A travel tip: When staying in a “capsule hotel,” the Japanese style of budget accommodation that packs guests into tiny, adjoining rooms not much bigger than their bodies, be considerate of your neighbors. Especially if the capsule hotel you're staying in offers digital automation features—and a hacker is staying in the next room over.
That's a lesson one pseudonymous security researcher will share in a presentation on his experiences hacking a capsule hotel's automation systems today at the Black Hat hacker conference in Las Vegas. The hacker, who is French but asked to be called by his handle, Kyasupā, says he found half a dozen hackable vulnerabilities in the internet-of-things systems used in a capsule hotel he stayed at in 2019. They allowed him to hijack the controls for any room at the hotel to mess with its lights, ventilation, and even the beds in each room that convert to a couch, all of which are designed to be managed by networked systems linked to an iPod Touch given to every guest.
“When I saw all of these features, I thought it was pretty cool, because it means that if I can hack them, I could potentially control all the hotel bedrooms, which is super fun,” Kyasupā wrote to WIRED in a text-message interview ahead of his Black Hat talk. “At the end, I found a total of six vulnerabilities, which allowed me to build an exploit to take control of any bedrooms I wanted from my laptop.”
Kyasupā demonstrated his hotel-hacking shenanigans in a video that shows him using a script on his laptop to turn the lights on and off in a series of three capsule hotel bedrooms. He also converts the bed to a couch and back, and turns a fan in the room on and off. Aside from trying out his hacking techniques in that video—filmed near the end of his stay without the hotel's permission—he says he went so far as to use his powers to take revenge on another guest in the hotel who had been keeping him up with loud late-night chatter, running a script that turned on the victim's lights every two hours and repeatedly converted his bed into a couch in the middle of the night. "I take my sleep seriously, especially on holidays," writes Kyasupā, who works as a consultant for security firm LEXFO. "He woke me up several times; it seems normal if it's my turn."
(Given that Kyasupā wouldn't share his real name, the name of the hotel whose systems he targeted, or the name of his victim, WIRED couldn't independently verify his story of hacking an actual hotel guest, only that he appears to have found and demonstrated real security vulnerabilities in the hotel's automation devices.)
Beyond those hijinks, Kyasupā argues his findings should serve as a broader warning about the internet of things. He points out that the Nasnos CS8700 router used in the hotel seems to be sold to consumers too, potentially leaving them open to similar mayhem. Nasnos, a home automation technology company based in the Japanese city of Sano, didn't respond to WIRED's request for comment on Kyasupā's findings.
Kyasupā wondered if he could hack his hotel's iPod Touch controls after they handed it to him at check-in, but he didn't want to waste his vacation time reverse engineering the system. He says he changed his mind after a noisy neighbor kept him up for several nights. "I thought it would be nice if I could take control of his room and make him have a lovely night," he writes. "That's how I decided to start to analyze how everything worked."
The iPods the hotel issued as remote controls were locked with iOS' "guided access" setting that prevents users from leaving the Nasnos remote control app. But Kyasupā found he could simply let the iPod's battery drain and restart it to gain full access—a hard reboot is a known guided access workaround—and the iPod didn't have a PIN set for its lockscreen. He then saw that the iPod was connecting via Wi-Fi to a Nasnos router—each room seemed to have its own—that in turn connected via radio to the other digital devices in the room like its lights, fan, and foldout couch.
To intercept the app's commands from the iPod to the Nasnos router, Kyasupā knew he'd have to find the password to access that router. But remarkably, he found that the Nasnos routers used WEP encryption by default, a form of Wi-Fi security known for decades to be easily crackable. "Seeing that WEP is still used in 2019, it’s crazy," he writes. Using the program Aircrack-ng, he brute-forced the router's password and connected to it from his laptop. He was then able to use his Android phone as a Wi-Fi hotspot, connect the iPod to that hotspot, and route it through his laptop. Finally, he connected the laptop to the Nasnos router via Wi-Fi and used that setup as a man-in-the-middle to eavesdrop on all the iPod's communications to the router.
Kyasupā then tried out every function in the app—such as turning lights on and off, converting the couch to a bed, and so on—while recording the data packets sent for each one. Because the Nasnos app used no actual authentication or encryption in its communications with the router, other than the WEP Wi-Fi encryption, he could then connect to the room's router with his laptop instead and replay those commands to trigger the same changes.
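The missing control here is per-command authentication with replay protection. The sketch below is an added example, not code from Nasnos, the hotel, or Kyasupā's talk: it assumes a hypothetical per-room shared key and invented command names, and shows a receiver that rejects both a replayed packet and a modified one.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class Controller:
    """Sender side (the remote-control app in this sketch)."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def build(self, command: bytes) -> bytes:
        # Every packet carries a strictly increasing counter covered by the MAC.
        self.counter += 1
        body = struct.pack(">Q", self.counter) + command
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side (the room router in this sketch)."""

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, packet: bytes) -> bool:
        if len(packet) < 8 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified packet
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return False  # replay of a packet that was already accepted
        self.last_counter = counter
        return True


def demo() -> list:
    key = secrets.token_bytes(32)  # hypothetical per-room key
    app, router = Controller(key), Receiver(key)
    first = app.build(b"LIGHT_ON")  # constructed command name
    results = [router.accept(first), router.accept(first)]  # 2nd is a replay
    tampered = bytearray(app.build(b"LIGHT_OFF"))
    tampered[10] ^= 1  # flip one bit of the command
    results.append(router.accept(bytes(tampered)))
    results.append(router.accept(app.build(b"FAN_ON")))
    return results  # [True, False, False, True]
```

With this check in place, a recorded packet is only useful once, and a packet captured in one room is useless against a router holding a different key.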
Kyasupā still faced the task of figuring out how to connect to routers in other rooms. But at this point, he says, he left the hotel to visit another city, returned a few days later, and was given a different room in the hotel. When he cracked the password of that room's router too, he found that it had only four characters different from the first one. That lack of real randomization of passwords allowed him to easily brute-force all the passwords for other rooms in the capsule hotel.
One afternoon while the hotel was relatively empty, Kyasupā says, he walked over to his old noisy neighbor's room—the loud-talking offender was still staying in the hotel, the hacker claims—and found that room's router ID and password by standing outside of it and testing the lights to check that he had the right target. That night, as he tells it, he set his laptop to launch his script. He says he doesn't know how his target reacted; Kyasupā slept through the night and didn't see the neighbor again before he apparently checked out. "I'm sure he had a wonderful night," Kyasupā writes. "Personally, I slept like a baby."
After his trip, Kyasupā says he emailed the hotel to alert them to their vulnerabilities and also shared his findings with Nasnos, which didn't respond. He says the hotel did address the problems he told them about, switching its Nasnos routers to WPA encryption to make cracking their passwords far more difficult. He warns that anyone who uses Nasnos' home automation systems should similarly check to make sure they're not using WEP, and in cases of multiple routers in the same building such as a hotel, give each one a random password that can't be derived from the others or easily brute-forced.
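An operator can run that check across a whole building. The following added example (not from the article, the hotel, or Nasnos) audits a constructed inventory for weak Wi-Fi modes and for passphrases that differ in only a few positions, then reissues independent ones; the room names, passphrases, and the choice of WPA2 are assumptions made for illustration.

```python
import secrets
import string
from itertools import combinations

# Constructed sample inventory: router -> (Wi-Fi security mode, passphrase).
# Hypothetical values, not taken from any real deployment.
INVENTORY = {
    "room-101": ("WEP", "HTL4A7K101QZ9"),
    "room-102": ("WEP", "HTL4A7K102QZ3"),
    "room-103": ("WPA2", "q7Vd2mXc9LrT4bNs"),
}

WEAK_MODES = {"OPEN", "WEP"}
ALPHABET = string.ascii_letters + string.digits


def differing_positions(a: str, b: str) -> int:
    """Count positions where two passphrases differ; a length gap counts too."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def audit(inventory: dict, max_diff: int = 4) -> list:
    """Flag weak security modes and pairs of near-identical passphrases."""
    findings = []
    items = sorted(inventory.items())
    for name, (mode, _) in items:
        if mode.upper() in WEAK_MODES:
            findings.append((name, f"weak Wi-Fi security mode: {mode}"))
    for (n1, (_, p1)), (n2, (_, p2)) in combinations(items, 2):
        diff = differing_positions(p1, p2)
        if diff <= max_diff:
            findings.append(
                (f"{n1}/{n2}", f"passphrases differ in only {diff} positions")
            )
    return findings


def rotate(inventory: dict, length: int = 20) -> dict:
    """Assign each router WPA2 and an independent passphrase from the OS CSPRNG."""
    return {
        name: ("WPA2", "".join(secrets.choice(ALPHABET) for _ in range(length)))
        for name in inventory
    }


if __name__ == "__main__":
    for target, issue in audit(INVENTORY):
        print(f"{target}: {issue}")  # passphrases themselves are never printed
    print("findings after rotation:", len(audit(rotate(INVENTORY))))
```

The similarity check is a heuristic: it catches the pattern described above, but an empty result does not prove the passphrases were generated independently.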
For the loud capsule hotel guest he says he tested his hacking techniques on, Kyasupā offers a different moral to the story. "I hope he'll be more respectful to his neighbors in the future," he says, "and that he is not too scared about ghosts."