Hacker Takes Control of Devices in Every Room at Shenzhen St. Regis

If your hotel room’s lights begin to flicker, drapes start to move, or the TV turns on and off, you might think there’s a ghost in the room. Or, more probably, someone like Jesus Molina could be working the room’s gadgets.

While staying at the 5-star St. Regis in Shenzhen, about 19.2 miles north of Hong Kong, Molina claims he did just that by hacking into the hotel’s home-automation network, giving him control of devices in all 290 rooms.

This may be especially worrisome as hotels add wireless features to rooms in response to consumer demand — 94 percent of guests say WiFi is important when booking, according to a study by Forrester Research. And 34 percent of business travelers won’t stay at a place without it.

Molina started his experiment when he got bored, he explained in a presentation at Black Hat USA 2014, a conference for Internet security experts. So he picked up his room’s iPad, which is included in every room at the Shenzhen St. Regis. The iPad enables guests to wirelessly manage a room’s lights, thermostat, television, appliances and other features. But one room turned into many rooms after Molina began tampering with the iPad to make the “Do Not Disturb” signs on his floor pulse, according to an account of his talk at Wired.com.

“Guests make assumptions that the channel they are using to control devices in their room is secure,” Molina said. He had just begun to prove otherwise.

Molina discovered that the hotel was using an old communications system that lacked proper security. (You can read more about the technicalities here.) It didn’t take him long to tap into the Internet protocol addresses for each room, thereby allowing him to control those rooms’ devices. To validate his discovery, he filmed himself turning on a room’s lights from another part of the hotel.

Molina explained that given the hotel’s unstable wireless network, hackers would also be able to install the iPad’s application onto their own computers to control the hotel’s devices from anywhere in the world. “I could be in Berlin and the iPad could make me able (sic) to switch on the lights in the hotel at 3 a.m. from there,” he said.

Though Molina risked rattling the government, he revealed his escapades to the St. Regis’ chief security officer, who allegedly had been trying to resolve the issue for a while. “They have to rewire everything and redo the information of every room,” Molina explained. “It’s not a bad thing that they did it wrong. At least they have been very open to fix all the problems.”

While Molina says he found no evidence that the iPad also managed room locks, he remains concerned about the implications of his findings. He asked, “If I were able to control every device in your hotel room, will you move to another hotel tonight? The problem is we don’t care. More physical devices are doing these things. But what about privacy? The worst that could happen is that we don’t care. Welcome to 2084.”

Correction: Shenzhen is 19.2 miles north of Hong Kong. An earlier version of this article inaccurately stated it was 50 miles.

[Photo: St. Regis]