The hole in Schneier's story is that you can't just send them any old letter. It has to be a card that you've purchased from them.
It's not much of a revelation: "If I actively purchase a token to have something inoffensive sent to an address, why, the company will send it without verifying that the person who handed over the money is the recipient!".
It would be possible to send packets to the elevator, but the elevator playing them would be another issue. If there is no authentication at all (as in it just plays all packets it receives on UDP 2046) I would imagine you would get an interesting mix of "valid" elevator music and your own "invalid" music.
On the other hand, those first 8 bytes of the packet may be some authentication/verification scheme which would have to be reverse engineered. Also, it may only play UDP packets coming from 234.0.0.2:2046, which would likely mean you would have to convince the DHCP server to assign you that address instead of its intended host.
Wasn't there an article a while back by a guy who stayed at a "smart" hotel and discovered he could turn the lights on and off in other people's rooms? If that's any indication of how this industry is treating security, I say "play some Skynyrd."
> Also, it may only play UDP packets coming from 234.0.0.2:2046, which would likely mean you would have to convince the DHCP server to assign you that address instead of its intended host.
This does not agree with my understanding.
234.0.0.2 is probably the destination address. I think if a DHCP server gave out an address in this range it would be misconfigured.
In 802.3 and 802.11 I think multicast packets are actually broadcast, so this is why you don't need to join the group.
You seem like someone who would be well served by a perusal of the below Wikipedia page. Briefly, these packets are destined for an IP address in the 224.0.0.0/4 IP space, meaning multicast. SRC address is neither important nor verified (and since it's UDP on the same broadcast domain, there's really very little that can be done to stop the packets being processed unless the hotel has a very smart access point. They never do).
> *It would be possible to send packets to the elevator, but the elevator playing them would be another issue. If there is no authentication at all (as in it just plays all packets it receives on UDP 2046) I would imagine you would get an interesting mix of "valid" elevator music and your own "invalid" music.*
At that point (assuming it's the kind of elevator music that uses low-intensity instrumental versions of pop hits), it would be really fun to get the original versions of the songs they're playing and sync up the position and playback rate.
That would definitely be another interesting read! I'm not a networking guy, but I definitely want to know if it is possible to stop the packets from going to their final IP? Can they be intercepted and replaced with other data?
This feels as exciting as what they do with video feeds in Hollywood movies, i.e. where the hacker puts in her own camera loops replacing live feed.
Probably difficult to intercept the packets, but since they're apparently broadcast over the whole hotel network, it would likely be straightforward to send your own out to be mixed in with the real packets and get some sick elevator glitch muzak going.
There was another recent post about a hotel that had Android devices controlling the lights, in the entire hotel. Which had no auth protection at all. I'd bet money, it would be the same for the elevator music.
This would be the obvious follow-up, then you can make your own "elevator music" and send it out. But that probably depends on understanding what's in the first 8 bytes too :-)
kriro|9 years ago
https://www.schneier.com/blog/archives/2008/03/the_security_...
vacri|9 years ago
TheGeminon|9 years ago
niccaluim|9 years ago
kw71|9 years ago
jasonjayr|9 years ago
bipson|9 years ago
joantune|9 years ago
Godel_unicode|9 years ago
https://en.m.wikipedia.org/wiki/Multicast_address
PhasmaFelis|9 years ago
Khaine|9 years ago
13of40|9 years ago
Or you could just manually configure your computer to use that address.
alfiedotwtf|9 years ago
supersan|9 years ago
corndoge|9 years ago
detaro|9 years ago
vinhboy|9 years ago
kilroy123|9 years ago
ChuckMcM|9 years ago
thaumasiotes|9 years ago
itsthecourier|9 years ago
[deleted]
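Several comments in this thread turn on the stream having no authentication and the source address not being verified. As an added example (not from the thread and not any vendor's protocol), here is one way a receiver could reject injected or replayed datagrams. The frame layout (8-byte sequence number, audio payload, truncated HMAC-SHA256 tag), the names `seal` and `Receiver`, and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                  # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct("!Q")  # assumed layout: 8-byte big-endian sequence number


def seal(key: bytes, seq: int, audio: bytes) -> bytes:
    """Sender side: header || audio || tag; the tag covers header and audio."""
    header = HEADER.pack(seq)
    tag = hmac.new(key, header + audio, hashlib.sha256).digest()[:TAG_LEN]
    return header + audio + tag


class Receiver:
    """Accepts a datagram only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, datagram: bytes):
        if len(datagram) < HEADER.size + TAG_LEN:
            return None  # too short to hold a header and a tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: the source address is never consulted
        (seq,) = HEADER.unpack_from(body)
        if seq <= self.last_seq:
            return None  # replayed or late frame; dropping late audio is acceptable
        self.last_seq = seq
        return body[HEADER.size:]


def demo():
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    rx = Receiver(key)
    good = seal(key, 1, b"frame-1")
    untagged = HEADER.pack(2) + b"other-audio" + bytes(TAG_LEN)  # no valid tag
    wrong_key = seal(b"some-other-key", 2, b"other-audio")       # sender lacks the key
    return [rx.accept(good), rx.accept(untagged), rx.accept(wrong_key),
            rx.accept(good), rx.accept(seal(key, 2, b"frame-2"))]
```

A shared key only keeps out hosts that do not hold it; any device provisioned with the key can still produce valid frames.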