The flight was long, and all you want to do now is get to your room, have a drink, and go to sleep. You sit down at the desk in your room, log onto the hotel’s Wi-Fi and log into your email. This is about the time your phone beeps. It’s almost dead. Luckily, your room has a charging station right on the desk… How convenient! The iPod needs to be charged too, so you slip it into the hotel’s radio dock and listen to music while you work through your email.
Your defensive cyber security score is unsatisfactory.
It’s not your fault. You can’t be held accountable for what you don’t know. This article will raise your awareness of common cyber and technical threats, and lay out best practices you can adopt to protect your proprietary and personal information on the road.
Many of you probably already think you spotted the first mistake. Hotel Wi-Fi! Yes, it is on the list, but we will get to that. In my past life in the military, we were always wary of hotel room desks. In fact, in some countries we just accepted that we were probably being videotaped in our rooms. This threat is one that all business travelers should consider and develop a course of action to mitigate. I’m not implying that every square foot of the room is being recorded, but passwords and proprietary information could be observed by a small camera planted in the area above the desk. You can attempt to locate the device, but only trained individuals with special equipment have that capability. The hackers could also be using the hotel’s internet to offload the images anywhere in the world.
Below are three cameras that can be used for this. Their prices range from $25 to $125.
Three cameras: The thin black tube is a camera the width of a mechanical pencil eraser.
In hotel rooms, this type of criminal activity has become a “new norm.” But take a breath and relax. Let’s fix it. First, never attempt to look for these concealed cameras, as you will just provide comic relief for the perpetrators. Cameras set up to capture keystrokes and screenshots can be defeated. Don’t work at the workstation in the hotel room. Move your laptop to another area. Yes, I even move the desk. Why not? It’s my room. The camera will usually have been placed to view the workstation, so moving the desk even three or four feet will typically defeat it.
You now have options. You could call me paranoid and ignore me. (Note... I did not come up with this technique by myself.) Or you could share this with your colleagues, to make them aware of the threat.
Now, let’s review the convenience that the desk charging station affords. The USB slots on a charging station have the potential to provide a gateway to take information from, or leave a payload on, your mobile device. This technique has been used in Eastern Bloc countries and, like most vulnerabilities, is working its way to the United States. Hackers simply swap the charging station for one that has a microprocessor in it. When I say microprocessor, think of a mini computer. One of the most popular mini computers commercially available for under $40 is the Raspberry Pi. We will talk more about these in future articles.
A criminal rents the room for a night and replaces the charger in the room with an exact copy in which the usual components have been replaced with a little computer. At that point, they combine software and hardware exploits to steal data or deliver malicious payloads. USB exploits are tougher to execute than they were a few years ago, but new exploits are continually being developed. Plugging into any USB port that you don’t own is bad. Don’t do it. This means don’t do it in airports, on planes, in rental cars, hotels, bars… You name it, don’t do it… at all… ever! The wall socket is safe (I think), but USB charging stations are not.
The next mistake made in the above scenario is using that iPod radio dock in your room. It’s so easy to just slide your device into it and listen to your tunes. The same principle applies… Don’t do it! Now you’re interacting with your device while it’s connected to the mini computer inside the dock, which can make it even easier to exploit. The pictures below show devices from actual hotel rooms. No one is ensuring these devices are safe for you to use. The turnover is too great. Remember, if I can rent the room for a night, I have free access to install and replace anything I want. The hotel may know if I take a beer out of the refrigerator, but not if I swap out the charging station or radio.
This charger is easily found online for purchase and can quickly be replaced with a hacker’s modified version.
The fix is to use wall chargers or buy a data blocker. A data blocker ensures that no data is transferred while charging; only power flows. I use PortaPow, and have bought a number of them to provide to my course participants. I have never observed a failure to block data during testing. There are a lot of companies selling these products now, and I’m not promoting one over another. Just make sure that you test it when you get it.
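The article says to test a data blocker but not how. The script below is an added example (not the author’s) of one way to do it on a Linux laptop: take an `lsusb` snapshot before plugging a phone in through the blocker and another after; a blocker that passes only power leaves the device list unchanged, while a new entry means the data lines are connected. The sample snapshots and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: test a USB data blocker on a Linux laptop
# by comparing `lsusb` output taken before and after plugging a phone in through it.

# Print the lines present in the "after" snapshot but not in the "before" one.
# $1 = before snapshot file, $2 = after snapshot file (both plain `lsusb` output)
new_usb_devices() {
    grep -vxFf "$1" "$2" || true   # grep exits 1 when nothing is new; that is fine
}

# Succeed (exit 0) when nothing new enumerated, i.e. the blocker held; else exit 1.
data_blocker_held() {
    [ -z "$(new_usb_devices "$1" "$2")" ]
}

# Constructed sample snapshots (not real captures) so the script runs stand-alone.
# Writes before.txt, after_blocked.txt and after_leaky.txt into the given directory.
make_samples() {
    cat > "$1/before.txt" <<'EOF'
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
EOF
    # Good blocker: the phone draws power but never enumerates.
    cp "$1/before.txt" "$1/after_blocked.txt"
    # Leaky "blocker" (or a plain cable): the phone shows up as a new USB device.
    { cat "$1/before.txt"
      echo "Bus 001 Device 003: ID 05ac:12a8 Apple, Inc. iPhone 5/5C/5S/6/SE"
    } > "$1/after_leaky.txt"
}

# Real use:  lsusb > before.txt ; plug the phone in via the blocker ; lsusb > after.txt
#            data_blocker_held before.txt after.txt && echo "blocker held"
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for f in after_blocked.txt after_leaky.txt; do
    if data_blocker_held "$SAMPLES/before.txt" "$SAMPLES/$f"; then
        echo "$f: blocker held, nothing new enumerated"
    else
        echo "$f: DATA LINES CONNECTED, new device(s):"
        new_usb_devices "$SAMPLES/before.txt" "$SAMPLES/$f"
    fi
done
```

A blocker can also be checked the other way round: with the phone attached through it, the phone should charge but should never prompt to trust the computer or show up as a storage device.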
Another problem arises when you don’t buy directly from a manufacturer. There are a lot of counterfeit products that at best don’t work correctly, and at worst may actually have nefarious parts and software built into them. The cigarette-lighter adaptor is also safe to use in vehicles (again, I think).
These charging vulnerabilities need to be addressed sooner rather than later. The ease with which people currently plug their devices into unknown charging docks is alarming.
This is the first of several articles regarding hotel room safety that I will be writing for RSA Conference. I’m going to stop here so you can start to correct possible deficiencies in your organizations. Later we will move on to other flaws you’ll find where we rest our heads on the road. Please remember, just as you’re probably very good at your job, so are hackers, con artists, and professional criminals.
Just as you spend 40 to 60+ hours a week getting better at your job, criminals spend as much time getting better at separating you from your money, intellectual property, corporate secrets, and even your life. Please instill this awareness in your employees and executives so that the adversary is never underestimated, and remember that false security is worse than no security.
Follow-up topics will include safes (such an oxymoron), nightstands, RFID skimmers, and Ethernet use.
Dale Wooden (Woody) is a retired member of the military with 20 years of active duty experience. He consults for DOD, DARPA, MGM International, General Electric, and state and federal law enforcement agencies on combined cyber and digital signature awareness. His experience has given him a unique insight from the operational side of security and how to blend it with cyber. He is the President and Founder of Weathered Security.
For any follow-on questions, please contact Woody at firstname.lastname@example.org