The Hotel Hackers Are Hiding in the Remote Control Curtains
Back doors to your personal data can be found in everything from smart fish tanks to Wi-Fi pineapples.

Three men dressed for business travel in jeans and dress shirts loaded backpacks into the trunk of a black coupe and wound their way through the center of a major European city. When they arrived at their hotel, they unloaded their luggage and waited giddily to pass through the revolving doors. They were checking into the hotel to hack it.

Hackers target financial institutions because that’s where the money is, and they target retail chains because that’s where people spend the money. Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets. Thieves have targeted electronic door locks to burgle rooms and used malware attacks to log credit card swipes in real time. They’ve even used Wi-Fi to hijack hotels’ internal networks in search of corporate data. Just about all of the industry’s major players have reported breaches, including Hilton Worldwide Holdings, InterContinental Hotels Group, and Hyatt Hotels.

The group’s leader checked in at the front desk. One of his associates strolled along the length of the reception area, noting that the property used an outdated point-of-sale system, and another used Fing, a mobile network-scanning app, to look for Wi-Fi networks the hotel didn’t advertise. While they waited for the staff to finish preparing their room, the hackers took coffee on a terrace. They pulled up the hotel website’s publicly visible source and used an outdated plug-in to enumerate a list of admin usernames. Ultimately they were looking for a door. Sure, they could slip a thumb drive into the neglected register at the far end of the restaurant bar and log credit card numbers until somebody noticed the device. But they would rather find a way into the property management system, or PMS, which hotels use to take reservations, issue room keys, and store credit card data.
Better still would be to do what they did at a hotel in New York City. After plugging the network cable from the room’s smart TV into a laptop, they got into the hotel’s PMS, which led to the chain’s corporate system. Emails Bloomberg Businessweek viewed show they gained access to credit card information for years’ worth of transactions across dozens of hotels. If they had been crooks, the team would have sold the information on the black market, where a Visa with a high limit can go for about $20.

These hackers, however, were good guys: IT consultants who were frustrated with their hospitality clients’ lax approach to security. To demonstrate the industry’s weaknesses, their leader arranged for a reporter to tag along on an audit of one of his clients’ hotels. The conditions: The hackers wouldn’t break into the personal devices of hotel guests, and neither the hotel, the city, nor the hackers could be named.

Once they got to their room, the hackers concentrated on finding the hotel’s internal network—the one used by staff, not the one guests use to stream pornography and FaceTime their families. In one famous example, hackers breached the internet-connected fish tank in the lobby of a Las Vegas casino and used that foothold to reach a database of high rollers on the property’s internal network. But this room was an older make, with a dumb TV, old phones, and a standard minibar, equipped with Heineken and Toblerone but no internet. Then one of the hackers started rooting around in the window frame. Nestled in a top corner was a wired network port, designed to let guests open and close the curtains by remote control. “This will be the way in,” the leader said.

How much of the responsibility for guarding electronic transmissions lies with hotels and how much with guests is “a nasty philosophical question,” says Mike Wilkinson, global director at Trustwave SpiderLabs.
Mark Orlando, chief technology officer for cybersecurity at Raytheon IIS, advises corporate clients to avoid using personal devices altogether while on the road. That could mean requesting a loaner laptop or buying a burner phone. Even ordinary travelers should use virtual private networks to connect to the internet when outside the U.S., he says.

But no amount of personal digital security could have saved travelers from the massive attack Marriott International Inc. discovered in 2018. In early September 2018, an automated security tool flagged a suspicious query in the reservation database for Starwood Hotels & Resorts Worldwide Inc., a company Marriott had acquired two years earlier. In the weeks that followed, security investigators discovered a remote access trojan (RAT), software that lets hackers take control of a target computer, as well as a credential scraper, malware that scours system memory for usernames and passwords. Clues left behind by the digital trespassers suggest they made off with as many as 383 million guest records, as well as more than 5 million unencrypted passport numbers and more than 9 million encrypted payment cards.

Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders. “From an intelligence standpoint, there are some real advantages to understanding where high-profile people are going to be ahead of time,” says Gates Marshall, director of cyber services at CompliancePoint Inc., whose consulting clients include airports. “There’s a market for travel itineraries. It’s not a commercial market, it’s more of a geopolitical one.”

Sorenson has said he doesn’t know who’s responsible for the attack—and likely never will. Others have been more willing to point the finger, including U.S. Secretary of State Mike Pompeo, who attributed the hack to China in an interview with Fox & Friends in December.

Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.

There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions. The result is a messy technological ecosystem that runs on old software.

Many hotels use Opera, sold by Oracle Corp., as their PMS. A common version was designed for a legacy Windows operating system, and directs users to disable security features to make the software work. An instruction manual for the software starts with a step-by-step guide on how to lower your defenses: First, turn off data execution prevention (DEP), which stops code from running out of memory pages meant to hold only data and is a core defense against memory-corruption exploits. Next, deactivate user account control (UAC), so any program launched by an administrator runs with full administrator rights and no prompt, which makes it far easier for an attacker who lands on the box to escalate. Finally, disable Windows Firewall, the host’s own filter on inbound connections. Now you’re ready to book reservations and take credit card payments. (Oracle’s security guide advises users to “harden” their operating systems after installation.)
Even worse, many hotels put their PMS online, letting hackers break in from thousands of miles away. Joshua Motta, CEO of cyber insurer Coalition Inc., ran an internet-wide search for the admin page used to support Opera and found 1,300 instances of the application reachable from the public internet, from Newfoundland to the Maldives. “All of a sudden your system is only as secure as a username and password,” Motta says, “which hackers have repeatedly shown isn’t terribly effective.” “Customers are encouraged to upgrade their systems and software to the most recent version to provide the highest level of security measures available,” says Oracle spokeswoman Deborah Hellinger.

While hotels are struggling with basic cybersecurity, they’re building massive databases of personal behavior. One of the ironies of the Marriott breach is that the company acquired Starwood because Sorenson thought adding its popular loyalty program and fancy hotels would give him a moat against digital middlemen, who seek to collect fees for helping travelers find hotel rooms. Marriott’s new heft would give customers more incentive to book directly with the company, cutting out Expedia, Booking.com, and other online travel agencies, as well as advertising giants Google and Facebook.

At some properties, hotel brands are already collecting data on what temperature you like your room and how you like your eggs, betting that knowing that stuff can translate into better service. Other kinds of customer data—the annual conferences you attend or the date of your wedding anniversary—are largely untapped marketing opportunities. Some companies are also experimenting with putting voice assistants in their rooms or using facial recognition to streamline check-in. Privacy issues abound, but even more mundane advances are fraught with trade-offs between convenience and security.
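The install steps the manual prescribes (DEP off, UAC off, firewall off) and the 1,300 admin pages Motta found on the public internet are two ends of the same host-hardening failure: once the firewall is gone, the only thing between the PMS and the world is a login form. The PowerShell below is an added example, not Oracle’s code and not from the article. It audits those three settings on a Windows PMS host and applies the hardened alternative: DEP and UAC back on, the firewall on with inbound default-deny, and a single inbound rule that exposes the PMS listener only to the staff network rather than to the guest VLAN or the internet. The listener port (443), the staff subnet (10.10.0.0/16) and the rule name are assumptions for illustration; substitute the property’s real values, and run it in an elevated session.

```powershell
# Added example (not Oracle's or the article's code): audit and remediate the
# three Windows protections a PMS install guide tells operators to switch off.
# Assumptions: Windows Server with PowerShell 5.1+, PMS listener on TCP 443,
# staff network 10.10.0.0/16. Run as Administrator.

$PmsPort     = 443              # assumed PMS listener port
$StaffSubnet = '10.10.0.0/16'   # assumed internal staff network
$RuleName    = 'PMS listener (staff only)'

function Get-PmsHostHardening {
    # DEP policy from Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy

    # UAC: EnableLUA = 0 means User Account Control is fully disabled
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA

    # Windows Firewall: one Enabled flag per profile (Domain / Private / Public)
    $offProfiles = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        DepPolicy      = $dep
        DepOk          = ($dep -in 1, 3)     # AlwaysOn or OptOut is acceptable
        UacEnabled     = ($uac -eq 1)
        FirewallOffFor = @($offProfiles)     # should be empty on a hardened host
    }
}

function Set-PmsHostHardening {
    param([int]$Port = $PmsPort, [string]$Subnet = $StaffSubnet)

    # DEP back to OptOut: every process is protected unless explicitly exempted.
    # If the PMS binary really cannot run under DEP, exempt that one executable
    # instead of turning DEP off for the whole machine.
    bcdedit /set '{current}' nx OptOut | Out-Null

    # Re-enable UAC (takes effect after a reboot).
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                     -Name EnableLUA -Value 1

    # Firewall on for all profiles, inbound default-deny ...
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

    # ... plus the one inbound rule the PMS needs: its listener port, reachable
    # only from the staff subnet. Anything from the guest VLAN or the internet
    # never reaches the login page at all.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                            -LocalPort $Port -RemoteAddress $Subnet `
                            -Action Allow -Profile Any | Out-Null
    }
}

# Usage:
#   Get-PmsHostHardening    # inspect: DepOk True, UacEnabled True, FirewallOffFor empty
#   Set-PmsHostHardening    # remediate, then reboot so the UAC change applies
```

Run Get-PmsHostHardening first and keep its output as the before-state for the audit record. If the PMS genuinely will not run under DEP, exempt only that executable (Set-ProcessMitigation -Name <exe> -Disable DEP on Windows 10 1709+ and Server 2019, or the DEP tab under System Properties) rather than setting nx to AlwaysOff, and reboot after Set-PmsHostHardening because EnableLUA is read at boot. The firewall rule is the piece that answers Motta’s finding: a host whose PMS port only accepts connections from the staff subnet does not show up in an internet-wide search, whatever the strength of its passwords.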
It’s increasingly common for travelers to check in to a hotel from a mobile app, bypass the front desk, and get into their room by using their phone as an electronic key.
Source: Brica.de