July 31, 2005 5:00 PM PDT

Hacking the hotel through the TV

LAS VEGAS--When Adam Laurie stays at hotels, he says he can hack his way around paying for premium TV channels, the minibar and phone calls.

What's more, by connecting his laptop to certain modern hotel TV systems, Laurie says he can spy on other guests. He can't look into their rooms (yet), but depending on the system he can see what they are watching on their TV, look at their guest folios, change the minibar bill and follow along as they browse the Internet on the hotel television set.

To tease his fellow guests, he can also check them out of their room and set early wake-up calls via the TV.

Laurie can do all this because of what he calls the "inverted security model" of the systems. "The TV is controlling which content I get to see. The hotel in most cases is streaming all content without any control," Laurie said in a presentation Saturday here at the Defcon event for security professionals and enthusiasts.

By plugging the hotel TV cable into a USB TV tuner connected to a laptop computer, Laurie can hack his way into the back-end systems controlling the entertainment and other convenience features found in modern hotels, he said in his presentation.

He found that many of those systems give access to information depending on an ID associated with the room's TV. By changing that ID, he said that he was able to access information for other rooms. Many such hotel systems show guest bills, phone and room service records and offer video check-out.

Laurie found that the hotel TV systems also have special controls for hotel employees. Housekeeping staff can report a room as clean, for example. Additionally, he found that some systems let room service staff input billing for the minibar, which he now controlled.

"Sometimes you can actually control physical devices," Laurie said. In one Holiday Inn hotel he found the system that controlled an electronic lock on the minibar.

While staying at a Hilton hotel in Paris, Laurie automated his hack and placed a camera in front of the TV. He snapped pictures of every screen and found out the occupancy rate of the hotel, the names of the guests, what they were paying, where they were calling and how long they had been at the hotel. He showed the pictures at Defcon, but obscured the guest names.

Part of Laurie's hack is simple. He found that premium channels are actually being broadcast all the time; the TV just can't tune into them until the guest pays. If a someone brings in a TV--the laptop and USB TV tuner will do fine--and connects it, they're set.

It gets harder from there. Changing the ID of the TV requires some skill, as does finding the room service billing codes. The systems use codes entered on the TV remote. So Laurie carries around an infrared device that he connects to his laptop. He wrote a program that sends codes to the TV and in about 30 minutes finds the relevant ones.

And the situation isn't getting better. "They are starting to do things like allowing you to put credit card numbers in through the TV," Laurie said. Also, he said, some of the makers of these hotel systems are looking at adding Webcams, perhaps to let people chat over the Internet.

6 comments

Join the conversation!
Add your comment
Cool I'll be watching a lot more movies now!
Cool I'll be watching a lot more movies now!
But I also will say thats d^^ stupid of the hotels
to have the TVs networked like that.
Posted by (6 comments )
Reply Link Flag
Cool I'll be watching a lot more movies now!
Cool I'll be watching a lot more movies now!
But I also will say thats d^^ stupid of the hotels
to have the TVs networked like that.
Posted by (6 comments )
Reply Link Flag
Horels = easy hacking.
This is not new; I often brought a custom remote control or my PDA to hotel rooms. Most hotels use a CATV converter that simply restricts what channels you can go to. By using a universal remote you can change to these unlisted channels to see Pay TV and folios of other people.

The author is correct. These systems are very rudimentary and do not use encryption or non-standard signaling. They are modified CATV systems for the most part. Some newer hotels are using broadband modems connected to a scale in the mini-bar to report usage to the front desk. The cable system in a hotel room provides a wealth of (shared) data.

As a long time hacker I have hacked the electronic door access systems and the Premium Television services in hotels as well for personal enjoyment. I think hotels need to take a more serious look at security now that portable computers and electronics are more main stream now. These non-propriety technologies are no longer running in closed circuit isolation.
Posted by (16 comments )
Reply Link Flag
Horels = easy hacking.
This is not new; I often brought a custom remote control or my PDA to hotel rooms. Most hotels use a CATV converter that simply restricts what channels you can go to. By using a universal remote you can change to these unlisted channels to see Pay TV and folios of other people.

The author is correct. These systems are very rudimentary and do not use encryption or non-standard signaling. They are modified CATV systems for the most part. Some newer hotels are using broadband modems connected to a scale in the mini-bar to report usage to the front desk. The cable system in a hotel room provides a wealth of (shared) data.

As a long time hacker I have hacked the electronic door access systems and the Premium Television services in hotels as well for personal enjoyment. I think hotels need to take a more serious look at security now that portable computers and electronics are more main stream now. These non-propriety technologies are no longer running in closed circuit isolation.
Posted by (16 comments )
Reply Link Flag
TV signal hacking
Although cable TV is rumoured to be secure, a recent hacking of cable TV happened over here in Belgium. A Belgian TV celebrity got his television show hacked while he was covering the recent Steve Jobs speech. By chance it happened to be that he was recording his own private show at home and thus could register the succesfull hacking TV even though the studios swear the hacking did not occur at their premises.
Here's a digitized version: <a class="jive-link-external" href="http://www.brice.org/wp-content/movies/jt_pc_mac.mov" target="_newWindow">http://www.brice.org/wp-content/movies/jt_pc_mac.mov</a>
He's still searching for the culprits and how they did it technically.
Posted by josh_drucker (2 comments )
Reply Link Flag
TV signal hacking
Although cable TV is rumoured to be secure, a recent hacking of cable TV happened over here in Belgium. A Belgian TV celebrity got his television show hacked while he was covering the recent Steve Jobs speech. By chance it happened to be that he was recording his own private show at home and thus could register the succesfull hacking TV even though the studios swear the hacking did not occur at their premises.
Here's a digitized version: <a class="jive-link-external" href="http://www.brice.org/wp-content/movies/jt_pc_mac.mov" target="_newWindow">http://www.brice.org/wp-content/movies/jt_pc_mac.mov</a>
He's still searching for the culprits and how they did it technically.
Posted by josh_drucker (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.