Kyasupā wanted to know if he could hand it over to his hotel’s iPod Touch controls to crack when he checked in, but he didn’t want to waste his vacation time to reverse engineer the system. He said that after a noisy neighbor let him sleep for several nights, he changed his mind. “I thought it would be great if I could control his room and let him spend a good night,” he wrote. “This is how I decided to start analyzing how everything works.”
The iPod released by the hotel as a remote control is locked by the “Guide Access” setting of iOS to prevent users from leaving the Nasnos remote control application. But Kyasupā found that he could simply let the iPod’s battery drain and restart it to gain full access — a hard reboot is a known boot access solution — and the iPod didn’t set a PIN for its lock screen. Then he saw the iPod connected to the Nasnos router via Wi-Fi—each room seemed to have its own router—and then connected via radio to other digital devices in the room, such as lights, fans, and folding sofas.
In order to intercept the application’s commands from the iPod to the Nasnos router, Kyasupā knew he had to find the password to access the router. But it is worth noting that he discovered that Nasnos routers use WEP encryption by default, which is a form of Wi-Fi security that has been known for decades to be easy to crack. “It’s crazy to see that WEP is still in use in 2019,” he wrote. Using the AircrackNG program, he brute-forced the router’s password and connected to it from this laptop. Then he can use his Android phone as a Wi-Fi hotspot, connect an iPod to the hotspot, and route through his laptop. Finally, he connected the laptop to the Nasnos router via Wi-Fi, and used this setting as a middleman to eavesdrop on all communications between the iPod and the router.
Kyasupā then tried every function in the app-such as turning on and off lights, turning the sofa into a bed, etc.-while recording the data packets sent for everyone. Because in addition to WEP Wi-Fi encryption, the Nasnos application does not use actual authentication or encryption in the communication with the router, then he can use his laptop to connect to the router in the room and replay these commands to trigger the same Change.
Kyasupā still faces the task of figuring out how to connect to routers in other rooms. But at this time, he said that he left the hotel for another city, returned a few days later, and got a different room in the hotel. When he also cracked the password of the router in that room, he found that it was only four characters different from the first one. Due to the lack of real password randomization, he can easily brute force all the passwords of other rooms in the capsule hotel.
One afternoon, when the hotel was relatively empty, Kyasupā said that he walked to his old neighbor’s room-the loud-speaking criminal was still living in the hotel, and the hacker claimed-standing outside and found the router ID and password. It also tests the lights to check if he has the correct target. That night, as he said, he set up his laptop to start his script. He said he didn’t know how his goal reacted. Kyasupā slept all night and didn’t see the neighbor again before he apparently checked out. “I believe he had a good night,” Kyasupā wrote. “Personally, I sleep like a baby.”
After the trip, Kyasupā said he sent an email to the hotel to remind them of their loopholes and shared his findings with Nasnos, but Nasnos did not respond. He said that the hotel did solve the problem he told them, switching the Nasnos router to WPA encryption, making it more difficult to crack the password. He warned that anyone using the Nasnos home automation system should similarly check to make sure they are not using WEP, and if there are multiple routers in the same building (such as a hotel), please provide each router with a random password that cannot be exported Come from each other or can be easily cracked by brute force.
To the loud capsule hotel guest, he said that he tested his hacking skills and Kyasupā provided a different moral to the story. “I hope he will respect his neighbors more in the future,” he said, “and he won’t be too afraid of ghosts.”
More exciting connection stories