The laptop's hard disk was encrypted, so the consultant wasn't bothered about the data, but, rather amusingly, the hard disk appeared on eBay a couple of days later. How did we know it was his? There can't be many hard disks with Coca Cola stains on them.
This incident reminds me of some research into hotel security we did a while ago.
Conventional key locks are indeed fairly secure, although lockpicking and "bumping" are always a problem. However, magnetic stripe keycards are now ubiquitous, and we believe there are vulnerabilities in these systems.
Next time you check into a hotel, take a look over the reception counter when your keycard is being encoded. Generally, the door locks on the room you are allocated will be synchronised with the encoder through a basic key exchange and time sync process.
After all, the locks themselves are standalone, so have no other way of synchronising with the encoder at the front desk. They are mapped to the encoder by manually going to each door with a digital keycard, attached to the encoder.
However, door locks occasionally fail or fall out of sync and have to be reprogrammed or resynched. And here lies the vulnerability: if you can get hold of a lock programmer and encoder then you can reprogram the door lock yourself.
The encoders aren't that easy to get hold of, but they do appear on eBay occasionally and can also be purchased from a tiny number of repair agents. Yet, the security model of some keycard systems appears to rely on the vendor and hotels keeping control of the distribution of encoders, which is clearly a weak model.
So if you assume that your hotel room can be broken into, presumably you can protect yourself by putting your valuables into the in-room safe? Not necessarily.
The latest generation of hotel safes use the room keycard for access. Some even offer querying for management over infra-red using a PDA, which could open up a whole new attack vector ...
So you're in your hotel room and your laptop and PDA are right there under your watchful eye. You need to complete and email a presentation to a client and log into the in-room internet access. If it's a wired web access system, then beware of a complete lack of segregation between users on that network. I know of one case where the hotel's booking systems were on the same open network as the guest rooms. Barmy!
And the entertainment facilities can also put you at risk. Research has been published in the past showing how easy it is to intercept other guests' billing data, even the movies they are watching. IPTV is emerging in hotels, bringing with it a whole new set of functionality - and security concerns.
Even the mini bar isn't as simple as it seems. Wireless mini bars offer wireless internet access and can also control the hotel room safe. They're increasingly common, some even featuring ethernet connections in the back. You may have noticed small sensors under the drinks bottles. You may be interested to know that most "smart" mini bars allow you a few seconds to take out the bottle to "inspect your potential purchase". If you replace it, you don't get charged. I wonder how long it would take to empty the bottle, fill with water and replace?
Hotels don't really care about the security of your possessions or personal data. They care about occupancy rates and selling additional services. If a new technology is likely to reduce costs or add revenue per guest, its security is unlikely to be questioned.
So is your stuff safer in the room than in your car in the car park? Probably. For now.
- Ken Munro is managing director of SecureTest. He can be contacted at firstname.lastname@example.org.
Hotel room security: Service not included
By Ken Munro on Nov 27, 2007 3:35PM