Hacking a Capsule Hotel - Ghost in the Bedrooms

Conference:  BlackHat USA 2021



The presentation discusses the exploitation of a hotel's Wi-Fi network and mobile device management solution to gain control of all the bedrooms. The main focus is on obtaining the key of the national network and bypassing the gated access protection on an iPod Touch.
  • The speaker discovered that the national network's SSID and key were generated by NAS notes by default, making all NAS notes CES 8700 routers vulnerable to attack.
  • The gated access protection on an iPod Touch can be bypassed by draining the battery and rebooting the device.
  • The speaker used a sample JavaScript code to force the iPod Touch to generate a lot of data and capture packets in monitor mode.
  • The web protocol used by the national network is insecure and can be exploited to retrieve the web key.
  • The hotel was cooperative in addressing the security issues and took them seriously.
The speaker created a script that transformed all the towers in a bedroom into a sofa and back, and turned the lights on and off, to create a memorable night for the guest. However, the script was lost at midnight and the speaker was unsure if the guest had a good night. The speaker also contacted both the nationals and the hotel to report the vulnerabilities found.


IOT devices are widely deployed. Some hotels are now allowing their guests to control their room from their smartphone or other devices.While traveling in a foreign country, a few nights were booked in a capsule hotel that was using various modern technologies. Capsule hotels are hotels composed of extremely small rooms that are stacked side-by-side.In this hotel, an iPod touch given at check-in allowed each customer to control their bedroom. It was possible to control the light, change the position of the adjustable bed and control the ventilation fan.In this presentation, we will share the methodology used to bypass the present security protections and we will show in detail how six different vulnerabilities were combined together and exploited in order to take control of all bedrooms and get revenge on a loud neighbor.A demo video will be presented.



Post a comment

Related work

Conference:  Defcon 31
Authors: Christian “quaddi” Dameff MD Physician & Medical Director of Cyber Security at The University of California San Diego, Jacqueline Burgette, DMD, PhD White House Fellow in The Office of National Cyber Director (ONCD), Jeff “r3plicant” Tully MD Anesthesiologist at The University of California San Diego, Nitin Natarajan Deputy Director for the Cybersecurity and Infrastructure Security Agency (CISA), Senator Mark Warner Virginia Senator and Chair of the US Cybersecurity Caucus, Suzanne Schwartz MD Director of the Office of Strategic Partnerships and Technology Innovation (FDA)

Authors: Christian Weichel, Manuel de Brito Fontes