Learn how to control every room at a luxury hotel remotely: the dangers of insecure home automation deployment

The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, o↵ers guests a unique feature: a room remote control in the form of an iPad2. The iPad2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allowed an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and, as a result, was able to create the ultimate remote control. The attacker does not even need to be in the hotel he could be in another country. This white paper discusses home automation and the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments.