The Great Hotel Hack Adventures in attacking hospitality industry - - PowerPoint PPT Presentation

▶

Feb 06, 2023 202 likes •1.12k views

The Great Hotel Hack Adventures in attacking hospitality industry Etizaz Mohsin https://etizazmohsin.com Disclaimer No hotels were harmed during making of this presentation Do not try this at home! Images Courtesy: ANTlabs & INTSIGHTS

SLIDE 1

The Great Hotel Hack

Adventures in attacking hospitality industry Etizaz Mohsin https://etizazmohsin.com

SLIDE 2

Disclaimer

No hotels were harmed during making of this presentation Do not try this at home!

Images Courtesy: ANTlabs & INTSIGHTS

SLIDE 3

What this talk is not about

SLIDE 4

What this talk is about

Biggest threats are simple not sophisticated

SLIDE 5

Previous Research

SLIDE 6

Agenda

Why Do hackers attack hotel
Attack surface walkthrough
Common attack vectors
Who are threat actors
Notable Data breaches
What led to my research
Demo NSA style hack
Mitigations

SLIDE 7

Security Point Products

Network Security
Endpoint Security
Data Security

SLIDE 8

“Supreme excellence consists in breaking the enemy's resistance without fighting” – Sun Tzu

SLIDE 9

SLIDE 10

Why Do Threat Actors attack Hotel ?

Second largest number of breaches after retail sector
Prominent hotel brands attacked repeatedly
Collect sensitive, valuable and varied data
Manage large number of financial transactions
Uses loyalty programs to encourage repeated visits

SLIDE 11

Hotel attack surface

Large quantity of diverse endpoints
Access to mothership
Lack of employee security awareness
Undefined security responsibilities
High exposure to third parties

SLIDE 12

Attacks on Point of Sale
Spear phishing attacks
WIFI network attack
DDOS and Botnet attacks
Internet of Things attacks
Brand Impersonation
Customer targeted attacks
Ransomware

Attack Vectors

SLIDE 13

Threat Actors

APT28 Fancy Bear

SLIDE 14

Threat Actors

Darkhotel APT

SLIDE 15

Notable Data Breaches

SLIDE 16

Disclaimer Once Again!

SLIDE 17

How did this all start?

SLIDE 18

SLIDE 19

SLIDE 20

Disclosure Timeline

2018-10-31: First vendor notification – immediate response
2018-11-12: Technical details sent to vendor
2018-12-10: Vendor questions feasibility
2018-12-15: Proof of concept sent
2018-12-17: Vendor acknowledges vulnerability
2018-12-20: Vendor discusses update plans
2019-04-01: Vendor assures patching

SLIDE 21

Hmm ??

SLIDE 22

Wi-Fi

SLIDE 23

Captive Portal

Radius
LDAP
Voucher
SMS
PMS
Social Login

Billing Feature

Credit Card
PMS (FIAS)

Management

Web portal
Role based access
DNS server
DHCP
Firewall
Lawful interception

SLIDE 24

Target Selection

SLIDE 25

Attack Surface

SLIDE 26

Get private data
Subscriber’s details, Network configuration, DHCP, DNS, firewall rules
Backup, logs, PMS, Guest details, SSL, SMTP
Set every parameter
DHCP, DNS, WAN, LAN, Route Configuration
Port forwarding, Syslog, SSL
Download
Configuration, database, backup, logs
Upload
Backup, Images

Web Management Portal

SLIDE 27

Web Server

SLIDE 28

SLIDE 29

SLIDE 30

SLIDE 31

SLIDE 32

SLIDE 33

SLIDE 34

TLS Certificates

SLIDE 35

Database

SLIDE 36

Read Write

SLIDE 37

Firewall rules

SLIDE 38

Configuration

SLIDE 39

Guest Details

SLIDE 40

Guest WIFI Configuration

SLIDE 41

Session Riding

SLIDE 42

Plain Text Credentials

SLIDE 43

Enumerating Users

SLIDE 44

SSH

SLIDE 45

System

SLIDE 46

Tools

SLIDE 47

Configuration

SLIDE 48

Owning DNS

HTTP/S Downgrade
Sniff plain text credentials
FakeDNS
WPAD abuse
Hash capture (http_ntlm)
Beef Hooks
Browser autopwn2
Evilgrade
BDFProxy

SLIDE 49

User Reset

SLIDE 50

Management Portal

SLIDE 51

Active Users

SLIDE 52

Mac Addresses

SLIDE 53

User Details

SLIDE 54

DHCP Configuration

SLIDE 55

DNS Configuration

SLIDE 56

DNS Enteries

SLIDE 57

DYNDNS Configration

SLIDE 58

Network Configuration

SLIDE 59

Routes

SLIDE 60

Network Configuration Review

SLIDE 61

Port Forwarding

SLIDE 62

SSL Overview

SLIDE 63

Subnets

SLIDE 64

Interception

SLIDE 65

Firewall rules

SLIDE 66

Logs

SLIDE 67

Guest Details

SLIDE 68

PMS

SLIDE 69

Backup

SLIDE 70

SMTP

SLIDE 71

SLIDE 72

GUESS WHAT ?

SLIDE 73

DEMO

SLIDE 74

SLIDE 75

So, Who is Vulnerable ?

SLIDE 76

Once, we own the main box!

PMS
Corporate network
Electronic door locks
Alarm
HVAC
Guests devices
IOT devices
CCTV
In fact anything connected to the gateway

SLIDE 77

Mitigations for Guests

SLIDE 78

Mitigations for Guests

SLIDE 79

Mitigations for Guests

SLIDE 80

Mitigations for Guests

SLIDE 81

Mitigations for Guests

SLIDE 82

Mitigation for Guests

SLIDE 83

Mitigation for Guests

SLIDE 84

Mitigation for Owners

Train and re-train your staff
It takes one click on wrong link
Train employees on best practices and

common attack vectors

SLIDE 85

Mitigation for Owners

Strengthen your infrastructure
Avoid easy to guess passwords on POS
Use 2FA authentication
Ensure end point protection is up to date
Separate POS network from other
Filter remote access for POS controller
Segment WIFI Networks

SLIDE 86

Mitigation for Owners

Regulate vendors
Ensure vendor meets compliance standard
Regularly assess the risk of their vendors and partners

SLIDE 87

Mitigations for Owners

Threat hunt inside your network
Hackers move around to find valuable data
Monitor network traffic to identify suspicious

activity and discover unauthorized access

SLIDE 88

Mitigations for Owners

Create a incident response plan to

speed up mitigation process.

SLIDE 89

Conclusion

Stay aware while traveling
Use VPN or 4G LTE
Advanced persistent threats are devastating
Biggest threats are simple not sophisticated
No sign that attacks will slow down across any industry

SLIDE 90

Thank You

https://www.linkedin.com/in/aitezaz/