The premium movie playing on Adam Laurie's hotel room TV screen may not necessarily be one he paid for, perhaps not one intended for his room at all. One night out of boredom, Laurie said, he became interested in his hotel room's TV remote handset and, in the process of exploring it, gained access to premium services, to other guests' accounts, and to the hotel's main billing server.
Unless they are accessing the Weather Channel or CNN, most people do not give the common hotel TV remote a second thought. Then again, most people are not Adam Laurie. He is the chief security officer and director of a London-based networking company called Bunker Secure Hosting, housed inside a decommissioned missile silo outside of the town of Kent. His frequent travels and speaking engagements are the result of Laurie's world-renowned expertise in wireless vulnerabilities found in many gadgets today, including hotel TV remote systems.
Laurie, who still uses the nickname "Major Malfunction," discovered the possibilities after idly tinkering with infrared codes via his laptop one night in a Holiday Inn hotel room. Setting down his laptop, Laurie said he wanted to retrieve a cold beer from inside his previously unlocked minibar. Somehow he'd managed to change one critical value via the TV and locked the mini-refrigerator. If only to rescue his beer, Laurie said he was compelled to rediscover the exact numeric value that would unlock it. And, of course, one thing led to another.
Infrared signals on consumer gadgets are easily overlooked ("security by obscurity"). By comparison, there's the very basic radio frequency controls used in garage door openers. Garage door openers can be manually configured via a dipswitch circuit with eight possible on/off positions. That leaves 256 possible code combinations. Laurie has demonstrated at various security conferences a script he created that can run through all 256 combinations in a matter of minutes. With the script on his Linux laptop and a radio antenna, he can open just about any garage door. (He has also used a variation on the keyless entry attack to lock an employee's car in the parking lot after the owner attempted to unlock it. In Laurie's telling, the employee couldn't figure out why his key fob wouldn't open the door, much to the amusement of the rest of the staff watching from a nearby window.)
With TV remotes very few industry standards exist for infrared television remote signals. Those that do are proprietary. For example, a Sony TV remote won't work on a Samsung TV but might work with another Sony product, such as a Sony DVD player. No encryption or authentication is required to use a remote. No authentication handshake says that only a Sony remote with gadget number x can connect to a TV with gadget number y. This gives us the convenience of universal remotes, even though they require some initial programming by the end user if only to tell the universal remote what proprietary code to use.
Unlike the home version, hotel TV remotes include additional groups of code. The home edition includes volume, channel select and text mode. The hotel version includes codes for "alarm clock," "pay TV," "checkout," and "administration" (such as housekeeping). Hotels, however, use an inverted security model in which the end gadget, in this case the TV, filters the content. In other words, premium movies are broadcast all the time; you just need a way to access them. Instead of residing in a central server, access control is literally in the hands of paying hotel room occupants -- whether they realize it or not.
Laurie found he only needed a computer running the Linux operating system, an infrared transmitter and a USB TV tuner to access these extra groups of codes. While staying at a Hilton Hotel in Paris, he automated his attack, which enabled him to snap photographs of the various channels he could see and manipulate.
If he'd had malicious intent, Laurie could have zeroed his minibar balance, watched free premium movies, or surfed other people's email. Instead Laurie decided to deface the hotel welcome screen, take a photo, then restore the screen to its previous condition, later using the photo to show the hotel staff what he'd been able to do. "If the system was designed properly," Laurie said, "I shouldn't be able to do what I can do."
Yet, the ability to access the minibar records through the hotel television shouldn't be too surprising. Hotel TVs are connected by coaxial cables to a little metal box. So are the room's premium TV channels, VoIP, minibar and Game Boy or Wii entertainment system. This bundling of premium services is convenient from a hotel's point of view; management doesn't have to rewire each room whenever it adds a new service. And it's convenient from guests' perspective; they can check out anytime and bypass the front desk. But there's a flaw in all this convenience.
Using a computer TV tuner and his laptop keyboard as a remote control, Laurie said he is able to access information intended for other rooms within the hotel. Thus, Laurie can change the code and see the billing information for another room, any Web mail that person might be reading, or whatever premium porn channels that guest might be watching at the moment.
The hotel assumes that only you can see your account information. It further assumes that most people aren't connecting their laptop computers to their room TVs and accessing the hotel's private configuration codes. For the most part, that's true. But Laurie isn't the only security researcher to publicize this particular design flaw. Paul "Pablo" Holman of the Shmoo Group has also gone public with his own findings on hacking hotel room TV remotes. Another security researcher used only a basic cable converter box purchased on eBay to intercept the hotel codes in his room. Others have also found additional ways to defeat hotel TVs, such as plugging the coaxial cable into their laptops.
Realizing that his otherwise trivial hotel TV remote more or less holds the keys to the entire kingdom, Laurie has experimented at other hotels. He's seen only three or four different back-end systems used. By one estimate, one of up to 16,000 possible code combinations is required to unlock the services on any given hotel system; each new location could take Laurie hours to decipher. To speed that process, he created an automated script like the one he used to crack garage door openers to divine a particular hotel's relevant codes in about a half an hour. Laurie has no plans to release that script to the public. It exists only to further satisfy his curiosity.
In one hotel Laurie inserted an unblocked porn channel image onto the background of the welcome page -- temporarily and only to show the executive staff. Similarly, he once accessed the hotel's main server and had the option of crashing the entire system -- if he wanted.
That's where Laurie as a researcher differs from the criminals sometimes referred to in the media as "hackers." Laurie uses his experiences to educate people about the dark side of common gadgets. But what if someone really wanted to be malicious? Could that person use a common gadget to get sensitive information about us?
Lack of authentication allowed Laurie to gain access where he should not. In many systems we take for granted, this lack of authentication is all too common because the designers have not thought through the various ways in which someone could attack. Our growing need for convenience makes us accept clever shortcuts in exchange for security, shortcuts that in some cases may cost us money or, in extreme cases, our lives.
Excerpted from When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies, by Robert Vamosi. Available from Basic Books, a member of The Perseus Books Group. Copyright 2011.
Read more Atlantic Technology Channel Book Excerpts.
Author photo: Nancy Warner; Jacket design: Alyssa Stepien.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.