Hacking Hotel Infrared Systems

From Wired:

A vulnerability in many hotel television infrared systems can allow a hacker to obtain guests' names and their room numbers from the billing system.

It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it....

"No one thinks about the security risks of infrared because they think it's used for minor things like garage doors and TV remotes," Laurie said. "But infrared uses really simple codes, and they don't put any kind of authentication (in it).... If the system was designed properly, I shouldn't be able to do what I can do."

Posted on August 1, 2005 at 1:21 PM • 24 Comments

Comments

DaedalaAugust 1, 2005 1:37 PM

I'm not sure this is an issue of the system not being designed properly. It seems more like an issue of it being repurposed improperly.

Smog FarmAugust 1, 2005 2:21 PM

Free hotel porn! His method requires too much work with a laptop and USB tuner... I'd rather plug the coax from the wall directly into the TV and bypass the hotel's black box. Why watch on my laptop, when I can see porn in all it's 27" glory!

Zed PobreAugust 1, 2005 2:29 PM

It is absolutely an issue of the system not being designed properly. This is the equivalent of using a trivially forgeable authentication key to allow access to confidential materials. If it were a bank allowing access to bank records or funds to anyone who claimed to be anyone else, I don't think there would be any question that this was horrible security. Why should it be different for hotel records or guest transmissions?

DaedalaAugust 1, 2005 2:40 PM

@Zed

I meant that the infrared protocols weren't originally used for information that needed protection. I'm not sure that changing tv channels and such really needed strong security.

The SSN, on the other hand, was always badly designed (no check digit) and has fared even worse as its been reused for different things.

Ben SmythAugust 1, 2005 2:40 PM

@Zed
I think Daedala's is suggesting the Hotel's system was poorly implemented.

There is obviously an issue if the bank permitted access to your funds or personal data; however, I don't care if anyone plucks my decision to flick over to Sky Sports out of the air*.


*except of course if I am supposed to be watching Sky News and my employer does the plucking.

DarkFireAugust 1, 2005 2:48 PM

Apply Occam's Razor...

Don't use the IR features!

A flippant reply perhaps, but sometimes the simple solutions really do remain the best...

Jo_AvaAugust 1, 2005 4:37 PM

Heh... recently we were exploiting the (free) wireless internet (probably using the Web-TV IR) in our upscale hotel in Houston, and thought we were getting away with something b/c the usual Internet fee was $9.95/day. We should have tried to get even more!

BryanAugust 1, 2005 4:46 PM

The IR portion of the system isn't really what's being hacked. The IR remote just an input device like a keyboard - Adam Laurie is simply mapping out the keyboard codes which travel by light pulses rather than wire.

The major weakness' are 1) that all data is being sent to the TV over an obscure but non-encrypted medium, and 2) there's no real authentication in place other than essentially a glorified channel-knob.

So you can secure 'your' IR input channel simply by closing door & drapes. BUT that's no barrier for the cracker who has tapped into the cable outlet in *his* room ... he can still simply tune in to 'your' channel and see/change your bill, know what movies you're watching, etc.

BryanAugust 1, 2005 4:55 PM

DarkFire:

Whether you use the in-room system or not, you're vulnerable. The properly-equipped guy in another room can still see your bill, order porn in your name, and watch it from the comfort of his own room. He probably can't get the beer out of *his* minibar and charge it to *you* though.

Davi OttenheimerAugust 1, 2005 7:42 PM

Nice, Laurie puts new meaning into the phrase "red spectrum". Hotels all over the world soon will have to change their check-in procedures:

"This room does not have a view or access to the pool, but it does come with InfraRed"

@ Bryan

"The IR portion of the system isn't really what's being hacked."

Correct, because the IrDA standard has no security. It was often referred to a means of connection only, NOT to be confused with a "network". Of course this becomes especially amusing when you consider that Microsoft's implementation of IrDA automatically connects to anything "nearby" and instantly allows you to drag-n-drop files onto a remote IrDA-enabled system (you can de-select "allow others to send me files via infrared") with the same authority as the recieving user (typically a local admin). The only real prevention is to disable the IrDA port, which takes us back to the heated discussion about PIN 0000 and Bluetooth.

Any chance that there will be a Hotel Whisperer as well as the Car Whisperer by the next Black Hat?

http://trifinite.org/blog/archives/2005/07/introducing_the.html

chrisAugust 2, 2005 12:29 PM

Wow, that guy did it the hard way, huh?

All you really need is one of these:
http://xrl.us/gyxf

Get it here for $149:
http://xrl.us/gyxg

Incidentally, that first link is the first result when you google for: philips institutional TV

I paid around $35 for my RC2573GR. I think I got it from replacementremotes.com, but they don't seem to have that part number. It may be known by another name.

GrainneAugust 3, 2005 4:57 AM

I think you are focusing too much on hacking free porn. What I'm more concerned about is the fact they can see other guest's names, numbers, read their email etc.
This could leave hotels at risk for lawsuits. Personal guest information should be encrypted anyway...

some pochoAugust 3, 2005 12:00 PM

google major 'malfunction IR' or check the layerone.info web site. there is much more than free content if you hack a hotel IR (minibar, billing system, premium channels, etc are only the start).

chrisAugust 3, 2005 1:59 PM

Who's focusing?

With the RC2573GR you can change the TV's address, making the billing system think that you're standing in a different room.

So, you can look up any room's folio, or order whatever services are availble to be ordered with the TV remote.

The whole thing is TV channels run over RG6 afterall. The security in the system comes from making it difficult to tune into certain channels, and the assumption that the addresses assigned to each TV stay on those TVs.

Further, there's more than just porn that comes across those "private" TV channels used by the system.

Whenever a guest uses the WebTV like function, they're just "watching" a TV channel that's mapped to the output of a specific windows box running a minimal user interface. Tune to that channel and you'll see everything the victim sees. If he's surfing web-based email, you'll see it.

Encyrpted? No way. It's broadcast wide open on a cable channel that's hard for you to tune in.

bRaderDecember 21, 2005 5:21 PM

Does anyone know where you can get a list of all the master setup remotes typically used for hotel tvs?? Or better yet the LIRC codes or CCF pronto file codes for these??

JeffOctober 2, 2007 9:55 AM

bRader- Almost 2 years late on this, but I have the Master Setup remote configs in IRTrans rem files for the Philips systems, the Zenith Concierce systems, and the RCA 300/400/600 Series which covers all of the Lodgenet and OnCommand systems I've seen. Email me at zerrick11 yahoo.com and I can send them to you.

Jeff SmithOctober 2, 2007 11:30 AM

bRader- I'm about 2 years late on this but I have the master remote codes for Philips, Zenith Concierge, and RCA 300/400/600 series OnCommand / Lodgenet systems in IRTrans .rem format. This covers all of the hotel systems that I've seen- you can email me at zerrick11 yahoo.com and I'll send them to you.

Jeff SmithNovember 12, 2007 10:18 AM

I've received several emails so I see this thread is still being read...and I'm looking for some .rem files to build my collection. Specifically, if anyone has an .rem file for the RCA ClonePro, or could lend me an RCA ClonePro for a few days please let me know. Also, looking for the new Lodgenet master remote (that works with the LRC3002 / LRC30002 guest remote)- either the .rem file or to borrow the remote for a few days.

If you have any of this, or need the master remote .rem files for Zenith (LG), RCA, or Philips commercial TVs then email me at zerrick11yahoo.com.

Jeff SmithNovember 15, 2007 4:52 PM

OK- I've gotten quite a few emails so I thought I'd set up a site for us to have further discussions on this. Check out http://www.hackinglodgenet.com for future discussions and updates.

I'll post more information over the next week or two, and I've already uploaded the remote control codes so they can be downloaded directly from the website.

CindyApril 28, 2010 10:44 PM

Can I connect the LodgeNet hotel wireless keyboard to my own laptop while in the hotel room. My keyboard is shot. What do you suggest? Thank you!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..