Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online (zdnet.com) 60

Catalin Cimpanu, writing for ZDNet: Singapore authorities have fined a Chinese security researcher with SGD$5,000 (USD$3,600) for hacking into a local hotel's WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August, this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference's duration. The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike. He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device. [...] The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online.
This discussion has been archived. No new comments can be posted.

Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online

Comments Filter:
  • Time to change the default configuration so that if you want Telnet you have to manually enable it.
  • Hacked? (Score:5, Insightful)

    by Nkwe ( 604125 ) on Tuesday September 25, 2018 @09:49AM (#57373086)
    So trying a default password on a device is "hacking" now? That makes me sad.
    • Re:Hacked? (Score:5, Informative)

      by bluefoxlucid ( 723572 ) on Tuesday September 25, 2018 @10:00AM (#57373152) Homepage Journal

      Well, yes. Also: Summer2018, Fall2018.

      It's bad form to breach someone's network unannounced and then publish their internal passwords on your blog without informing them.

      • by phayes ( 202222 )

        Had he actually cracked the password, sure, no question but revealing that X is still using the _default_ admin password and is open to anyone using it, not so much. I agree an attempt should have been made to notify the hotel but given how some organizations react when you tell them that they left the door wide open (YOU'RE A HACKER!!! I'M CALLING THE AUTHORITIES!!!), that's not always the best thing to do either.

        • by Cederic ( 9623 )

          Or maybe he should have sought permission before attempting to gain access to the device.

          What he did is a crime in the UK too.

          • by phayes ( 202222 )

            The sum of what he did, sure especially rooting through the system to find the MySQL database and publish the decyphered password.

            However, unless there was a prelogon banner message warning people off, attempting to logon using the default password and publishing that & the IP would not have been.

            • by Cederic ( 9623 )

              The moment he's asked to provide credentials and uses a credential not assigned to him he's broken the law.

              There's no grey area here, it's a clear and obvious violation of a security control and a blatantly unauthorised access.

              That the security was shitty is entirely fucking irrelevant, he should never have even known it was shitty.

              • by phayes ( 202222 )

                So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK? Interesting.

                You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

                Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK? Port scanning?

                • by Cederic ( 9623 )

                  So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK?

                  It's section 1 subsection 1 of the Act. Can't get much simpler than that: https://www.legislation.gov.uk... [legislation.gov.uk]

                  You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.

                  Most systems in the UK will provide a similar warning, but the law doesn't mandate or require it.

                  Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK?

                  Technically even entering isn't illegal. It's a civil offence of trespass, not a criminal one. So no, I suspect not - but the police are likely to treat it as probably cause for searching you and potentially inviting you for a long conversation with them at the station. They may even offer you a cup of cof

    • by AmiMoJo ( 196126 )

      Student does something a bit dumb "with a computer" is a story now? That makes me sad.

      • Hotel does something dumb, with a computer.
        Student checks to see whether hotel has done something dumb, with a computer.
        Student discovers the hotel has indeed done something dumb, with a computer.
        Student uses computer to mention the discovery to other people with computers.
        Hotel decides to shift blame for their mistake to student, probably the good old fashioned way with a phone call to the authorities. Just a hunch though.
        • Re: (Score:3, Insightful)

          by sarren1901 ( 5415506 )

          Try going around an apartment complex "testing" doornobs and see how long before someone confronts you or just outright calls the cops. You aren't allowed to do penetration test of other peoples' property without their permission.

          Just because "its with a computer" doesn't really change anything. Someone leaving their front door unlocked doesn't mean you can come in and wander around. It's still trespassing.

          So really, the article should of said, stupid person that thinks "on a computer" doesn't count.

    • Re:Hacked? (Score:4, Insightful)

      by Anonymous Coward on Tuesday September 25, 2018 @10:41AM (#57373402)

      This may come as a surprise, but in a real world analogy, if a business says to you "you aren't allowed on premise" and you choose to enter any way, you can be arrested even though the doors were unlocked and open to the public. It's called trespassing. So to map real world laws to computers, even if there was no security of any kind, accessing the computer without permission would be digital trespassing and would be illegal. Even if the general public is allowed but only you were specifically forbidden.

      • by anegg ( 1390659 )

        accessing the computer without permission would be digital trespassing and would be illegal

        Sure, and "digital trespassing" is wrong (in my opinion). But its not "digital breaking and entering" (what I would consider hacking to be) (again, in my opinion).

    • Comment removed based on user account deletion
    • Yep, it's hardly hacking, and nonetheless stupid from the so-called security researcher.

      I can't count the number of times where I could easily get full access to hotels wireless routers. It's most of the times completely open.

      Once I could even see all the hotel stuff, invoices (they had an overdue internet bill for 3 months), ... That's what happens when hotels install the internet themselves like they do at home.

  • he'd have been charged with life in prison for being a terrorist and whatever else.

    • No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

      • No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.

        Why is that bad? He obtained login credentials that he wasn't authorized to have and posted them for the rest of the world to take advantage of, without telling the hotel that they had a problem.

        Had he stopped at telling the hotel and let them fix it, that would be one thing. He didn't even bother telling them, but he told all his "hacker friends" so they could take advantage of the system.

    • This took place in Singapore and, as anyone who's ever worked in Singapore knows, almost everything is illegal and punishable by fines, canings, beatings or imprisonment. The authorities fine you $500 for carrying a Durian fruit on the subway...
      • by Cederic ( 9623 )

        I'll be there in a couple of months, so I've been researching in advance.

        Must not import chewing gum!

  • by gnasher719 ( 869701 ) on Tuesday September 25, 2018 @09:59AM (#57373150)
    There was no good reason for that. That's the point where it turned criminal for me. For others the point might have come earlier (I assume that he didn't cause any damage before that).

    Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.
    • on the plus side this is probably the only time the company will change their passwords

      hopefully

    • Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.

      Yep.

      I've even heard it called "blaming the victim" when easy access is blamed for unwanted entry.

      Can't we just "teach men not to hack"?

    • by phayes ( 202222 )

      Publishing the MySQL password, sure, but revealing that the hotel never changed the default admin telnet password, not so much.

    • Comment removed based on user account deletion
    • by gweihir ( 88907 ) on Tuesday September 25, 2018 @11:29AM (#57373614)

      I agree. And the term "security researcher" seems to be used quite inflationary these days. An actual researcher would have understood professional ethics.

    • by asylumx ( 881307 )
      If I enter your home, bypassing your obvious security measures but not breaking anything (picking your locks, perhaps?) are you arguing that I have not yet done anything illegal? In most countries, that is enough to make it criminal. In some US states, this is enough to warrant that the homeowner has the right to take the intruder's life.
  • "to hack into the WiFi network of a Fragrance Hotel branch"

    If you tell it like that.

  • Tencent, along with QQ, represents the shithole of the internet. I've had to block their entire assignment of IP addresses because nothing but intrusion and spam-sending attempts come from them. Good riddance!
  • and no link to blog post so I can decide myself if that was a hack or just using the default password.

You know you've landed gear-up when it takes full power to taxi.

Working...