The premium movie playing on Adam Laurie's hotel room TV screen may not necessarily be one he paid for, perhaps not one intended for his room at all. One night out of boredom, Laurie said, he became interested in his hotel room's TV remote handset and, in the process of exploring it, gained access to premium services, to other guests' accounts, and to the hotel's main billing server.
Unless they are accessing the Weather Channel or CNN, most people do not give the common hotel TV remote a second thought. Then again, most people are not Adam Laurie. He is the chief security officer and director of a London-based networking company called Bunker Secure Hosting, housed inside a decommissioned missile silo outside of the town of Kent. His frequent travels and speaking engagements are the result of Laurie's world-renowned expertise in wireless vulnerabilities found in many gadgets today, including hotel TV remote systems.
Laurie, who still uses the nickname "Major Malfunction," discovered the possibilities after idly tinkering with infrared codes via his laptop one night in a Holiday Inn hotel room. Setting down his laptop, Laurie said he wanted to retrieve a cold beer from inside his previously unlocked minibar. Somehow he'd managed to change one critical value via the TV and locked the mini-refrigerator. If only to rescue his beer, Laurie said he was compelled to rediscover the exact numeric value that would unlock it. And, of course, one thing led to another.
Infrared signals on consumer gadgets are easily overlooked ("security by obscurity"). By comparison, there's the very basic radio frequency controls used in garage door openers. Garage door openers can be manually configured via a dipswitch circuit with eight possible on/off positions. That leaves 256 possible code combinations. Laurie has demonstrated at various security conferences a script he created that can run through all 256 combinations in a matter of minutes. With the script on his Linux laptop and a radio antenna, he can open just about any garage door. (He has also used a variation on the keyless entry attack to lock an employee's car in the parking lot after the owner attempted to unlock it. In Laurie's telling, the employee couldn't figure out why his key fob wouldn't open the door, much to the amusement of the rest of the staff watching from a nearby window.)
With TV remotes very few industry standards exist for infrared television remote signals. Those that do are proprietary. For example, a Sony TV remote won't work on a Samsung TV but might work with another Sony product, such as a Sony DVD player. No encryption or authentication is required to use a remote. No authentication handshake says that only a Sony remote with gadget number x can connect to a TV with gadget number y. This gives us the convenience of universal remotes, even though they require some initial programming by the end user if only to tell the universal remote what proprietary code to use.
Unlike the home version, hotel TV remotes include additional groups of code. The home edition includes volume, channel select and text mode. The hotel version includes codes for "alarm clock," "pay TV," "checkout," and "administration" (such as housekeeping). Hotels, however, use an inverted security model in which the end gadget, in this case the TV, filters the content. In other words, premium movies are broadcast all the time; you just need a way to access them. Instead of residing in a central server, access control is literally in the hands of paying hotel room occupants -- whether they realize it or not.
Laurie found he only needed a computer running the Linux operating system, an infrared transmitter and a USB TV tuner to access these extra groups of codes. While staying at a Hilton Hotel in Paris, he automated his attack, which enabled him to snap photographs of the various channels he could see and manipulate.
If he'd had malicious intent, Laurie could have zeroed his minibar balance, watched free premium movies, or surfed other people's email. Instead Laurie decided to deface the hotel welcome screen, take a photo, then restore the screen to its previous condition, later using the photo to show the hotel staff what he'd been able to do. "If the system was designed properly," Laurie said, "I shouldn't be able to do what I can do."