Security Researcher Fined For Hacking Hotel Wi-Fi And Putting Passwords On The Internet
(Sep 25, 2018)
A Chinese security researcher was fined by Singapore authorities after he compromised a hotel's Wi-Fi system without authorisation and published the passwords for the internal network in a blog post. He brute-forced the hotel's internet gateway device, which was still using its default password, and then used scripts and exploits to gain elevated access on the system. From there he found the password for the MySQL database holding information on the hotel's internal network. He did not report these security issues to the hotel, but instead published a public blog post containing all of the passwords, leaving them available for threat actors to use in a potential future attack. He was arrested by authorities and fined for the breach.
Recommendation: As a security researcher, it is your duty to report any vulnerabilities to an organisation should you discover them, especially in a case like this where the impact of a legitimate attack could be severe. It is also unethical to "test" the security of an organisation's devices without their explicit consent, even if the intentions are good. As an organisation, ensure you have changed default passwords to new, more complex passwords to defeat simple brute-force tactics. Likewise, ensure your databases and sensitive internal information are properly secured and stored to prevent threat actors from accessing or manipulating them.
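The two defensive recommendations above, default-credential hygiene and resistance to brute forcing, can both be checked with a small audit script. The following is an added example written for this briefing, not code from the story or from any vendor; the default-credential list, the account export, the log line format and the sample log entries are all constructed for illustration.

```python
"""Defensive checks for the two issues in the hotel gateway story:
1) accounts still configured with a known default or weak password, and
2) brute-force activity (many failed logins from one source in a short window)
in gateway authentication logs.

All data below is constructed; a real audit would read the device's
configuration export and its real log files.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of vendor default credentials (username, password).
# A real audit would use vendor documentation or a curated default-credential list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}

# Constructed account export, as a device configuration dump might provide it.
SAMPLE_ACCOUNTS = [
    ("admin", "admin"),               # never changed from the vendor default
    ("operator", "Gw-7xLq!9mTz"),     # 12 chars, four character classes
    ("root", "r00t-Str0ng!Pass"),
]

# Constructed gateway auth log: a burst of failures then a success from one
# source, and two isolated failures from another.
SAMPLE_LOG = """\
2018-09-20 02:14:01 auth: FAILED login user=admin from=203.0.113.7
2018-09-20 02:14:03 auth: FAILED login user=admin from=203.0.113.7
2018-09-20 02:14:04 auth: FAILED login user=admin from=203.0.113.7
2018-09-20 02:14:06 auth: FAILED login user=admin from=203.0.113.7
2018-09-20 02:14:08 auth: FAILED login user=admin from=203.0.113.7
2018-09-20 02:14:09 auth: SUCCESS login user=admin from=203.0.113.7
2018-09-20 02:40:00 auth: FAILED login user=guest from=198.51.100.4
2018-09-20 03:10:00 auth: FAILED login user=guest from=198.51.100.4
""".splitlines()


def find_default_credentials(accounts):
    """Return usernames whose (username, password) pair is a known default."""
    return sorted(user for user, pw in accounts if (user, pw) in DEFAULT_CREDENTIALS)


def password_is_weak(password, min_length=12):
    """True if the password is short or uses fewer than three character classes."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(password) < min_length or classes < 3


def find_weak_passwords(accounts):
    """Return usernames whose password fails the complexity check."""
    return sorted(user for user, pw in accounts if password_is_weak(pw))


# Constructed log format assumed by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: max_failures_in_window} for every source that produced
    at least `threshold` failed logins inside any interval of length `window`.
    Uses a per-source sliding window over the sorted failure timestamps."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAILED":
            continue
        failures[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    print("default credentials:", find_default_credentials(SAMPLE_ACCOUNTS))
    print("weak passwords:", find_weak_passwords(SAMPLE_ACCOUNTS))
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
```

On the constructed data the script flags the unchanged `admin` account twice (default and weak) and reports 203.0.113.7 as a brute-force source; the two failures from 198.51.100.4 fall outside the two-minute window and are left alone. The successful login right after the burst is the event an incident responder would want alerted on, since it is the pattern a default password produces under a dictionary attack.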