ITB Hospitality Day 2015 revealed how to crack codes and webcams
 |
| Live Hacking at the ITB Hospitality Day 2015: Security expert Stefan Hoelzner (standing) and his colleague Dr Florian Kohlar, cryptographer, demonstrate how to direct foreign webcams via web. |
Berlin (March 13, 2015). Google is an excellent assistant when it comes to illegally hacking other IT systems. Webcams can easily be used to observe and eavesdrop. And filtering the right password is often only a matter of time for the experienced hacker. The consequences of the widespread negligence in handling customer data were dramatically illustrated at the 10th ITB Hospitality Day at the ITB Berlin last week, live in front of an interested audience. "Check out - Hack in" was the title of the 'live hack' at the beginning of the conference. See it for yourself!
"We are the goodies, but know the dark side," Stefan Hoelzner said, Senior Manager KPMG Security Consulting based in Essen. The company simulates hacker attacks on companies on behalf of customers/companies. Dr Florian Kohlar, Assistant Manager and experienced cryptographer, demonstrates the flipside of digitalisation, also for the hotel industry.
"An SQL injection is less technical than it sounds," Kohlar says. For instance, Web Shop: The line appears "Show me all gift articles from 2012, 2013, 2014." The hacker changes this to "Show me all customer data from 2012, 2013, 2014." And already, a path has been created to begin the further search.
 |
|
| Dr Florian Kohlar: Mostly, hacker simply start "playing" around... |
Each web shop has a search field which mostly works in the background with similar combinations of letters. Instead of submitting a search, hackers simply enter a common combination of letters with the word "room". From the source code response, they can see what letter combinations are used to filter out customer mail addresses for a certain period. "If in the shop itemdb works for products, then userdb often also works for customer data," Kohlar demonstrated using a mock-up web shop (in this case, he didn't necessarily want to hack into a real company live at the ITB).
Passwords? Piece of cake
In the hotel industry, reservation processes, other shop functions as well as guest books are all simple ways to weasel one's way into systems with weak security protection. Although passwords are generally used as a security wall, many passwords are quickly reconstructed with decipher programmes. Generally all is required is to identify a single password from a list. In front of an audience, speakers cracked 13 of 22 codes in a matter of seconds. Further passwords would then follow in the next few minutes, the rest are then more difficult for the programme, if at all possible, speakers explained. "Password security is very much neglected," experts know. The ten most popular passwords are used in around 2.5 percent of all cases! A perfect start for professional hackers! On a list of 1,000 customer passwords, at least one is then certain to be "123456" (0.6% of all passwords worldwide). The second most popular password is the word "password".
At the ITB Hospitality Day it was also explained how the Google search engine could be used to identity vulnerable sites (using the search term "inurl:/..."). Or you focus directly on sites used by large corporations such as SAP. "Documentation compiled by SAP also contains certain basic passwords which can help," Hoelzner adds.
 |
|
| The ten most popular passwords are used in around 2.5 percent of all cases. |
Warning webcams!
A further problem area in terms of data security is the webcam. Not only are they now used to monitor the beach front, but also increasingly to check building entrances. Search engines can also be used to find large video-conference providers and cameras from hotel seminar rooms can be identified. These can then be controlled through the internet. A flipchart came into the picture, a number easily legible on a piece of paper. Apparently, cameras are so good at zooming in, that often documents laid out on a desk can be read.
Those present in the room though have no indication that somewhere else in the world, there's somebody else sitting with them at the conference table. No red blinking light gives the external guests away. And: Anyone can listen in to conversations in the room through the microphones incorporated in the cameras. For some webcams, the IP address must be known, but most can be found using a search engine which finds companies which boast with Voice-over-iP telephones, Internet-controlled refrigerators and control systems for wind power on the hotel roof. "Anyone installing a webcam in the hotel should read the operating instructions," Hoelzner warned.
Simply redirecting logins
Hackers easily gained control of a railway station elevator, held the elevator motionless and could see (and hear) through the webcam how those inside the elevator behaved. In everyday business, it's a matter of more concrete attacks. Anyone placing ten infected USB sticks in a company at various locations can be certain that two of them will be used. And already, a Trojan has been introduced to the system. The USB acts like an external keyboard. All passwords are recorded.
 |
|
| Stefan Hoelzner: Whoever installs webcams should read terms & conditions before. |
In particular, one shouldn't always trust WiFi networks as secure. "Over 20 people here in the room are currently logged on via telekom_ICE," the KMPG expert stated at the end of the presentation. "But you aren't in an ICE". The professional hackers had simply created this site. Because smartphones automatically trust open networks which have been used previously, they automatically logged into the ICE site instead of Free WiFi at the ITB. In truth, a KPMG website was behind the site. "All data were transferred through our systems, we could have read what you were saying," Hoelzner warns, demonstrating the risks of unencrypted internet connections.
Only a few experts attribute a market value to guest data held by hotels over and above the actual value of the hotel. Yet data mining or big data is still in the early stages in the private hotel industry. If the recent survey by TripAdvisor "Empowering Independent Hotels" is anything to go by, this won't change much: Investments in better CRM databases are considered pointless by operators. Many private hotels use their data material for general broadcast or at best for birthday wishes. Though nobody is immune from the risks - even if hacker interests tend to be focussed on the international chains.
As if to confirm the point, Mandarin Oriental Hotels recently confirmed that hackers had found their way into certain hotel systems in the US and Europe recently and acquired guest credit card data using malware. Pin codes though, are not thought to have been cracked. The programme has been identified and removed from all systems. However, Mandarin Oriental saw it as its duty to inform the entire industry of the cyber attacks, the company stated. After all, it can happen to anybody. / Fred Fettner
You will find the YouTube video about this panel in full length under this direct link or at www.itb-convention.com !
Continuative Links:
- April 10, 2014 Hotel industry out of touch-10th ITB Hospitality Day: 2015 The Sharing Economy wave making everyone sweat
- March 27, 2015 Continual reinventions-10th ITB Hospitality Day: Lifestyle communication with budget and luxury
- March 27, 2015 Digitised and still human-10th ITB Hospitality Day: IT and emotions create new hotel concepts
- March 20, 2015 The dark side of hotel distribution-ITB Hospitality Day 2015: Only a minority believes in own distribution power
- April 4, 2014 It's no longer James Bond: ITB Hospitality Day 2014: Keynote warns hotel sector about data attacks
To print this article you have to be registered and logged in for newsletter, visitor or subscription.
Print Article