Configuration Negligence: Who is Responsible?

by lg0p89

A hotel is much like any other business.

The network is there, along with the cabling, switches, servers, etc.  Wi-Fi is another shared area.  A business would typically run both a guest Wi-Fi network and an internal one.  The distinction is clear: the guest Wi-Fi is for the convenience of visitors, and the internal Wi-Fi is for staff conducting business.  The internal Wi-Fi reaches the sensitive portion of the business, where only authorized persons should be.

As a rule of thumb, more security controls would be applied to the internal Wi-Fi and network.  After all, the business would not want unauthorized persons nosing about in its private and confidential areas, files, and systems.

What Happened

A security researcher from China visited Singapore and stayed at the Fragrance Hotel in late August 2018.

The researcher was attending the Hack In The Box conference and participated in the Capture The Flag (CTF) competition.

The researcher happens to work at Tencent, a name that should sound familiar to those involved in red-teaming vehicles.  Being a security researcher, he was naturally curious and began testing the hotel's Wi-Fi.

While staying at the hotel, the researcher examined its Wi-Fi system.  The hotel's Wi-Fi used an ANTLabs IG 3100 gateway for authentication.  This device happens to have backdoor accounts for Telnet and FTP.

Telnet and FTP carry logins and session data in cleartext, and they have not been an acceptable way to manage a device for many, many years; SSH and SFTP replaced them long ago.  They are easy prey for attackers.  On top of that, the device's backdoor accounts were left open, which is not prudent either.  And the default login credentials happened to be publicly published.  They had never been changed.

Thus, entering the system was very easy with this data.

Once inside, the researcher noted a server still running MySQL 4.1.2, a version that had been out of support for years.  The database password happened to be stored in a file in the /etc directory.  With it, the researcher had the admin account and complete control.  Specifically, he was able to monitor the devices on the system, the number of clients logged in, and other data held by the system.  He then posted this on a blog, which is where his problems began in earnest.

Breaking the Law

Laws naturally differ from country to country, and, in the United States, from state to state.

In Singapore, the researcher could have been imprisoned for years and hit with a massive fine.  Compromising the system was clearly against the law unless authorized, and he did not have permission.  Posting the compromised information publicly added insult to injury.  In the end, the researcher was fined SGD $5,000 (about USD $3,500).

In a Different Frame

Indeed, the researcher compromising the system, even without a malicious intent, was not the optimal route.

The researcher should not have been meandering about in this gray area.  Yes, he deserved some form of punishment as negative reinforcement for his acts.

On the other side, the hotel should accept a good portion of the blame and responsibility.  The hotel did not act in even a remotely prudent manner.  Its handling of passwords and its continued use of Telnet and FTP were shameful at best.

This is analogous to the attractive nuisance doctrine in U.S. tort law.

If you own a pool in the U.S., for example, the common law says you should not leave it in the open without some form of barrier (i.e., a fence).  If there is no barrier and a child wanders in and drowns, you may be sued under the attractive nuisance doctrine, depending on the jurisdiction.  Of course, the researcher is not a child and can reason as an adult does.

The issue is more with the manner in which the hotel did not appropriately handle its business.

The hotel took several missteps, and they may have been in place for years.  The services should have been configured in line with the industry standards of the time, which had themselves been in place for years: cleartext management protocols disabled, default credentials changed, the database kept on a supported version, and the whole thing updated as needed.

Leaving this poorly configured system in full operation was a complete dereliction of duty in so many ways (e.g., Telnet, FTP, passwords easily found on the server, default passwords never changed, etc.).
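The four failings listed in the narrative (cleartext Telnet/FTP, a database years out of support, a password sitting in a readable file under /etc, and default credentials never changed) are all things an operator can check for without any attacker involved.  The script below is an added example written for this article; it is not code from the article, from ANTLabs, or from the hotel.  Every input is constructed inline (an `ss -tlnH`-style socket listing, a throwaway /etc-like directory, and a fake account list), and the list of "published defaults" and the MySQL support cutoff are assumptions for the demonstration, not the IG 3100's real values.

```python
"""Audit checks for the gateway misconfigurations described in the article.

Added example, not code from the article, from ANTLabs, or from the hotel.
All inputs are constructed so the script runs offline; PUBLISHED_DEFAULTS
and the version cutoff are placeholders, not the real device's values.
"""
import os
import re
import stat
import tempfile

# Cleartext management protocols that should not be listening at all.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed listing in `ss -tlnH` format: State Recv-Q Send-Q Local Peer.
SAMPLE_SS = """\
LISTEN 0 5   0.0.0.0:21    0.0.0.0:*
LISTEN 0 5   0.0.0.0:23    0.0.0.0:*
LISTEN 0 80  0.0.0.0:3306  0.0.0.0:*
LISTEN 0 128 0.0.0.0:443   0.0.0.0:*
LISTEN 0 128 [::]:22       [::]:*
"""

# Placeholder standing in for a vendor's published default logins (constructed).
PUBLISHED_DEFAULTS = {("admin", "admin"), ("root", "password"), ("ftp", "ftp")}

# Matches lines such as `db_password = hunter2` or `PASSWD=...`.
SECRET_LINE = re.compile(r"pass(word|wd)?\s*=", re.IGNORECASE)


def audit_listeners(ss_output):
    """Flag cleartext services and a database reachable beyond loopback."""
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]                      # e.g. 0.0.0.0:23 or [::]:22
        port = int(local.rsplit(":", 1)[1])
        if port in CLEARTEXT_PORTS:
            findings.append(f"{CLEARTEXT_PORTS[port]} listening on {local}")
        elif port == 3306 and not local.startswith(LOOPBACK_PREFIXES):
            findings.append(f"mysql exposed on {local}")
    return findings


def mysql_unsupported(version, oldest_supported=(8, 0)):
    """True when major.minor is below the oldest branch still receiving fixes.

    The (8, 0) cutoff is an assumption to adjust over time; 4.1.x has been
    out of support since 2009 and fails under any reasonable cutoff.
    """
    match = re.match(r"(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in match.groups()) < oldest_supported


def unchanged_defaults(accounts):
    """Return the users whose (user, password) pair is a published default."""
    return sorted(user for user, pw in accounts if (user, pw) in PUBLISHED_DEFAULTS)


def world_readable_secrets(etc_dir):
    """Return files under etc_dir holding a password line and readable by others."""
    hits = []
    for root, _dirs, files in os.walk(etc_dir):
        for name in files:
            path = os.path.join(root, name)
            if not os.stat(path).st_mode & stat.S_IROTH:
                continue                       # mode 0600 and the like are fine
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SECRET_LINE.search(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def build_sample_etc():
    """Create a throwaway /etc-like tree: one secret world-readable, one locked down."""
    etc_dir = tempfile.mkdtemp(prefix="gateway-etc-")
    exposed = os.path.join(etc_dir, "gateway.conf")
    with open(exposed, "w", encoding="utf-8") as fh:
        fh.write("db_host = 127.0.0.1\ndb_password = hunter2\n")   # constructed
    os.chmod(exposed, 0o644)
    locked = os.path.join(etc_dir, "secure.conf")
    with open(locked, "w", encoding="utf-8") as fh:
        fh.write("password=not-for-guests\n")                      # constructed
    os.chmod(locked, 0o600)
    return etc_dir


def run_audit(ss_output=SAMPLE_SS, mysql_version="4.1.2", accounts=None, etc_dir=None):
    """Run every check and return the findings as one dict."""
    accounts = accounts or [("admin", "admin"), ("ops", "correct-horse-battery")]
    etc_dir = etc_dir or build_sample_etc()
    return {
        "cleartext_services": audit_listeners(ss_output),
        "mysql_unsupported": mysql_unsupported(mysql_version),
        "default_credentials": unchanged_defaults(accounts),
        "readable_secrets": world_readable_secrets(etc_dir),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Run as-is it reports all four findings against the constructed input.  On a real gateway you would feed `audit_listeners` the output of `ss -tlnH`, point `world_readable_secrets` at the actual /etc, and replace the placeholder default list with the vendor's published one; the point is that each of the hotel's missteps is a cheap, scriptable check that a prudent operator would have been running long before a guest did the same thing by hand.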

A certain level of competence is expected, but at times it is not applied.  This negligence surely contributed to the incident by creating the attractive nuisance.

This is a bit of a stretch for legal reasoning, yet still should be explored.
