Watch a Hacker Hijack a Capsule Hotel’s Lights, Fans, and Beds

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Kyasupā wondered if he could hack his hotel’s iPod Touch controls after they handed it to him at check in, but he didn’t want to waste his vacation time reverse engineering the system. He says he changed his mind after a noisy neighbor kept him up for several nights. “I thought it would be nice if I could take control of his room and make him have a lovely night,” he writes. “That’s how I decided to start to analyze how everything worked.”

The iPods the hotel issued as remote controls were locked with iOS’ “guided access” setting that prevents users from leaving the Nasnos remote control app. But Kyasupā found he could simply let the iPod’s battery drain and restart it to gain full access—a hard reboot is a known guided access workaround—and the iPod didn’t have a PIN set for its lockscreen. He then saw that the iPod was connecting via Wi-Fi to a Nasnos router—each room seemed to have its own—that in turn connected via radio to the other digital devices in the room like its lights, fan, and foldout couch.

To intercept the app’s commands from the iPod to the Nasnos router, Kyasupā knew he’d have to find the password to access that router. But remarkably, he found that the Nasnos routers used WEP encryption by default, a form of Wi-Fi security known for decades to be easily crackable. “Seeing that WEP is still used in 2019, it’s crazy,” he writes. Using the program AircrackNG, he brute-forced the router’s password and connected to it from this laptop. He was then able to use his Android phone as a Wi-Fi hotspot, connect the iPod to that hot spot, and route it through his laptop. Finally, he connected the laptop to the Nasnos router via Wi-Fi and used that setup as a man-in-the-middle to eavesdrop on all the iPod’s communications to the router.

Kyasupā then tried out every function in the app—such as turning lights on and off, converting the couch to a bed, and so on—while recording the data packets sent for each one. Because the Nasnos app used no actual authentication or encryption in its communications with the router, other than the WEP Wi-Fi encryption, he could then connect to the room’s router with his laptop instead and replay those commands to trigger the…