My aunt was visiting DC during the shutdown and decided to end her trip early because there was no end in sight (not to mention the weather wasn’t great either). She was kind enough to offer the remaining night of her stay to my girlfriend and me (we live just outside of DC). My aunt gave me a key and the room number, and my plan was to meet my girlfriend at the hotel after work. Since she works in DC, she got there first and texted me for the room number. Unfortunately, I’d saved it in an app that I forgot to back up before upgrading the ROM on my phone. I remembered the floor and the last digit of the room number, but couldn’t remember the tens digit. Not being one to risk getting in trouble for things, my girlfriend waited for me, and we tried a couple of rooms before getting in. The rest of the night was spent eating Chinese food and watching some shows online and on TV.
The next morning we woke up and she had to go to work, but I had some hours to kill. Then it dawned on me! All that was required to sign into the complimentary Internet was the last name of the person on the reservation and a room number. Looking at that a different way: if you want to find out whether someone with a particular last name is staying in a particular room, whether or not access is granted is your true or false. It’s not all that useful to do one at a time, but I had my laptop with me and a VM running BackTrack, so scripting was an obvious option. After some research and trial and error, I managed to write a script using Hydra, a program normally used for brute-force login (i.e. username and password) attacks. Essentially, you give Hydra a username, a list of passwords, the names of the username and password fields in the HTML form, and a string that is expected in the response when the login fails. Hydra runs through the password (or in my case, room number) list and checks each response for the failure string. If that string isn’t found, Hydra prints the username and password combination that produced that response.
In addition to the fields mentioned above, there were some extra form fields and a cookie that I included, since I could see them being sent as part of the request in Chromium’s developer tools. Another thing to note is that Hydra worked well only for about 10 room numbers per script run.
This was at a popular hotel in Washington D.C., and I believe it to be a major privacy vulnerability for guests of the hotel. I can’t think of any bullet-proof ways around it, but simply putting a limit on the number/frequency of attempts for the same last name and different room numbers could go a long way.
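The limit suggested above, written out as an added Python example. This is not the script from the post and not any hotel portal’s real code; the policy numbers, the reservation table, the log line format and the function names are all constructed assumptions. The throttle counts how many distinct rooms a single last name has been tried against inside a time window and refuses further attempts before the reservation lookup ever happens, the portal returns one uniform failure message so the response text itself leaks nothing, and a second function runs the same rule offline over portal log lines so an operator can spot the pattern after the fact.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example): one last name may be
# tried against at most MAX_DISTINCT_ROOMS different rooms within WINDOW_SECONDS.
MAX_DISTINCT_ROOMS = 3
WINDOW_SECONDS = 600

# Constructed reservation table standing in for the hotel's property system.
RESERVATIONS = {("smith", "512"), ("nguyen", "507")}

# One message for every failure (wrong name, wrong room, or throttled), so the
# response text cannot be used as the true/false oracle described in the post.
GENERIC_FAILURE = "We could not verify your stay. Please see the front desk."


class PortalThrottle:
    """Tracks recent (timestamp, room) attempts per last name and refuses the
    enumeration pattern: the same name tried across many different rooms."""

    def __init__(self, max_rooms=MAX_DISTINCT_ROOMS, window=WINDOW_SECONDS):
        self.max_rooms = max_rooms
        self.window = window
        self.attempts = defaultdict(deque)  # last_name -> deque of (ts, room)

    def _recent_rooms(self, key, now):
        q = self.attempts[key]
        while q and now - q[0][0] > self.window:  # drop attempts outside the window
            q.popleft()
        return {room for _, room in q}

    def allowed(self, last_name, room, now):
        key = last_name.strip().lower()
        rooms = self._recent_rooms(key, now)
        # Record every attempt, including refused ones, so a caller that keeps
        # guessing keeps extending its own window.
        self.attempts[key].append((now, room))
        if room in rooms:
            return True  # retrying the same room is a typo, not enumeration
        return len(rooms) < self.max_rooms


def portal_login(throttle, last_name, room, now):
    """Hypothetical portal handler: throttle first, look up second, uniform text."""
    if not throttle.allowed(last_name, room, now):
        return (False, GENERIC_FAILURE)
    if (last_name.strip().lower(), room) in RESERVATIONS:
        return (True, "Welcome, you are connected.")
    return (False, GENERIC_FAILURE)


def flag_enumeration(log_lines, max_rooms=MAX_DISTINCT_ROOMS, window=WINDOW_SECONDS):
    """Offline detection over constructed log lines of the form
    '<unix_ts> login last=<name> room=<room> result=<ok|fail>'.
    Returns the last names tried against more than max_rooms distinct rooms
    inside any span of window seconds."""
    by_name = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "login":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        by_name[fields["last"].lower()].append((int(parts[0]), fields["room"]))
    flagged = set()
    for name, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            rooms = {r for t, r in events[i:] if t - t0 <= window}
            if len(rooms) > max_rooms:
                flagged.add(name)
                break
    return flagged


# Constructed sample log: one name walked across four rooms, one genuine guest.
SAMPLE_LOG = [
    "1700000000 login last=smith room=501 result=fail",
    "1700000005 login last=smith room=502 result=fail",
    "1700000010 login last=smith room=503 result=fail",
    "1700000015 login last=smith room=504 result=fail",
    "1700000020 login last=nguyen room=507 result=ok",
    "1700000021 login last=nguyen room=507 result=ok",
]

if __name__ == "__main__":
    th = PortalThrottle()
    for t, room in enumerate(["501", "502", "503", "512"]):
        print(t, room, portal_login(th, "Smith", room, t))
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

The throttle is keyed on the last name rather than the client address, because the pattern being stopped is one name against many rooms; a per-address limit alone would still allow the same walk from several connections. A legitimate guest who mistypes their room number is unaffected, since repeating a room does not count as a new attempt and the window expires on its own.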
Other use cases include using a common last name to 1) get free WiFi from the hotel without being a guest and 2) charge items to that person’s room.