Kyasupā wondered whether he could hack the hotel’s iPod Touch controls after they handed it to him at check-in, but he didn’t want to waste vacation time reverse engineering the system. He says he changed his mind after a noisy neighbor kept him awake for several nights. “I thought it would be nice if I could take control of his room and make him have a pleasant night,” he writes. “So I decided to start analyzing how everything worked.”
The iPods the hotel issued as remote controls were locked with iOS’s “guided access” setting, which prevents users from leaving the Nasnos remote control app. But Kyasupā found that he could simply let the iPod’s battery drain and restart it to gain full access (a hard reboot is a known guided access workaround), and the iPod did not have a lock screen PIN set. He then saw that the iPod connected via Wi-Fi to a Nasnos router (each room seemed to have its own), which in turn was connected by radio to the other digital devices in the room, such as lights, fans, and a sofa bed.
To intercept the app’s commands from the iPod to the Nasnos router, Kyasupā knew he would have to find the password to access that router. But remarkably, he discovered that the Nasnos routers used WEP encryption by default, a form of Wi-Fi security that has been known for decades to be easily cracked. “The fact that WEP is still being used in 2019 is crazy,” he writes. Using the AircrackNG program, he brute-forced the router’s password and connected to it from his laptop. He could then use his Android phone as a Wi-Fi hotspot, connect the iPod to that hotspot, and route it through his laptop. Finally, he connected the laptop to the Nasnos router via Wi-Fi and used that setup as a man in the middle to eavesdrop on all of the iPod’s communication with the router.
Kyasupā then tried out all the features in the app, such as turning the lights on and off and converting the couch into a bed, while recording the data packets sent for each of them. Because the Nasnos app used no actual authentication or encryption in its communication with the router, other than the WEP Wi-Fi encryption, he could instead connect to the room’s router with his laptop and replay those commands to trigger the same changes.
Kyasupā still faced the task of figuring out how to connect to the routers in other rooms. But at this point, he says, he left the hotel to visit another city, returned a few days later, and was given a different room at the hotel. When he cracked the router password of that room too, he discovered that it differed from the first by only four characters. The lack of any real randomization in the passwords allowed him to easily brute-force the passwords for all the other rooms in the capsule hotel.
One afternoon, while the hotel was relatively empty, Kyasupā says, he went to the room of his old noisy neighbor (the loud-talking offender was still staying at the hotel, the hacker claims) and found that room’s router ID and password by standing outside and testing the lights to check that he had the right target. That night, he says, he set up a laptop to run his script. He says he doesn’t know how his target reacted; Kyasupā slept through the night and didn’t see the neighbor again before he apparently checked out. “I’m sure he had a wonderful night,” Kyasupā writes. “I personally slept like a baby.”
After his trip, Kyasupā says he sent the hotel an email to warn them of their vulnerabilities, and he also shared his discovery with Nasnos, which did not respond. He says the hotel nevertheless fixed the problems he told them about, switching its Nasnos routers to WPA encryption to make cracking their passwords far more difficult. He warns that anyone using Nasnos home automation systems should similarly check that they are not using WEP and, where there are multiple routers in the same building, such as in a hotel, give each one a random password that cannot be derived from the others or easily brute-forced.
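The check recommended above, sketched as an added example (not code from the article, Kyasupā, or Nasnos): it audits a router inventory for WEP and for keys that differ from another room's in only a few positions, then issues independent random replacements. The room names, keys, the "WPA2" label and the four-position threshold are constructed assumptions.

```python
import secrets
import string
from itertools import combinations

# Constructed inventory: hypothetical rooms and keys, not taken from the hotel.
ROUTERS = [
    {"room": "A-101", "security": "WEP",  "key": "nsn4K7pQ2x01"},
    {"room": "A-102", "security": "WEP",  "key": "nsn4K7pQ9z13"},
    {"room": "B-201", "security": "WPA2", "key": "t8Vq3mZr0LwYc5Hd"},
]

def differing_positions(a, b):
    """Number of positions where two keys differ (extra length counts as differing)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def audit(routers, max_diff=4):
    """Return findings: routers still on WEP, and pairs of rooms whose keys
    differ in max_diff positions or fewer (one key reveals most of the other)."""
    findings = [("wep", r["room"]) for r in routers
                if r["security"].upper() == "WEP"]
    for a, b in combinations(routers, 2):
        if differing_positions(a["key"], b["key"]) <= max_diff:
            findings.append(("related-keys", a["room"], b["room"]))
    return findings

def new_passphrase(length=20):
    """Independent random passphrase from the OS CSPRNG (valid WPA length is 8-63)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def remediate(routers):
    """Plan for every router: leave WEP and get a key unrelated to any other room's."""
    return [{"room": r["room"], "security": "WPA2", "key": new_passphrase()}
            for r in routers]

if __name__ == "__main__":
    for finding in audit(ROUTERS):
        print("FINDING:", finding)
    print("after remediation:", audit(remediate(ROUTERS)))
```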
For the loud capsule hotel guest on whom he says he tested his hacking techniques, Kyasupā offers a different moral of the story. “I hope he will respect his neighbors more in the future,” he says, “and not be afraid of too many ghosts.”