Tuesday, August 02, 2005

Brain-dead hotel security violating your privacy

Today, most hotels use the TV as an interactive computer terminal. The TV can be used to make purchases, check out, pay the bill, buy movies and video games, and access a plethora of other services. These systems also provide a lot of administrative functionality that guests normally don't know about.

Any network engineer with even an ounce of sense would design such a system with encryption in the set-top boxes and a security server in the back-office.

But they're not designed that way. The network involves no encryption whatsoever, and the TV programming is not scrambled in any way. All of the security exists in the set-top box, and nowhere else.

Which means that any person who brings his own TV tuner (like a USB-based tuner attached to a laptop computer) can tune in to all of the TV programs, including the ones you're supposed to pay extra for. And with a little more work, you can access all of the administrative screens, allowing you to view the accounts for everybody in the hotel, set wakeup calls for anybody in the hotel, and even alter some billing records (like movie purchases and minibar usage).

In the future, when hotels start adding cameras to the TVs (presumably for allowing video-chat features), you'll be able to tap into that as well if they don't wise up and implement a more effective security model.
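As an added illustration of the "security server in the back-office" idea (example code written for this page, not taken from any real hotel system), the sketch below has the server authenticate each set-top-box request with a per-box HMAC key and decide for itself what that box may do. The box IDs, keys, action names and message layout are all assumptions, and the sketch covers only request authentication and authorization, not encryption of the traffic or scrambling of the video.

```python
import hashlib
import hmac
import json

# Constructed sample data; every name and value below is hypothetical.
BOX_KEYS = {"stb-0412": b"k-412-constructed", "stb-0413": b"k-413-constructed"}
BOX_ROOM = {"stb-0412": "412", "stb-0413": "413"}  # where each box is installed
GUEST_ACTIONS = {"view_folio", "set_wakeup", "buy_movie"}  # no admin actions here
_last_ctr = {}  # highest counter accepted per box, used to reject replays


def sign_request(box_id, key, counter, action, room):
    """What a set-top box would send: a JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(
        {"box": box_id, "ctr": counter, "action": action, "room": room}, sort_keys=True
    ).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def authorize(body, tag):
    """Back-office decision; the box's own opinion is never trusted."""
    try:
        req = json.loads(body)
        box, ctr, action, room = req["box"], req["ctr"], req["action"], req["room"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if not all(isinstance(v, str) for v in (box, action, room, tag)) or not isinstance(ctr, int):
        return False, "malformed"
    key = BOX_KEYS.get(box)
    if key is None:
        return False, "unknown box"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant-time compare
        return False, "bad tag"
    if ctr <= _last_ctr.get(box, -1):  # same or older counter: replayed message
        return False, "replay"
    _last_ctr[box] = ctr
    if action not in GUEST_ACTIONS:  # administrative screens need a separate staff login
        return False, "not a guest action"
    if room != BOX_ROOM[box]:  # a box may only touch the room it is installed in
        return False, "wrong room"
    return True, "ok"


if __name__ == "__main__":
    key = BOX_KEYS["stb-0412"]
    print(authorize(*sign_request("stb-0412", key, 1, "view_folio", "412")))
    print(authorize(*sign_request("stb-0412", key, 2, "view_folio", "413")))
```

With checks like these on the server, a device on the cable that does not hold a box key cannot issue requests at all, and a genuine box still cannot reach another room's account or the billing functions.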
