Tencent Security Researcher Fined For Hacking Hotel WiFi and Publishing Internal Network Credentials Online (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Singapore authorities have fined a Chinese security researcher SGD$5,000 (USD$3,600) for hacking into a local hotel's WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network. The incident took place at the end of August this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city. Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference's duration. The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike. He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device. [...] The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online.
Should have Telnet disabled by default (Score:1)
Re: (Score:2)
Windows 7 default setting does just that, so if you want Telnet you have to manually enable it.
Yeah, great solution, that'll stop people from using telnet to log into other people's wifi routers.
Hacked? (Score:5, Insightful)
Re:Hacked? (Score:5, Informative)
Well, yes. Also: Summer2018, Fall2018.
It's bad form to breach someone's network unannounced and then publish their internal passwords on your blog without informing them.
Re: (Score:1)
Except some routers have hardcoded admin passwords which can't be changed nor removed.
Call them intentional backdoors if you will.
[code]The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password. [/code]
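The check this thread keeps circling back to is whether a gateway still answers to a factory-default Telnet login. As an added example that is not part of the ZDNet article, the quoted CVE text, or any comment above, here is a small Python audit that tries a constructed list of default credentials against a Telnet login prompt and reports which ones the device accepts. It ships with a constructed in-process fake gateway so it runs offline; the host, port, prompt strings, and credential list are all assumptions, not details of the AntLabs or ZTE devices named on the page. Point it only at equipment you own or are authorized to test, which is the whole point of the discussion.

```python
import socket
import threading

# Constructed list of factory-default Telnet credentials (assumption; not
# taken from any vendor documentation or from the article above).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
]

# Byte markers taken to mean "you got a shell" and "login was rejected" on a
# busybox-style device (assumption: real firmware prompts vary).
SHELL_PROMPTS = (b"$ ", b"# ", b"> ")
FAILURE_MARKERS = (b"incorrect", b"failed", b"login:")


def _recv_until(sock, markers, max_bytes=4096):
    """Read from sock until any marker appears, the peer closes, or max_bytes arrive."""
    buf = b""
    while len(buf) < max_bytes and not any(m in buf for m in markers):
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, username, password, timeout=3.0):
    """Attempt one Telnet login; True only if the device answers with a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, (b"login:", b"sername:"))          # wait for the login prompt
        s.sendall(username.encode() + b"\r\n")
        _recv_until(s, (b"assword:",))                     # wait for the password prompt
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, SHELL_PROMPTS + FAILURE_MARKERS)
    if any(m in reply.lower() for m in FAILURE_MARKERS):
        return False
    return any(p in reply for p in SHELL_PROMPTS)


def audit_defaults(host, port, credentials=DEFAULT_CREDENTIALS, timeout=3.0):
    """Return the (user, password) pairs that host:port accepts over Telnet."""
    accepted = []
    for user, pw in credentials:
        try:
            if try_login(host, port, user, pw, timeout):
                accepted.append((user, pw))
        except OSError:  # refused, reset, or timed out: not accepted
            pass
    return accepted


def start_fake_gateway(username, password):
    """Constructed test fixture: a minimal Telnet-style login server on localhost.
    Returns the port it listens on. It models no real device."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def handle(conn):
        with conn:
            conn.settimeout(3.0)
            try:
                conn.sendall(b"gateway login: ")
                user = _recv_until(conn, (b"\n",)).strip()
                conn.sendall(b"Password: ")
                pw = _recv_until(conn, (b"\n",)).strip()
                if (user, pw) == (username.encode(), password.encode()):
                    conn.sendall(b"\r\nBusyBox built-in shell\r\n$ ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")
            except OSError:
                return

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the constructed fixture, which is still on "admin"/"admin".
    demo_port = start_fake_gateway("admin", "admin")
    print("accepted:", audit_defaults("127.0.0.1", demo_port))  # [('admin', 'admin')]
```

The audit treats anything other than a recognisable shell prompt as a failure, so a device that hangs, drops the connection, or prints a rejection message is reported as not accepting the credential rather than as a false positive; a device that greets with a custom prompt would need its prompt added to SHELL_PROMPTS.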
Re: (Score:3)
Had he actually cracked the password, sure, no question but revealing that X is still using the _default_ admin password and is open to anyone using it, not so much. I agree an attempt should have been made to notify the hotel but given how some organizations react when you tell them that they left the door wide open (YOU'RE A HACKER!!! I'M CALLING THE AUTHORITIES!!!), that's not always the best thing to do either.
Re: (Score:2)
Or maybe he should have sought permission before attempting to gain access to the device.
What he did is a crime in the UK too.
Re: (Score:2)
The sum of what he did, sure, especially rooting through the system to find the MySQL database and publishing the deciphered password.
However, unless there was a pre-logon banner message warning people off, attempting to log on using the default password and publishing that & the IP would not have been.
Re: (Score:2)
The moment he's asked to provide credentials and uses a credential not assigned to him he's broken the law.
There's no grey area here, it's a clear and obvious violation of a security control and a blatantly unauthorised access.
That the security was shitty is entirely fucking irrelevant, he should never have even known it was shitty.
Re: (Score:2)
So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK? Interesting.
You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.
Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK? Port scanning?
Re: (Score:2)
So merely attempting to see if the default telnet password is still active on a publicly accessible device is defined as illegal access in the UK?
It's section 1 subsection 1 of the Act. Can't get much simpler than that: https://www.legislation.gov.uk... [legislation.gov.uk]
You need at least a pre-login warning message that the system is not public access and that continuing is exposing you to charges if you continue in France.
Most systems in the UK will provide a similar warning, but the law doesn't mandate or require it.
Is doorknob rattling (seeing if the door is locked or not without entering) also illegal in the UK?
Technically even entering isn't illegal. It's a civil offence of trespass, not a criminal one. So no, I suspect not - but the police are likely to treat it as probable cause for searching you and potentially inviting you for a long conversation with them at the station. They may even offer you a cup of cof
Re: (Score:3)
Student does something a bit dumb "with a computer" is a story now? That makes me sad.
Re: (Score:2)
Student checks to see whether hotel has done something dumb, with a computer.
Student discovers the hotel has indeed done something dumb, with a computer.
Student uses computer to mention the discovery to other people with computers.
Hotel decides to shift blame for their mistake to student, probably the good old fashioned way with a phone call to the authorities. Just a hunch though.
Re: (Score:3, Insightful)
Try going around an apartment complex "testing" doorknobs and see how long before someone confronts you or just outright calls the cops. You aren't allowed to do a penetration test of other people's property without their permission.
Just because "its with a computer" doesn't really change anything. Someone leaving their front door unlocked doesn't mean you can come in and wander around. It's still trespassing.
So really, the article should have said, stupid person that thinks "on a computer" doesn't count.
Re:Hacked? (Score:4, Insightful)
This may come as a surprise, but in a real world analogy, if a business says to you "you aren't allowed on the premises" and you choose to enter anyway, you can be arrested even though the doors were unlocked and open to the public. It's called trespassing. So to map real world laws to computers, even if there was no security of any kind, accessing the computer without permission would be digital trespassing and would be illegal. Even if the general public is allowed but only you were specifically forbidden.
Re: (Score:2)
accessing the computer without permission would be digital trespassing and would be illegal
Sure, and "digital trespassing" is wrong (in my opinion). But it's not "digital breaking and entering" (what I would consider hacking to be) (again, in my opinion).
Yep, it's hardly hacking, and nonetheless stupid from the so-called security researcher.
I can't count the number of times where I could easily get full access to hotels' wireless routers. Most of the time it's completely open.
Once I could even see all the hotel's stuff, invoices (they had an overdue internet bill for 3 months), ... That's what happens when hotels install the internet themselves like they do at home.
If he were American (Score:1)
he'd have been charged with life in prison for being a terrorist and whatever else.
Re: (Score:1)
Aaron Swartz.
Re: (Score:2)
No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.
Re: (Score:2)
No need for exaggeration. He'd definitely be charged with a crime for unauthorized access and face jail time if he were in the US, and that's bad enough.
Why is that bad? He obtained login credentials that he wasn't authorized to have and posted them for the rest of the world to take advantage of, without telling the hotel that they had a problem.
Had he stopped at telling the hotel and let them fix it, that would be one thing. He didn't even bother telling them, but he told all his "hacker friends" so they could take advantage of the system.
I'll be there in a couple of months, so I've been researching in advance.
Must not import chewing gum!
He did publish passwords (Score:5, Insightful)
Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.
Re: (Score:2)
on the plus side this is probably the only time the company will change their passwords
hopefully
Re: (Score:2)
Bad passwords are no excuse for hacking. It may be a reason to put blame on the hacked organisation as well, especially if they are supposed to keep stuff safe. But primarily it's the hacker's fault, no matter how easy it was.
Yep.
I've even heard it called "blaming the victim" when easy access is blamed for unwanted entry.
Can't we just "teach men not to hack"?
Re: (Score:2)
Publishing the MySQL password, sure, but revealing that the hotel never changed the default admin telnet password, not so much.
Re:He did publish passwords (Score:4, Insightful)
I agree. And the term "security researcher" seems to be used quite inflationary these days. An actual researcher would have understood professional ethics.
It smells bad (Score:2)
"to hack into the WiFi network of a Fragrance Hotel branch"
If you tell it like that.
Tencent (Score:2)
useless news (Score:2)
and no link to the blog post, so I can decide for myself if that was a hack or just using the default password.