Ask your questions for Eli and the rest of the Silicon Discourse community here. Build your reputation by giving advice to others too!
Traveling a lot as an IT professional, I get bored at hotel rooms. I often start scanning the wireless network with nmap to find vulnerabilities. Sometimes the default gateway of the wifi subnet is the webpage of a router with a default username and password.
But today I found a website on the intranet hosting the complete security access system. Admin admin got me in. I can see all rooms, the guests names, change badges, lock people out, assign badges to rooms, see when people open their doors, full access to the configuration script, it’s all there!The supplier of this system even mentions this 4 star hotel on their website as a great recent accomplishment!
So now I would like to inform somebody about this ‘issue’, which also affects my own security. I am in a place far away from home, I don’t speak the language and I have no idea about the laws in this country. Just going to the receptionist and trying to explain seems not that smart since I think she isn’t allowed to have this level of access. Asking for the hotel manager might be a bad idea since he might not speak good English and might call the police. Sending an email to the hotel might also end up at the wrong person, or leave tracks to my home country and bring my company in problems. Our management uses this 4 star hotel every few months.
There might be a little logfile somewhere, that now lists my admin logon including timestamp, IP and MAC. So I start to get even more concerned about my own security. Do you think it is a good idea to do what I just did, and if yes, should I inform the hotel and how?
I’d just send an anonymous email, carefully worded (such that it can be google translated) explaining that you are a public spirited hacker with your white hat at a jaunty angle, and that there are some security problems you discovered when you were bored that might be putting their guests at risk. I’d give them a nice, concise list of the problems and how to fix them, and make it clear that they should make these known to the network admin, not that you are in any way ‘phishing’ for work or blackmailing them, you’re just the friendly neighbourhood security guy who stayed in their hotel.
I told my story to the 2nd director of my company, they couldn’t care less. Funny though, nothing more. They will not change that hotel deal because some nerd found a badge website. They will not mess up the relationship with that hotel just because 1 employee could illegally break into that system. Just use the vpn on your laptop and you are safe that’s all they care. They don’t want me to check security and hack.