
/cyber/ - Cyberpunk & Science Fiction

A board dedicated to all things cyberpunk (and all other futuristic science fiction) NSFW welcome


“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation.”

File: be55fb3d9ee2e1c⋯.gif (606.57 KB, 800x792, 100:99, giphy.gif)

 No.45541

http://archive.is/9O7ME

>A luxury hotel in Austria found itself in a bizarre hostage situation recently when hackers managed to access its electronic key system and lock all the hotel guests in their rooms until the hotel agreed to pay a ransom to get its systems back.

>According to The Local, the cyber lock-in happened on the first day of the winter season at the Romantik Seehotel Jaegerwirt, a 111-year-old, four-star luxury hotel that has a pool, lake views, and a state-of-the-art electronic key system that turned out to be something hackers could exploit.

>On the first day of the winter season this year, hackers accessed the hotel’s IT system and shut down everything, including all the reservation info and the hotel’s electronic key system. Approximately 180 people were staying at the hotel that day, and many of them were locked in their rooms, while others were locked out of theirs.

>The hackers wanted 1,500 euros in Bitcoin to release the hotel’s system, and the hotel decided to pay.

>“The house was totally booked with 180 guests, we had no other choice. Neither police nor insurance help you in this case,” said managing director Christoph Brandstaetter.

>After the hackers were paid, the system went back to working as it was supposed to. But Brandstaetter says the hotel is planning on replacing the hotel’s door locks with old-fashioned ones with real keys.

 No.45542

File: f8b073c4f528523⋯.webm (303.96 KB, 640x480, 4:3, !!PANIC!!.webm)

>>45541

>The hackers wanted 1,500 euros in Bitcoin to release the hotel’s system, and the hotel decided to pay.


 No.45544

>>45541

> state-of-the-art electronic key system

Well, judging by how effective it was, I reckon it was something built in Java by a sub-sub-subcontracted outsourced team in India through Upwork.

Btw, this should go into the "cyberpunk ways to make money" thread, OP.


 No.45549

File: a0bf277cd4adc62⋯.jpg (446.09 KB, 768x500, 192:125, Advanced_Persistent_Threat.jpg)

>>45544

typical viewpoint.

but the fact of the matter is regardless of architecture, service, or encoding… put it on the internet and someone's gonna own it.

it's true most device manufacturers are still using a nineteen hundreds and nineties "physical access" threat model. but even top tier secure technologies get cracked.


 No.45557

I'm baffled by the fact that there is no way to physically unlock the doors from the inside. Isn't that a serious fire hazard?


 No.45559

>>45557

An excellent point. I'm even more curious about their setup now.


 No.45560

They seriously only wanted 1500 euros for ransom?


 No.45561

>>45560

Trying to collect relatively small amounts from a luxury service provider is actually a pretty smart approach. The attack is probably re-usable against other targets, and the target's management is more likely to cave quickly if the brouzouf they lose is outweighed by even mildly bad PR from their wealthy clients.


 No.45562

>>45549

> put it on the internet and someone's gonna own it.

I agree with you - but I think that if you raise the cost of owning something by boosting its security, then you'll get pwned less often.

As you say, most mfg's just use some horrible development process stuck in the 90's (default root password, open ports, logic errors in the permissions script, no updates ever) - but fixing those things isn't really that costly, especially since the security of the product is kinda your responsibility and not "gosh darn it, those hacker kids got me again!".


 No.45567

>>45559

The original story wasn't in English and it's been mistranslated. Guests weren't locked in, they were locked out. Pretty effective really - they'd end up hanging around the lobby, harassing staff and pressuring them into paying the ransom.


 No.45574

>>45567

Damn that's so much smarter.


 No.45623

>>45574

and more effective– being able to trap guests inside their rooms would trigger safety regs like a motherfucker, that shit wouldn't fly long enough to be exploited more than once.


 No.45630

>>45544

>>45549

I don't know how something being built in Java is bad or less secure (hint: it's much better than ancient langs and meme langs). However I would say you're wrong on the point of "someone's gonna own it.", it's extremely easy to avoid this, don't make it connected to the fucking internet. Alternatively build it with some notion of security in mind. Most hacking is done because there is little to no security on 90% of the world's systems. There is often little incentive for it because it's extremely unlikely they'll be hacked or exploited in some way.


 No.45635

The "internet of things" is retarded. There's no reason to add networking capabilities to devices that don't need them (e.g. fucking door locks)


 No.45643

>>45635

Computer-controlled appliances that aren't connected to the greater internet are a great idea. What we're seeing though is people so excited for the potential benefits of going online such that they ignore, and don't even try to mitigate, the inherent risks.


 No.45645

File: 89c868ea18bdf2f⋯.mp4 (4.45 MB, 640x360, 16:9, THE_FUTURE_IS_NOW.mp4)

>>45643

I'm still wary about that. It depends on how your appliances are networked and what you use to access them, but I can't really see a way of centralizing control over your house's electronics and appliances without also making these systems vulnerable.

Are they all controlled through, say, an app on your phone? At that point all an attacker has to do is control your cell (which most governments are capable of doing already) and they control every major electronic in your house.

The same would be true if it was all controlled from your personal computer. Imagine opening an e-mail attachment and getting a virus that doesn't do shit to your personal data, but causes your home-control software to turn off your refrigerator, permanently engage the locks on your washing machine, and run all of your lights at 100% brightness 24/7. Even though the individual appliances aren't directly compromised, your control system is.

To really secure the system, it would need to be controlled through a single, unique remote control unit, but even then it couldn't be wireless if you wanted complete security (somebody could drive up across the street and duplicate the signal).

Your only option would be a hardwired, standalone, air-gapped network. At that point the only remaining attack vector would be something like what Stuxnet did: try to sneak in a compromised firmware update to feed an attacker's commands to the system. No criminal is going to go through that kind of effort.

This is why I don't like the concept of systems such as those in vid related - they sell themselves on convenience, but they're nothing more than giant potential computerized security flaws that you are introducing to your house.


 No.45646

>>45630

Yeah, I was just surfing that lang meme. Alternatives were: php, javascript, html.


 No.45657

File: a45ac0dfeaafbea⋯.jpg (54.89 KB, 755x575, 151:115, KI2TSeason34VoiceBox.jpg)

>>45645

>permanently engage the locks on your washing machine

I would rather see someone hacking into a Miele with WaterProof-System, disable the overflow and hose burst protection and causing a flood by opening the valves and letting the machine overflow.

Thank fuck my Askos have a redundant mechanical anti-overflow: it's called dual water level switches.

That being said, if that waifubot of yours was pic related, it would be fucking BASED. Don't touch Turbo Boost. Something tells me you shouldn't touch Turbo Boost.


 No.45664

>>45630

Java is not much better than ancient langs and meme langs, as ancient langs and meme langs usually perform better and have more obvious logic. Object Oriented Procedural Programming for anything security related is generally a worse idea than using Functional Programming, since with Procedural you have to deal with plenty of side effects and interference between two people doing things at the same time, and with OOP, multiple layers of abstraction and a system designed to keep you from thinking about how everything works together.

OOP's advantage is that it makes teamwork easier, and the things you do to make teamwork easier make security harder.

Java is a shit language on its own, and Java programmers are usually horrible at doing their job, but that's another discussion for another time that doesn't pertain to security.

Your solution, disconnecting it from the internet, was addressed in his initial post.

>>45646

>HTML for developing a door security system

wow you're so smart queen :)

>PHP

>Ever

There is absolutely no reason to use a language designed as an over-complicated template engine for anything anymore. You shouldn't have to use a fucking external database for a god damn integer counter between two users. There is no reason to use PHP for anything other than things being written in PHP already, and that's just because PHP is usually used in a way where it can't be transpiled into a working application in another language easily.


 No.45665

>>45645

>get access to user's personal cellphone or computer

>"lol I'm gonna just be kind of annoying instead of committing identity theft"

On what planet? If my phone or computer are compromised to the extent that applications can be given arbitrary remote commands, the last thing I give a shit about is my lights being too bright.


 No.45670

the story in the OP was shown to be fake long before he posted it.

people were locked out, not in.

weird that people are posting here again, what happened to the FBI or whoever destroyed /cyber/ a few months ago?

did they just become more subtle or did they get removed from their positions?


 No.45686

>>45665

You're thinking about this too narrowly. Imagine ransomware moving out of just kidnapping people's data, and instead moving into kidnapping their homes: "Pay me 1 BTC or I'll brick every networked appliance in your house."


 No.45698

>>45686

>"Pay me 1 BTC or I'll brick every networked appliance in your house."

"In a world, without home insurance, hackers use every weapon in their arsenal to make your fridge fuck up."

It'd probably be cheaper to just have a repairman replace the internal storage of your appliances than it would be to pay a hacker enough brouzouf to entice them into hacking your appliances.

If you can brick an appliance from its control app though, that'd be the issue, not the fact that it has an app.

Someone compromises my phone, I'm going to worry about my home appliances last. I could get a hotel room while I wait for the FBI to fix my shit.


 No.45740

>>45698

Just like it would have been cheaper for that hotel to call a repairman to fix all the locks in their building instead of paying 1500EUR in BTC?

I have had enough experience with automated systems and security professionals to know that hooking shit up to a network for no reason is a dumb idea.

>Someone compromises my phone, I'm going to worry about my home appliances last. I could get a hotel room while I wait for the FBI to fix my shit.

You could also just stay in your own home and learn to use a manual lightswitch like a normal human being, if all your shit wasn't automated. You also wouldn't have to file home insurance claims, or pay extra for the cyberattack coverage.


 No.46437

Anheuser-Busch InBev : Alcohol

Revenue $45.52 billion (2016)

Eli Lilly : Pharmaceutical Drugs

Revenue $21.221 billion (2016)

Philip Morris International: Tobacco

Revenue $80.106 billion (2014)

Pfizer : Pharmaceutical Drugs

Revenue $52.82 billion (2016)

Shell Oil Company

Revenue: $37.376 billion (2013/2016)

British Petroleum

Revenue: $183.0 billion (2016)


 No.46439

>>45630

But User, Java is an ancient meme lang.


 No.46471

>>45740

>Doing shit manually

You're nuts

How am I supposed to live without having machines do everything for me


 No.46486

>>46471

yea man I couldn't get laid otherwise


 No.46591

>>45686

>"Pay me 1 BTC or I'll brick every networked appliance in your house."

>Real life is becoming megaman battle network



