Security researcher Kya Supa was staying at a capsule hotel in Japan while on vacation and had a noisy neighbor.
Every day at around 2 a.m., the neighbor would be on the phone making a loud call. Supa politely asked the neighbor to not be so loud, but the neighbor didn't listen. What happened next was the subject of Supa's session at the Black Hat US 2021 hybrid event, where he detailed how he was able to hack the hotel's system to get back at his noisy neighbor, whom he referred to as Bob.
"Some people just don't take anything seriously," Supa said about Bob. "So I thought it would be nice if I could take control of his room and make him have a lovely night."
How the Capsule Hotel Was Hacked
The capsule hotel that Supa was staying at was highly automated. Each room had an iPad that controlled the small room's amenities, including the lights, a fan and an adjustable bed that could be converted into a sofa.
After inspecting the room, Supa also discovered that each room had a pair of Internet of Things (IoT) gateway control devices from Japanese vendor Nasnos, which controlled the room's operations. The iPad that connected to the Nasnos devices was locked down in what Apple refers to as Guided Access, which restricts access to only one application.
While Guided Access initially would not allow Supa to access other features on the iPad, he figured out an easy way to get around that. Simply by letting the iPad run out of power and then rebooting, he was able to bypass Guided Access and get full control of the device.
Using scanning tools, Supa was able to discover the Nasnos access point and realized that it was secured with the insecure WEP protocol. Adding insult to injury, Supa discovered that the gateway devices controlling the IoT devices in each capsule room were using a default password of 1,2,3,4,5.
By observing the data traffic in his own room as he turned the lights on and off and adjusted his bed, Supa was able to figure out how to control everything using his own laptop. After some additional investigation, Supa was also able to figure out how to gain access to specific routers in specific rooms. With that knowledge, he could control the functions of another guest's room—like his noisy neighbor, Bob.
Simply turning the lights on and off in Bob's room wasn't enough for Supa, though; he wanted to do something more disruptive. What Supa ended up doing was writing a script that ran every two hours, turning the lights on and off while collapsing the bed into a sofa.
"I'm sure he had a wonderful night," Supa said about Bob. "I hope he'll be more respectful of his neighbors in the future."
Supa noted that he disclosed all the security issues he found to the hotel, after he had messed with Bob, and that the issues have since been remediated by the hotel.