Kyasupā wondered if he could hack his hotel’s iPod Touch controls after they handed it to him at check in, but he didn’t want to waste his vacation time reverse-engineering the system. He says he changed his mind after a noisy neighbor kept him up for several nights. “I thought it would be nice if I could take control of his room and make him have a lovely night,” he writes. “That’s how I decided to start to analyze how everything worked.”
The iPods the hotel issued as remote controls were locked with iOS’s “guided access” setting that prevents users from leaving the Nasnos remote control app. But Kyasupā found he could simply let the iPod’s battery drain and restart it to gain full access—a hard reboot is a known guided access workaround—and the iPod didn’t have a PIN set for its lockscreen. He then saw that the iPod was connecting via Wi-Fi to a Nasnos router—each room seemed to have its own—that in turn connected via radio to the other digital devices in the room like its lights, fan, and foldout couch.
To intercept the app’s commands from the iPod to the Nasnos router, Kyasupā knew he’d have to find the password to access that router. But remarkably, he found that the Nasnos routers used WEP encryption by default, a form of Wi-Fi security known for decades to be easily crackable. “Seeing that WEP is still used in 2019, it’s crazy,” he writes. Using the program AircrackNG, he brute-forced the router’s password and connected to it from this laptop. He was then able to use his Android phone as a Wi-Fi hotspot, connect the iPod to that hotspot, and route it through his laptop. Finally he connected the laptop to the Nasnos router via Wi-Fi and used that setup as a man-in-the-middle to eavesdrop on all the iPod’s communications to the router.
Kyasupā then tried out every function in the app—such as turning lights on and lights off, converting the couch to a bed, and so on—while recording the data packets sent for each one. Because the Nasnos app used no actual authentication or encryption in its communications with the router other than the WEP Wi-Fi encryption, he could then connect to the room’s router with his laptop instead and replay those commands to trigger the same changes.
Kyasupā still faced the task of figuring out how to connect to routers in other rooms. But at this point, he says, he left the hotel to visit another city, returned a few days later, and was given a different room in the hotel. When he cracked the password of that room’s router, too, he found that it had only four characters different from the first one. That lack of real randomization of passwords allowed him to easily brute-force all the passwords for other rooms in the capsule hotel.
One afternoon while the hotel was relatively empty, Kyasupā says, he walked over to his old noisy neighbor’s room—the loud-talking offender was still staying in the hotel, the hacker claims—and found that room’s router ID and password by standing outside of it and testing the lights to check he had the right target. That night, as he tells it, he set his laptop to launch his script. He says he doesn’t know how his target reacted; Kyasupā slept through the night, and didn’t see the neighbor again before he apparently checked out. “I’m sure he had a wonderful night,” Kyasupā writes. “Personally, I slept like a baby.”
After his trip, Kyasupā says he emailed the hotel to alert them to their vulnerabilities, and also shared his findings with Nasnos, which didn’t respond. He says the hotel did address the problems he told them about, switching its Nasnos routers to WPA encryption to make cracking their passwords far more difficult. He warns that anyone who uses Nasnos’ home automation systems should similarly check to make sure they’re not using WEP, and in cases of multiple routers in the same building such as a hotel, give each one random passwords that can’t be derived from each other or easily brute-forced.
For the loud capsule hotel guest he says he tested his hacking techniques on, Kyasupā offers a different moral to the story. “I hope he’ll be more respectful to his neighbors in the future,” he says, “and that he is not too scared about ghosts.”
More Great WIRED Stories