The St. Regis, a five-star Chinese hotel controlled mostly by digital "butlers," was infiltrated by a hacker in only two days. Jesus Molina, a security specialist visiting the St. Regis on a business trip, announced a glaring vulnerability that he discovered in the "Internet of things" at this week's Black Hat hacker convention in Las Vegas.
Molina discovered that the iOS version that his hotel room was running was something that anyone could change. He used this to upload an "unlocked" version of iOS into the hotel's systems and tested the waters.
The St. Regis has over 250 rooms. Each guest receives an iPad with an app installed that controls room temperature, a do-not-disturb sign, and orders room service.
The signals being sent to and from the iPads to the hotel's server are unsecured. That meant that Molina could use a "sniffer" program to catch stray bits of data. His next step was to determine what segments of code controlled what, and it only took Molina a day or two to have the ability to make every electronic do-not-disturb sign on his floor blink rapidly.
Molina is a well-intentioned hacker, but glaring security flaws like the one at the St. Regis mean that companies need to rethink their foundations before diving headfirst into "smart" hotel rooms. Molina explained what fixing the flaw would cost the St. Regis to Wired Magazine.
“They have to take down the whole system,” Molina says. “They have to rewire everything and redo the information of every room. It’s not a bad thing that they did it wrong. At least they have been very open to fix all the problems.”
The hotel has updated their iOS systems, but their networks are still at risk. Molina warned hotels to update their systems against vulnerabilities like these. Personally, I'd take personal security over an in-room iPad any day. What do you think? Leave me a comment.