BSides Toronto 2020

The Great Hotel Hack: Adventures in attacking hospitality industry
2020-10-18, 11:00–11:20, Twitch

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests' private information was compromised sets for one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access to Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest's details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.


My research comprises of the threat vector that specifically targets the internet gateway devices installed at most of the hotels worldwide to which the property management systems, internet of things, guest personal devices, hotel point of sale systems and corporate network is connected. Previous researches have shown the impact on point of sale systems and hotels' corporate network via spear phishing attacks but none of them have ever considered working on remote exploitation of the internet gateway device which once compromised leaves the hotel at the attackers' mercy, as seen in the past by advanced persistent threats like DarkHotel and APT28.

The hotels attack surface is considered limited to to Evil twin and spear phishing attacks. This research opens new door for security researchers to look at the device which most of the time exposed to the internet and can be the entry point to everything connected in hotel. This research is going to serve as an alert for guests and hotel owners to consider securing there infrastructure as such attack vector can put millions of guests and employees and reputation at risk.

Etizaz Mohsin is an information security researcher and enthusiast. His core interest lies in low level software exploitation both in user and kernel mode, vulnerability research, reverse engineering. He holds a Bachelors in Software Engineering and started his career in Penetration Testing. He is an active speaker at international security conferences. He has achieved industry certifications, the prominent of which are OSCP, OSCE, OSWP, OSWE, OSEE, CREST CRT, CPSA, EWPTX, CEH.