This is not a ghost at all – the reason for the "anomalous" activity was several vulnerabilities in the hotel’s digital automation system.
Travel tip: When staying in a capsule hotel (Japanese-style budget hotel that accommodates guests in tiny interconnecting rooms appropriate for their body size), you should treat your neighbors with respect. Especially if the capsule hotel where you decide to spend the night has an automated digital system, and your neighbor is an advanced hacker.
This advice was shared by an anonymous digital security expert in his presentation on hacking into a capsule hotel’s automated digital system at the Black Hat hacker conference in Las Vegas.
Hacker, who was born in France, asked to be called Kyasupā. He claims to have discovered several vulnerabilities that could be used to hack IoT devices widely used at a capsule hotel he stayed in in 2019. The vulnerabilities gave him the ability to gain access to control any room in the hotel to turn on or off the lights, ventilation, and even change the position of the beds (turning them into a sofa). The options that had the vulnerabilities were designed to control the network systems (connected to the iPod Touch) that each guest was given access to upon check-in.
“When I saw the list of available features, I realized that it looks pretty cool – if I can hack the system, I will potentially control all the bedrooms of the hotel, which is a lot of fun," Kyasupā commented on the incident before his Black Hat speech. “Ultimately, I found a total of 6 vulnerabilities that allowed me to create an exploit that allows me to control devices in all bedrooms right from my laptop.”
Kyasupā showed the aftermath of the hotel system hack in a video showing him using a special script on his laptop to turn the lights on and off in the capsule hotel’s three bedrooms. He also transforms the bed into a sofa and after that returns everything to its place, and also turns the ventilation in the room on and off.
In addition to exploiting the results of a system hack right on video filmed near the end of his stay without the hotel’s permission, he says he also used vulnerabilities and control over other people’s pods to get back at another guest who kept him awake at night with his loud chatter. He used a script that turned on the lights in the victim’s room every two hours and repeatedly transformed his bed into a sofa in the middle of the night. “I take my sleep very seriously, especially on vacation days,” says Kyasupā, who works as a consultant for security firm LETOP. "He woke me up several times: now it’s my turn to wake him up."
To view this video please enable JavaScript, and consider upgrading to a web browser that
Given the fact that Kyasupā does not reveal his real name, the name of the hotel, or the name of his victim, we cannot independently verify his story of revenge on a noisy neighbor. All that is known for certain is that he discovered and demonstrated real security vulnerabilities in devices connected to the hotel’s automated system.
Kyasupā claims that his experience should be a huge warning regarding IoT devices. The hotel’s Nasnos CS8700 router is used by many guests, potentially leaving them vulnerable to this type of interference.
Kyasupā also wondered if he could hack his iPod Touch after it was given to him at check-in, but he didn’t want to spend his vacation time developing a special reverse system. The hacker had an instant change of heart after a noisy neighbor kept him awake for several nights in a row. "I thought it would be nice if I could control the devices and objects in his room and give him a ‘wonderful night,’" says Kyasupā. “That’s how I started to analyze how the hotel’s digital system works.”
The hotel’s iPods used as remotes were limited by a feature called " Guided Access " that prevented users from leaving the Nasnos remote control app. However, Kyasupā knew that it was possible to drain the battery of the device and reboot it to gain full access – this is a fairly well-known workaround when using "Guided Access". On top of that, every iPod didn’t even have a screen unlock PIN set. Kyasupā also noticed that his iPod connected via Wi-Fi to a Nasnos router—each room seemed to have its own router. He, in turn, connected to other digital devices in the capsule, such as lights, ventilation, and a bed.
In order to intercept commands from the iPod app to the Nasnos router, Kyasupā knew he would need to get the password to access the router. Notably, he found that Nasnos routers defaulted to WEP encryption, a Wi-Fi security system that had been hackable for decades. “Using WEP encryption in 2019 is crazy,” says the hacker. Using the Aircrack NG program, he used a brute force attack to get the router password and connect to it from his laptop. Then he used his Android phoneas a Wi-Fi hotspot to connect to your iPod and forward its commands through your laptop. In the end, his laptop was connected to a Nasnos router via Wi-Fi and used it as an intermediary to eavesdrop on all communications between the iPod and the router.
Kyasupā has tested all the functions of the application (turning the light on and off, transforming the sofa into a bed) while recording the data packets sent for each of the options. Because the Nasnos app didn’t use any actual authentication or encryption when communicating with the router (other than WEP), he was able to connect to his room from his laptop and play those commands to bring about the same changes inside it.
Kyasupā still had the task of figuring out how to connect to the routers in the other rooms. However, then, according to the hacker, he left the hotel to visit a neighboring city, and returned only a few days later, but he was given a different room. When he cracked the password for the new room’s router in the same way, he found that it only had four characters different from the first. The lack of randomization in setting the passphrase made it easy for Kyasupā to brute force the passwords of other rooms in the capsule hotel.
One day, when the hotel was relatively empty, Kyasupā went to the room of his former roommate who was very noisy (the loud-talking criminal was still in the hotel) and found the router ID and password. He stood outside and checked the ability to turn the lights on and off in his pod to make sure he had the right data. That night, according to the hacker himself, he set up his laptop to run a special script. He says he doesn’t know how his former neighbor ended up feeling: Kyasupā slept through the night and never saw him again. Most likely he moved out. "I’m sure he had a ‘wonderful’ night," the hacker claims. “Personally, I slept like a baby.”
After returning home, Kyasupā sent an email to the hotel management to warn them of the security vulnerabilities. In addition, he also shared his experience with Nasnos, which never answered him. He says the hotel did indeed address the issues he reported to them by switching their Nasnos router to WPA encryption, which would make password cracking much more difficult. Kyasupā warns that anyone using Nasnos devices should similarly check to see if they use WEP encryption. If several of these routers are located in the same building, such as a hotel, you should set a random password for each, which cannot be obtained by revealing the password of another device.
To his noisy neighbor at the capsule hotel, where he says he was testing out options, Kyasupā has only one thing to say: “I hope you will be more respectful of your neighbors in the future. And I hope the ghosts don’t scare you too much."
According to Wired.