the great hotel hack
play

The Great Hotel Hack Adventures in attacking hospitality industry - PowerPoint PPT Presentation

Feb 06, 2023 •202 likes •1.11k views

The Great Hotel Hack Adventures in attacking hospitality industry Etizaz Mohsin https://etizazmohsin.com Disclaimer No hotels were harmed during making of this presentation Do not try this at home! Images Courtesy: ANTlabs & INTSIGHTS

  1. The Great Hotel Hack Adventures in attacking hospitality industry Etizaz Mohsin https://etizazmohsin.com

  2. Disclaimer No hotels were harmed during making of this presentation Do not try this at home! Images Courtesy: ANTlabs & INTSIGHTS

  3. What this talk is not about

  4. What this talk is about Biggest threats are simple not sophisticated

  5. Previous Research

  6. Agenda • Why Do hackers attack hotel • Attack surface walkthrough • Common attack vectors • Who are threat actors • Notable Data breaches • What led to my research • Demo NSA style hack • Mitigations

  7. Security Point Products • Network Security • Endpoint Security • Data Security

  8. “Supreme excellence consists in breaking the enemy's resistance without fighting” – Sun Tzu

  10. Why Do Threat Actors attack Hotel ? • Second largest number of breaches after retail sector • Prominent hotel brands attacked repeatedly • Collect sensitive, valuable and varied data • Manage large number of financial transactions • Uses loyalty programs to encourage repeated visits

  11. Hotel attack surface • Large quantity of diverse endpoints • Access to mothership • Lack of employee security awareness • Undefined security responsibilities • High exposure to third parties

  12. Attack Vectors • Attacks on Point of Sale • Spear phishing attacks • WIFI network attack • DDOS and Botnet attacks • Internet of Things attacks • Brand Impersonation • Customer targeted attacks • Ransomware

  13. Threat Actors • APT28 Fancy Bear

  14. Threat Actors • Darkhotel APT

  15. Notable Data Breaches

  16. Disclaimer Once Again!

  17. How did this all start?

  20. Disclosure Timeline • 2018-10-31 : First vendor notification – immediate response • 2018-11-12 : Technical details sent to vendor • 2018-12-10 : Vendor questions feasibility • 2018-12-15 : Proof of concept sent • 2018-12-17 : Vendor acknowledges vulnerability • 2018-12-20 : Vendor discusses update plans • 2019-04-01 : Vendor assures patching

  21. Hmm ??

  22. Wi-Fi

  23. Captive Portal • Radius • LDAP • Voucher • SMS • PMS • Social Login Management Billing Feature • Web portal • Credit Card • Role based access • PMS (FIAS) • DNS server • DHCP • Firewall • Lawful interception

  24. Target Selection

  25. Attack Surface

  26. Web Management Portal • Get private data • Subscriber’s details, Network configuration, DHCP, DNS, firewall rules • Backup, logs, PMS, Guest details, SSL, SMTP • Set every parameter • DHCP, DNS, WAN, LAN, Route Configuration • Port forwarding, Syslog, SSL • Download • Configuration, database, backup, logs • Upload • Backup, Images

  27. Web Server

  34. TLS Certificates

  35. Database

  36. Read Write

  37. Firewall rules

  38. Configuration

  39. Guest Details

  40. Guest WIFI Configuration

  41. Session Riding

  42. Plain Text Credentials

  43. Enumerating Users

  44. SSH

  45. System

  46. Tools

  47. Configuration

  48. Owning DNS • HTTP/S Downgrade • Sniff plain text credentials • FakeDNS • WPAD abuse • Hash capture (http_ntlm) • Beef Hooks • Browser autopwn2 • Evilgrade • BDFProxy

  49. User Reset

  50. Management Portal

  51. Active Users

  52. Mac Addresses

  53. User Details

  54. DHCP Configuration

  55. DNS Configuration

  56. DNS Enteries

  57. DYNDNS Configration

  58. Network Configuration

  59. Routes

  60. Network Configuration Review

  61. Port Forwarding

  62. SSL Overview

  63. Subnets

  64. Interception

  65. Firewall rules

  66. Logs

  67. Guest Details

  68. PMS

  69. Backup

  70. SMTP

  72. GUESS WHAT ?

  73. DEMO

  75. So, Who is Vulnerable ?

  76. Once, we own the main box! • PMS • Corporate network • Electronic door locks • Alarm • HVAC • Guests devices • IOT devices • CCTV • In fact anything connected to the gateway

  77. Mitigations for Guests

  78. Mitigations for Guests

  79. Mitigations for Guests

  80. Mitigations for Guests

  81. Mitigations for Guests

  82. Mitigation for Guests

  83. Mitigation for Guests

  84. Mitigation for Owners • Train and re-train your staff • It takes one click on wrong link • Train employees on best practices and common attack vectors

  85. Mitigation for Owners • Strengthen your infrastructure • Avoid easy to guess passwords on POS • Use 2FA authentication • Ensure end point protection is up to date • Separate POS network from other • Filter remote access for POS controller • Segment WIFI Networks

  86. Mitigation for Owners • Regulate vendors • Ensure vendor meets compliance standard • Regularly assess the risk of their vendors and partners

  87. Mitigations for Owners • Threat hunt inside your network • Hackers move around to find valuable data • Monitor network traffic to identify suspicious activity and discover unauthorized access

  88. Mitigations for Owners • Create a incident response plan to speed up mitigation process.

  89. Conclusion • Stay aware while traveling • Use VPN or 4G LTE • Advanced persistent threats are devastating • Biggest threats are simple not sophisticated • No sign that attacks will slow down across any industry

  90. Thank You https://www.linkedin.com/in/aitezaz/

Recommend

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes Viral on Twitter By using our site, you acknowledge that you have read and understand our Cookie PolicyPrivacy Policyand our Terms of Service.

1.1k views • 3 slides
Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want FREEDOM! We want to use PEP313! Before we hack, Learn the internals Lexing - Tokenization - Read #define NEWLINE 4 #define INDENT

670 views • 36 slides
Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where are the weaknesses? What are the security implications? Security Compass and NFC Currently we are devoting a lot of energy towards NFC

704 views • 35 slides
Unique design Formerly the Great Eastern Hotel, Andaz London Liverpool Street is housed in a

Unique design Formerly the Great Eastern Hotel, Andaz London Liverpool Street is housed in a

Unique design Formerly the Great Eastern Hotel, Andaz London Liverpool Street is housed in a beautiful redbrick building dating back to 1884 a 21 st century masterpiece with a seamless blend of traditional and contemporary features throughout.

289 views • 9 slides
ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly 1, Paintings and Drawings by Vincent van Gogh Digitized and Put Online | Hacker News For people who don't live close to huge cities with big

269 views • 3 slides
SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland university computer science 1 Another kind of CFGs p D ( ) x e x e D ( ) q Effects on edges. Nodes called Nodes are

310 views • 19 slides
FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1 FC2015-RSDYK - Hack Pilot project: RSDYK2008 Trial to establish whether remote sensing in combination with geological knowledge can be used for

826 views • 10 slides
GREAT YEAR FOR ROSEWOOD GOLF CLUB LADIES A lovely lunch at the Marburg Hotel in late November

GREAT YEAR FOR ROSEWOOD GOLF CLUB LADIES A lovely lunch at the Marburg Hotel in late November

GREAT YEAR FOR ROSEWOOD GOLF CLUB LADIES A lovely lunch at the Marburg Hotel in late November followed the Rosewood Golf Club Ladies AGM and trophy presentations for midweek events. It was great to see so many ladies (past and present members)

470 views • 10 slides
Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017 Saarland University, Computer Science 1 Code Generation Consists (roughly) of three parts: 1. Instruction Selection Select processor instructions for

282 views • 9 slides
SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make Your Boots Slip-Proof May 18, Attach your Water hose. Wet your slide, this just helps for the first few slides. Once the kids get going, their

308 views • 3 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland university computer science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy from x 2

223 views • 20 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland University, Computer Science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy

394 views • 22 slides
Great Eagle Holdings Investor Presentation Q1 2017 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q1 2017 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q1 2017 1 Great Eagle Holdings Limited Background A Leading Property and Hotel Company with Prime Assets in Global Gateway Cities Long operating and listing history - Founded in 1963 and listed since

838 views • 45 slides
Great Eagle Holdings Investor Presentation Q1 2020 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q1 2020 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q1 2020 1 Great Eagle Holdings Limited Background A Leading Property and Hotel Company with Prime Assets in Global Gateway Cities Long operating and listing history Founded in 1963 and listed

308 views • 28 slides
Great Eagle Holdings Investor Presentation Q3 2018 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q3 2018 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q3 2018 1 Great Eagle Holdings Limited Background A Leading Property and Hotel Company with Prime Assets in Global Gateway Cities Long operating and listing history - Founded in 1963 and listed since

505 views • 31 slides
Great Eagle Holdings Investor Presentation Q3 2017 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q3 2017 1 Great Eagle Holdings Limited Background A

Great Eagle Holdings Investor Presentation Q3 2017 1 Great Eagle Holdings Limited Background A Leading Property and Hotel Company with Prime Assets in Global Gateway Cities Long operating and listing history -

619 views • 31 slides
The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits.

The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits.

The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits. Analogue is meant to help people think differently. This is the Hack in Paris 2015 version, and is subject to all sorts of changes as the

963 views • 80 slides
Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis Introduction Winter Semester 2014 Slides based on: H. Seidl, R. Wilhelm, S. Hack: Compiler Design, Volume 3, Analysis and Transformation, Springer

616 views • 27 slides
Sofitel Abidjan Hotel Ivoire SOFITEL ABIDJAN HOTEL IVOIRE The Sofitel Abidjan Hotel Ivoire is the

Sofitel Abidjan Hotel Ivoire SOFITEL ABIDJAN HOTEL IVOIRE The Sofitel Abidjan Hotel Ivoire is the

Sofitel Abidjan Hotel Ivoire SOFITEL ABIDJAN HOTEL IVOIRE The Sofitel Abidjan Hotel Ivoire is the reference of luxury nested in the most luxurious and secure district of Abidjan (Cocody). The Hotel is ideally located at few minutes from the

239 views • 6 slides
Report from DAQ Simulations Hack Days Georgia Karagiorgi & Michael Baird Nov. 9, 2016

Report from DAQ Simulations Hack Days Georgia Karagiorgi & Michael Baird Nov. 9, 2016

Report from DAQ Simulations Hack Days Georgia Karagiorgi & Michael Baird Nov. 9, 2016 Organized by the DUNE DAQ Simulations Task Force [https://cdcvs.fnal.gov/redmine/projects/dune/wiki/DAQ_Simulations] Hack Days indico page, with links to

520 views • 12 slides
HOTEL PRESENTATION HOTEL LOCATION Novotel Bangkok Platinum Pratunam is a 288-room, international

HOTEL PRESENTATION HOTEL LOCATION Novotel Bangkok Platinum Pratunam is a 288-room, international

HOTEL PRESENTATION HOTEL LOCATION Novotel Bangkok Platinum Pratunam is a 288-room, international 4-star hotel in the heart of the shopping district. With its city centre location, the hotel offers easy access to Bangkoks main cultural

278 views • 26 slides
New Ways Im Going to Hack Your Web App Rich Lundeen,

New Ways Im Going to Hack Your Web App Rich Lundeen,

New Ways Im Going to Hack Your Web App Rich Lundeen, Jesse Ou, Travis Rhodes MicrosoE Boss Engineering Security Team & Office 365 Pen Test

1.28k views • 103 slides
THE FERN - AN ECOTEL HOTEL, JAIPUR Hotel opening year- 2008 Number of Rooms- 85 Hotel Board line

THE FERN - AN ECOTEL HOTEL, JAIPUR Hotel opening year- 2008 Number of Rooms- 85 Hotel Board line

THE FERN - AN ECOTEL HOTEL, JAIPUR Hotel opening year- 2008 Number of Rooms- 85 Hotel Board line number- +91 141 4121212 Emergency Number - 0 Hotel Address 3, Airport Plaza, Tonk Road, Durgpura, Jaipur - 302 018, Rajasthan, INDIA Ro Room

316 views • 18 slides
Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University

Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University

The Derivative Finite Difference Floating Point Arithmetic Complex Analysis Crash Course Hack the Derivative Hack the Derivative! Erik Taubeneck Software Engineer October 20th, 2015 American University Math/Stat Dept Colloquium The

1.39k views • 106 slides

More recommend