The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, July 30, 2005
In many hotels these days, you can use the room's television to check your bill, check your e-mail and check out of your room. Will miracles never cease? I, for one, never gave any thought to how secure these systems are. That's pretty naive.
If it moves, whirs, clicks, plugs in or connects anything to anything else, someone will try to figure out how it works and what mischief can be accomplished with it. Wired news has interviewed a hacker who, in a fit of boredom and a desire to watch pay movies for free, has figured out the system. What he has found is more than a bit troubling:
Wired News: A Hacker Games the Hotel"... But one of the most serious vulnerabilities he found was in the billing system. Hotel guests can use their TV to check their account balance. The bill is tied to the room number, which in turn has a unique address that's assigned to the TV.
Laurie could view the bills of other guests and see their room numbers simply by going to a menu that displayed the address of the TV in his room and changing a number in the address to make the TV think it was in a different room.
"If I change that address -- it was A161 and I've now changed it to A162 -- I'm now looking at the bill of the guy next door," he said.
If he wanted to know the names and room numbers of all the guests in a hotel, he could automate the process by writing a simple script to call up sequential TV addresses, then set a video camera on a tripod in front of the TV to capture the bills as they came up.
"That tells me who's in there, who's sharing (the room) with who and what they've been doing," he said. This sort of hack would be useful to any number of people, including paparazzi stalking celebrities and private detectives hired by spouses.
"Why would they connect (the TV) to a billing system?" Laurie asked. "Because they don't think. As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending you confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing."
Laurie could view certain activities of other guests by tuning to other channels or by scanning through all possible channels in the system. That's because when a guest purchases premium content or TV internet access, the hotel system assigns a channel to the guest's room through which to deliver the service. All Laurie had to do was surf the channels.
He produced a slide of his TV screen showing another hotel guest sifting through business proposals in his e-mail.
"He's happily typing away in his room thinking he's privately viewing his e-mail," Laurie said. "But I could be anywhere else in the building watching what's going on (from) the TV. If I was a business rival staying in the same hotel at a conference, I could do a little corporate espionage. I see the (bid) proposal he's putting in and I could go in and put one in that's 10 bucks cheaper." ..."
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.