hotel network.  The PMS,
however, didn't respond.  The door was locked.

But then another door opened.  One of the hackers used a denial-of-service
attack to kick a guest device, "Jamie's iPad," off the hotel Wi-Fi.  (The
original describes it as "distributed," but a single laptop forcing one
client off a wireless network is a plain denial of service, not a DDoS; the
usual method is forged deauthentication frames.)  That could have been the
prelude to tricking her iPad into joining the spoofed network and snooping
on her communications.  On the bright side, the hackers might never find
out what Jamie likes for breakfast.
===

Later,
Sean

--- MultiMail/Win
* Origin: Outpost BBS * Limestone, TN, USA (1:18/200)