IoT Ransomware against Austrian Hotel

Attackers held an Austrian hotel network for ransom, demanding $1,800 in bitcoin to unlock the network. Among other things, the locked network wouldn’t allow any of the guests to open their hotel room doors.

I expect IoT ransomware to become a major area of crime in the next few years. How long before we see this tactic used against cars? Against home thermostats? Within the year is my guess. And as long as the ransom price isn’t too onerous, people will pay.

EDITED TO ADD: There seems to be a lot of confusion about exactly what the ransomware did. Early reports said that hotel guests were locked inside their rooms, which is of course ridiculous. Now some reports are saying that no one was locked out of their rooms.

EDITED TO ADD (2/13): More information.

Tags: , , ,

Posted on January 31, 2017 at 8:49 AM34 Comments

Comments

pm January 31, 2017 9:18 AM

“Among other things, the locked network wouldn’t allow any of the guests to open their hotel room doors.”

I’ve read that this was exaggerated by press. Hotel just could program new key cards. See here: https://motherboard.vice.com/en_uk/read/luxury-hotel-goes-analog-to-fight-ransomware-attacks
“This is totally wrong,” hotel owner Cristoph Brandstaetter told Motherboard. “It was just a normal cyberattack and no guests were locked in.”
The main problem, according to Brandstaetter, was the hotel was unable to issue new key cards to guests who arrived during the 24 hours that the hotel’s reservation system was down. Ultimately, Brandstaetter was forced to pay the ransom after failing to secure help from the police.

Vesselin Bontchev January 31, 2017 9:25 AM

This has been debunked as mostly bullshit. The hotel computer was ransomwared and until the ransom was paid, no new keycards could be issued. The old ones continued to work. Nobody was locked – neither in, nor out.

Evan January 31, 2017 9:28 AM

Can we rebrand the Internet of Things into something else that better reflects how shortsighted and foolish the whole thing is? “Internet of Shit”, like the Twitter account, is probably too far, but perhaps something a little milder? IoD, the Internet of Dross?

Moshe Y January 31, 2017 9:30 AM

This will be quite the arms race.

Example 1) I wonder when we will see the first case(s) of disgruntled, discharged, or avaricious employees using ransonware against their employers — deliberately using physical access to infect networks and collect money anonymously.

Example 2) A sufficiently subtle class attack at the factory level might induce Ford to pay over quite a bit more to unlock all their F150’s…

Scared January 31, 2017 9:40 AM

“I demand a ransom of one thousand eight hundred dollars!”
So it wasn’t Dr. Evil, he would have asked for One Million Dollars.

M. Welinder January 31, 2017 10:06 AM

And as long as the ransom price isn’t too onerous, people will pay.

You really also need a way to present the demand to the user. For
thermostats I am not sure how you would do that.

Anura January 31, 2017 10:21 AM

@Scared

You can only charge what people are willing and able to pay. For a business, $1800 is a fairly small sum of money, one they are a lot more likely to pay, and if you are focusing on targets of opportunity the effort to attack a lot of businesses is not much more than the effort to attack one (especially if you don’t care about who you attack). Infect a thousand businesses, get 20 of them to pay, and you get a nice $36,000 payoff (which if you are in an impoverished country, that’s huge). With a larger scale operation involving a small team, infecting home computers for a smaller fee, you can easily make millions off of this stuff.

Josh January 31, 2017 10:25 AM

M. Welinder If a victim lived in a northern area and the temperature outside was -25° F I bet they’d pretty motivated to pay to regain control over their thermostat. Not everyone would know how to replace their thermostat or force their heater to turn on.

Jerry January 31, 2017 10:57 AM

@Josh:
I’m sure they’d have time to drive to the nearest hardware store and buy another thermostat. Houses don’t get cold that fast. I live where it gets that cold sometimes, and no heat for an hour or two would be noticeable, but not unbearable, and definitely not critical.

M. Welinder January 31, 2017 11:02 AM

@Josh: I get that, but unless you can present a demand to the victim, there
is no way for the victim to pay you or even know that ransom is being sought.
Thermostats don’t really have a lot of UI. (And hacking the thermostat
doesn’t mean the smartphone app will show anything useful.)

What will happen here is that some local hvac guy will be called who won’t
know the IoT from a frozen hole in the ground. He’ll install a dumb $30
thermostat and the problem will be solved.

GreenSquirrel January 31, 2017 11:13 AM

Ultimately, Brandstaetter was forced to pay the ransom after failing to secure help from the police.

To be fair, there isn’t much the police can do.

Once the ransomware has run its course, unless its a known broken version (where the key is stored with the payload etc) then there isn’t a lot anyone can do. It’s time to treat it as a catastrophic disk failure and rebuild / restore.

The real reason the hotel had to pay up is that they:

1) Dont have a decent way of screening inbound emails.
2) Dont have a decent antivirus package able to use heuristics
3) They overuse privileged accounts
4) They dont properly patch
5) Most importantly they dont have a robust back up process which feeds into their Service Continuity / Disaster Recovery plan.

Basically they saved money for years by underinvesting in security and now had to pay a bit of money as a result.

vas pup January 31, 2017 12:00 PM

Question to all:
Since ransom was paid in bitcoins which are our of banking system (and I guess of real control/regulation/oversight by LEAs around the globe) could recipient of ransom be traced back for any legal actions against perpetrator? Is US FINCEN ready to handle similar cases if it occurred in US?

Ross Snider January 31, 2017 12:14 PM

A possible solution (that does allow for federal backdoors) is a publicly funded labeling system (like food labels) that disclose the security properties of consumer and industrial devices. Security is mostly a hidden feature from customers, like nutrition is about food. Exposing that information makes it available to be a decision that can be made on the “free market”.

Anura January 31, 2017 12:56 PM

@Nick P

Wow, you have a different picture of Clive than me. I picture a tie-dye shirt, long grey beard and flip flops with some sort of head-wear (possibly a bandana), and a tool belt filled with small screwdrivers and a cordless soldering iron.

GreenSquirrel January 31, 2017 1:16 PM

Is US FINCEN ready to handle similar cases if it occurred in US?

As far as I am aware ransomware is a regular occurrence across the US and at least one US LE department has paid the ransom because they were also woefully prepared with basic IT service management disciplines.

Nick P January 31, 2017 1:20 PM

@ Alter Ego

However, it just came to my mind that there’s another person on this forum that image fits perfectly with. Matches some of the posts. I’ll leave it at that. 😉

Wael January 31, 2017 1:40 PM

@Anura, @Nick P and his Alter ego,

I always thought he looked more like this or this.

It’s really not that difficult to know what he looks like! He leaked the information once upon a time!

guess which group got dicked to do the belly crawling and such like, yup us squadies. So somewhere in that last hour of the film you will see us in the background being cannon fodder to the action.

Just watch the movie and look for him! He’s the one eyeballing the Sargent with them baby blues 🙂

Or, he could be this badass:

From now on, you’ll speak only when spoken to. And the first and last words out of your filthy sewers will be “Sir”. Do you maggots understand that?

Would be cute to hear the above clip in a British accent. Lol

albert January 31, 2017 1:52 PM

@Anura, @Nick P, et al,

OK, how about a Guess What Clive Looks Like Contest. Everyone presents a photo or drawing of an imagined Clive; the winner being determined the man himself.
(not open to anyone who’s actually seen Clive)

Token On-Topic Section:
@Ross, et al,
Right on! Even a simple security checklist would be better than nothing.

As always, no one provides any meaningful details. These sorts of Chicken Little stories do little except generate more fear. I’m guessing that the locks themselves had nothing to do with the event, so it’s not even an IoT situation.

Mass Stupidity Syndrome: 1. The proclivity of tech-challenged individuals to believe everything they read or see on the Internet is true. 2. The proclivity of tech-challenged individuals to believe everything must be connected to the Internet.

Throwing hardware into the mix could be dangerous. Remember, any -thing- connected to the Internet is part of the IoT, not just BS stuff like a light bulbs, thermostats, and ‘fridges.

Until the manufacturers and s/w vendors are held criminally liable, nothing will be done to increase computer security.

. .. . .. — ….

Kevin January 31, 2017 2:31 PM

@Anura: “Wow, you have a different picture of Clive than me. I picture a tie-dye shirt, long grey beard and flip flops with some sort of head-wear (possibly a bandana), and a tool belt filled with small screwdrivers and a cordless soldering iron.

Sounds more like “Big Clive” (Clive Mitchell) to me, maker of amazing youtube teardowns of sub-par electronic gizmos. He’s more EE than IT, so not a lot of IoT on his youtube channel.

MarkH January 31, 2017 2:51 PM

the Clive Robinson that can be described is not the eternal Clive Robinson

with apologies to Lao-Tzu (and of course, the real Clive Robinson)

Clive Robinson January 31, 2017 3:09 PM

@ GreenSquirrel,

Basically they saved money for years by underinvesting in security and now had to pay a bit of money as a result.

That’s part of the problem and occurs in companies of all sizes (do I dare mention SPE?).

However there is another problem that was more fundemental…

Their system architecture was wrong…

Ask yourself the question why an infected email could effect a computer running the card maker?

And you will see why no matter how much you spend on security products your systems will be vulnerable.

I could make some guesses as to why the linkage was so amenable to infection, but why spoil others fun thinking it through themselves.

@ Nick P’s Alter Ego,

We know who you are, you gave it away in the past, just remember to go bong when somebody puffs out your name like smoke signals driffting through the trees…

As,for what I look like I’ve mentioned it before. I’m around 2meters tall (which is why BF Skinner accused me of being a Klingon). I have a fifty inch chest and a smaller waist. I’m older than Bruce, and I have a full head of hair that is not grey and yes like Bruce I have a beard but mine only has a little badger in it. You should also know that I get around on walking sticks due to injuries from earlier in my life including playing a full contact sport that has similar impact but not the woosy body protection those playing “American football” do.

As for “head gear” yes I am known to wear it from time to time depending on the weather, it also helps reduce my occasional head bang with door frames etc, from concussion to eye watering.

As for looking like a tie-dye sixties hippy reject etc, nagh, many mistake me for what they think an Australian bush man might look like (even Australians make that mistake). When wearing the green I’ve been known to cause other soldiers near heart failure in the way I just “appear out of thin air” and wisper in their ear from above.

But you should already know all this I’ve mentioned it before…

You also know there are atleast five people in the UK with my name and some have their own Internet sites. Also that I look sufficiently like a friend that a hotel receptionist swapped our passports and immigration officers did not notice it. Also there is another person I’ve not seen for a while that looked sufficiently like me that my other half’s parents thought they were me from 20meters away.

Oh and to make it a little easier my face has appeared in a military magazine atleast three times…

But why people want to find out what I look like, where I live or get in contact etc I have no idea…

the big question January 31, 2017 6:16 PM

@Clive Robinson

Yes, you’ve described your appearance such that anyone who cares enough could find a photograph (assuming no false trails).

But would you ever use a cordless soldering iron?

Anura January 31, 2017 7:43 PM

@Clive Robinson

Speaking of American Football, superbowl is this weekend; some years back, an ecommerce company I worked for got hacked while all the admins were watching the big game. Lots and lots of credit card numbers stolen; we caught it the next day because servers started running out of memory (too many credit cards being buffered) – the only thing that saved us! I remember hearing of another data breach a few months later at another provider, which I suspected occurred around the same time but took longer to detect since they probably had a half-way decent platform that wasn’t ran as thinly as possible*.

So, let this be a lesson to you: choose a platform that is extremely fragile, and make sure you have at least one knowledgeable, diligent IT person on your team that you can leave behind whenever there is something fun to do to in order to reduce the risk of being hacked.

*people would occasionally hit us with a DOS, in which on or two IPs would bring down a hundred websites by overloading the server’s lone CPU.

Jen Gold Stockholm January 31, 2017 8:41 PM

@ Clive Robinson

re: disclosing so much of your identity

with all the special information you hold, are you/ have you been – concerned about non-thespian actors making discrete contact in meatspace? it’s refreshing to witness your lack of paranoia

Zaphod January 31, 2017 9:37 PM

So, what we know about Clive: A young, bald, slight midget without mobility issues. Furthermore he shaves twice daily to deal with a beard which would make Father Christmas blush!

Z

Clive Robinson February 1, 2017 12:11 AM

@ the Big question,

But would you ever use a cordless soldering iron?

If you look hard enough I answered that some years ago… It was in a comment about working in the offshore oil industry more than half a life time ago. When repairing a strain gauge cell sensor in a bouy used by oil tankers to take on oil. The bouy had a three meter turntable that rotated fairly freely, and you had to lay down with your head lower than your feet, with head and arms inside an Ex D cabinate and the rest of you in blazing sun light, and yes I was sick as a dog it’s why it took so long. All I had to do was solder a couple of wires, and as mains power is not available the answer to your question is yes.

@ Anura,

Speaking of American Football, superbowl is this weekend…

May it be a good clean game with lots of fast action, and which ever team triumphes I hope people will raise a glass to their success.

But yes big sporting events have been a time for computers to get attacked. Do you remember the several occasions when User Names and Passwords have been written up somewhere prominently only to get seen by a TV camera and broadcast to the world…

And just this past winter holiday, it would appear that attackers were “having a go at NATO” with quite sophisticated attack code framework that’s been dubbed “matryoshka doll reconnaissance framework”,

http://blog.talosintel.com/2017/01/matryoshka-doll.html

Which I’ve kind of been expecting for more than a decade now… But I’m guessing that less sophisticated cracks were still working well, which kind of says more about the security response –or lack there of– than the attackers.

I expect @Bruce will blog about it as it’s technically interesting.

But at the end of the day any “distraction” can be used by attackers. Thus I’d expect attacks at all major holidays, festivals and sporting events, but… There are other distractions with “flu” and “Winyer vomiting” seasons where staff are “out of office” but still working to try to meet targets etc. In many cases organisations are their own worst enemy when it comes to security and stress times.

@ Jen Gold Stockholm,

<

blockquote>have you been – concerned about non-thespian actors making discrete contact in meatspace?

I know people outside of the usuall suspects have tried to “find me” for some reason as they’ve said so on this blog. And yes as I’ve mentioned before some actors have tracked me down and tried to put the wind up me, and found their efforts not having the desired effect.

At the end of the day non clinical paranoia is a form of “fear of the unknown” giving a sense of lack of control etc that can become a downward spiral or tail spin. The solution is, as with a real tail spin to “do the opposite of expected and regain control”. Hopefully the OpSec and other info I’ve mentioned here in the past has helped people get/regain control.

When it comes to idiots trying to put the frightners on people, they tend to lack “creative imagination” which is a major weakness that you can exploit if you are prepared. As the military tend to point out the way to be prepared is to practice untill it’s second nature. There are many things people can do to build their confidence in such things, and luckily most of them tend to be good for you in other ways (think certain types of martial art that slow down or stop the appearence of certain old age symptoms).

For instance, as I’ve pointed out before, following someone who rides a push bike is a nightmare. They are to fast to be followed on foot to slow to be followed by car if they know the area they are in they can use alleyways and oneway streets the wrong way etc to stop motorised following dead in it’s tracks. Following them by using another cyclist is going to stand out thus be seen by the person being followed. Likewise using a helicopter is not going to work as they will hear it. Which kind of leaves “bugging” via mobile phones etc and “drones” the two technical scourges of this decade. As discussed previously there are ways to stop your mobile being used to bug you… As for drones the toys and semi-pro ones have issues that you can use against them, and a folding bike is good for that as well as stopping conventional tracker bugging. Which just leaves the very well funded very high level types that have access to military style drones and high altitude surveilence systems and considerable man power and resources. If you are of interest to them well you just have to up your OpSec game in other areas. Of course riding a bike gets you out doing healthy excercise, but it also alows you to be “a bit wierd” because whilst having dash cams in cars is now OK people walking around with similar is still suspicious/creepy unless they are on your bike riders helmet. Then it’s just mildly ammusing not suspicious/creepy. The advantage of this is if something does make your OpSec sixth sense itchy, you can look through the camera footage in detail and bring to the fore ground what your sub concious had noticed. It also alows you to check all number plates on cars etc that might be doing a “pass by and drop back group tail”. Just remember you need two cameras, one facing forwards one facing back, as anyone who has watched people being tailed will tell you most followers give the game away by the way they behave, especially when they think the person they are tailing is not looking at them. Interviews with people who have been kidnapped, indicate that those who are more alert spotted signs of being watched etc prior to being taken, but did not act on it. It would be interesting to know how many escaped being abducted just because they changed routies etc frequently but randomly.

Likewise CCTV footage of the area near where people have been abducted has been shown to have caught those doing it in their planning / setup phases. So if you save the footage every day onto backup, should something happen to you there is a better chance those involved will get fingered and dragged into the light of day.

As I have a habit of saying “technology is agnostic to it’s use” it’s the “directing mind” that makes it good or bad when seen from another minds point of view. And as I said above those that are the non thespian actors “tend to lack creative imagination which is a major weakness that you can exploit”. Surveillance works both ways, but they tend to forget that and then don’t like it when they find out…

@ Zaphod,

So, what we know about Clive…

You left out “the Hobbit feet” or “a hammock for a mouse” issue 😉

Long time no hear I trust you are well?

Jack Daniel February 1, 2017 8:50 AM

Obviously, you cannot be locked in your hotel room, same way as you cannot be locked in your own car.
From the available articles about this attack( lacking some details about their key system) it seems to me it was not an IoT attack but an old Server\computer one. Restricting access to certain files on the server would have prevented the making of the new keys; in this scenario it even makes sense the already issued keys were able to work until their expiration.

BarneyC February 2, 2017 7:59 AM

So as @JackDaniel alludes… the question I have is… “Is this really an IoT attack?”

As far as I can see the door lock was not network connected in anyway, merely a reader of code(s) on a card. If that is the case how can this be considered an IoT “thing” and therein this an IoT attack?

Does the computer count as IoT (oh please no), and is the lock by dint of loosely being controlled by that computer (albeit abstracted via a physical key card) render this part of the IoT?

Thoughts anyone?

Clive Robinson February 2, 2017 12:36 PM

@ BarneyC,

Thoughts anyone?

Back when I was designing electronic locks for hotels wireless networking was not available, nor for that matter 10BaseT it was 5V serial or nothing and “nothing” was very much the prefered option due to not just cabling cost but the unreliability of wires bending at door hinges.

In essence an electronic door lock is a real time clock (RTC) a simple solenoid driver and a card reader with some Electricaly modifiable memory.

The key card was an ABA magstripe card with a non standard data rate. On this would be a key type field, an idetifier and a start date and an expiry date. The identifier for a guest type key would be the room number, and zones etc for maid keys etc. The data on the card would be encrypted by the hotel ID number held in each lock and the Front Desk Unit (FDU) or Key Maker. In later models the dates would be further encrypted by the type and identifier. The lock would keep a log of the last ten, twenty five or one hundred accesses and the actual time and date from the RTC, in some cases this would be differentialy encoded from the previous time to cut down on the amount not just of storage but the power required.

Underneath the lock would be a RJ phone jack that emergancy powere and serial data could be supplied. This was used with a portable device based on the earlier Psion Organisers with very rudimentry security. The organisers had to be pluged into the FDU supposadly as a security check every eight hour shift, in reality it was to get the “correct time” with which the lock RTC would be updated. Also the lock log would be downloaded and the time correction difference noted.

Back then the FDU was actually an industrial control unit version of the BBC Modle B home computer, and one of the jobs I had was getting this shifted across onto a 286 based PC board running either MSDOS 3 or 4.

We were also approached at that tine by a number of Hotel Back End system supliers including IBM to integrate into their systems. They wanted “network” connectivity all I was happy to supply was RS232 with minimal data transfer which.was more than sufficient then and would still be today.

However marketing types are “feature hores” and want everything including the kitchen sink. Which is what was starting to happen when I moved into a different industry. From what I gather has happened guests are now “objects” of very large size and get injudiciously passed around the systems.

From a security point of view this is not a good idea especially when the FDU can change the object and pass it back…

But why let a thing like security get in the way of integrated marketing features, they are what the customer is buying, not security.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.