The day I hacked a hotel, Purism CTO

'The Internet of Things is really horrible' says Zlatan Todorić

Hacking your hotel room is becoming to techies what trashing it was to rockers in the 1970s. A short while ago, while staying at a London hotel, security developer Matthew Garrett hacked the light controls in his room, then blogged about it. There have been other hotel hacks documented too, with cheeky geeks taking advantage of proprietors' eagerness to be seen as being cutting edge.

"I did the same thing," said Zlatan Todorić, CTO at Purism, a developer of laptops and open source software, speaking to Computing at the Privacy Advantage event in London last week.

"I noticed that there was this sort of smartphone to control all the lights and I thought ah, this is some sort of IoT device. If it can send and receive signals it must have a network interface, and if it has a network interface then awesome, it's exploitable."

With a little effort Todorić hacked the system and succeeded in controlling the lights in his room from his laptop.

"Then I thought, if I can hack my lights I can probably do the same for my neighbour's room and I gave him a special light show and I could hear him shouting and complaining 'what the hell's going on?'" he laughed.

"So, then I thought let's take it to the next step. The servers must be on the same network, so I looked around and found them in the clear, unprotected. So I hacked their servers and then I went down and told them what I'd done and said 'you really need to change this'."

So far, so geeky hi-jinks, but what this shows is just how vulnerable such systems are to those with a bit of technical know-how if they are not properly secured. As "smart" devices proliferate, they open up a huge range of potential entry points for hackers.

"The Internet of Things is really horrible," Todorić said. "Everyone's excited by their toaster being smart, but it's not smart, it's stupid. There's no such thing as a smart device. [A human being] creates software that says computationally how that thing will work, and that's all it does. It's stupid.

"Don't give information to your fridge. Don't give your information to a toaster. If I hack your toaster and it's connected to your phone I'm going to hack your phone. If I hack your phone I can get to your inbox and I can create fake data about you if I want to."

In Computing's latest research, device and data security (or the lack thereof) and a need for proper data protection and privacy frameworks were found to be the chief impediments to the wider adoption of connected IoT devices.
