This project is capstone project for Embry-Riddle Aeronautical University done with Tristan Gilliland and Dustin Tabangcura. All work posted below was my contribution to the project and I plan to continue my research.

Over the past two years, as I have been traveling around the United States of America, I took this as an opportunity to explore and understand hotel business center security. This project started when I was flown out of state for a job interview. The hotel was centrally located in the middle of two major companies, a close drive from the airport, and convenient to the hiring event location. Even before this trip, I made a habit to check hotel business centers for any information left behind. In Hawaii it was common to find insurance waivers for activities such as diving or zip lining. At the hotel I stayed at for the job interview I looked for similar type of information. When I got a session on the computer, I realized someone had left a resume behind. From the details on the resume I was able to determine they were going to t he same hiring event, and I confirmed the information next day. When I tell people about my research there are two frequent comments. The first comment being the extreme, “people should never access information from a public computer”. Before the second comment there is laughter followed by the question, “WHAT hotel business center security?”

Due to the sensitive nature of this project I will not list any specific hotel brands or software names. All data collected in this project was handled appropriately and I did not save any documents. Information was put into categories for the report to be presented. This project is purely educational.

A hotel business center is a room or area in a hotel with facilities such as computers and printers that allow guests to work while staying at the hotel. There are two types of business center, connectivity zones or traditional. Connectivity zones are in the lobby and a traditional business center is in its own room. Data gathered for the project comes from both hotels I stayed at as well as hotels I just walked into.

Connectivity zones were easier to just walk into and collect data because they did not require key card access. Traditional business centers can be accessed with or without an RFID hotel key card, it depends on the location. For this project I collected business center data from 22 hotels around the United States and visited a total of 17 states.

Business centers usually use all-in-one computers with kiosk software for handling a user session. Previous research about kiosk software was presented at Defcon 16 and 19 by Paul Craig. At both Defcon conferences Craig presented the interactive Kiosk Attack Tool (iKAT) as a tool that can be accessed through a web browser to make kiosk hacking easy. iKAT has become the de facto standard for kiosk hacking, and the website is blocked by default in kiosk software. This research is over ten years old and hotels can still be vulnerable.

The security reporter Brian Krebs brought up the third law of Microsoft’s ten immutable laws of security when the secret service found key loggers in hotel business centers. “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore”. I saw this as a theme throughout my research. While kiosk software limited user access to the computer it also took away understanding of the base operating system. In one hotel, a user wondered why the computer did not look or respond like the computer they had back at home. One of the other points that Krebs brings up in the article was the ability to access the BIOS. Only one hotel that I went to had a BIOS password that was not default and could not be easily guessed. Accessing the BIOS enables someone to change the boot order and boot from a different operating system to add, delete, or modify files in the underlying Windows system. Secret service members warned of malware in business centers five years ago and some computers still do not have any protection. Even throughout the same hotel chain completely different computer setups are used.

In both Craig and Krebs research tools were used to manipulate or change business center computers. The goal of this project was to understand as much as possible and break out of the sandbox kiosk environment without the use of tools.

SurveyMonkey was used to collect data without recording any Personal Identifiable Information (PII). Overall data was broken down into four categories, log files, medical info, PII, and other. “Gathered Document Data Type” provides a breakdown of the amount of data recovered.

Log files were the most common data type with 50% of the total data collected. After escaping the kiosk sandbox with Microsoft Word (file, open, browse) a File Explorer window would open, and I had free reign to access any file on the operating system. Even if I could not get the internet history logs from a browser, the web surfing history was backed up and saved by the software. On the terms of use people agree to history being saved and held for 30 days. Findings on saved business center internet history ranged from 10 days to five years. Formatting for the logs listed the date, software, and navigation. The second most common data type was other, which included resumes and business plans. Medical information compromised of 15% of the dataset. Multiple hotels had medical information left behind by a doctor in the printer. PII made up 10% of the dataset and included any document that would allow for an identity to be stolen.

When I walk inside of a hotel, I wanted to know everything. As I got more familiar with the different hotel types I created a process (web research, scouting hotels, physical security, and information security).

Web research involved answering the question “what information about business centers is available online?”. With the use of Google hacking I was able to find documents that outlined hotel cost reports that were marked as trade secret. In the report I found that there are two types of hotel business centers (connectivity zones, and traditional). The cost of building any business center in the United Sates is between $6,000 and $25,000. Money going to the business center includes purchases of computers, a shredder, printers, and other equipment. Computers are recommended to be replaced every two years. Halfway through the research one of the hotels updated the computers from Windows 7 to Windows 8 and replaced the Macintosh. Most users I saw preferred Windows because they were familiar. Hotels offer a ‘virtualized tour’ of the lobby and rooms, this was helpful in specifically choosing to visit locations where the business center is in the lobby.

Avoiding getting caught was crucial when doing research. I did not want to disrupt daily business operations. Before going in I would scout out the location of the hotel to see landmarks and the type of person expected to show up. At a resort location the attire is going to be less casual and walking in with a suit and tie could get some looks. Locations near colleges expected kids to be walking either alone or with parents. Different areas always meant different information. Resort style hotels commonly had insurance or travel data left behind. Hotels in the city had business plans, job information, and hospital information. A common lobby activity is pulling out a wallet and searching for a room key card. I was able to get a total of four room key cards for social engineering purposes by pure luck. People leave keys all over after checking out, including right next to me at the airport or in the business center.

Traditional business centers commonly have key card access to the room. The walls in some traditional business centers were not built to go all the way up to the ceiling. While it may be extreme for someone to vault over the wall, a flash drive could be thrown over. Security awareness training warns employees of plugging in unknown flash drives, that knowledge can be challenged when the flash drive is found on the inside. Tailgating could occur when a legitimate guest with keycard access allows someone to follow in behind them. Even the front desk will let a person into the business center to print out a document. Front desk clerks usually know nothing about the business center. Some hotel chains allow guests to send documents to the printer anywhere in the world and front desk knows nothing about that capability. After the original point of entry there is no computer logon. Everyone has access to these machines.

Another item missing from business centers is a camera and a reliable shredder. None of the computers are bolted down. If someone was in the market for a slightly used all-in-one computer, they could just walk out with one. Upon finding sensitive information in the printer, I asked the front desk if they could properly dispose of the info and they just looked back and responded with “this is bad”.

Anything found on a business center computer was classified as information security. The main protector of information security on hotel business center computers is kiosk software. A user session is created when a person shakes a mouse and the screensaver goes away. Out of the 22 hotels I visited there were only two different kiosk software. After a user session is complete, kiosk software is supposed to delete all data left behind so the next user has no knowledge of what came before them. Reading that was assuring but I was still able to recover documents long after a session ended. Testing this involved going to a hotel and saving a document on the desktop. A week later I came back and the document was still there. That test is not to make people paranoid, at some hotels the information was no longer available after a user session as promised. Business centers are inconsistent. Kiosk software is slow to boot when the machine is restarted. While it is glitchy the ability to access the actual machine exists and the kiosk software will appear as a tab that can be closed. In Macintosh computers the software is visibly more glitchy than Windows.

One of the log files had a download link to the software. Upon testing the software in a virtual machine back at my computer I noticed the version obtained from the logs was ten versions from the current release. Software releases after the version on the computer contained critical exploit patches. Important system settings that needed to be changed manually included BIOS password, boot sequence, deactivate the computer’s power button, and the power schedule.

Exploring further with the software in the virtual machine gave default buttons to escape kiosk software, and default password for admin credentials were found on online software help forms. Escaping was easy, the next goal was to understand the file structure. For 45 minutes I sat at a hotel business center taking pictures of the file structure, then suddenly I was interrupted. A group of people could not print out their travel forms because the layout was different from a computer they used at home; I went over to help. Once the documents were printed out, they thanked me and left with the airlines website still logged in. That day I left after logging out of the other persons account with the file structure of the computer. Computers had more programs installed on the machine than needed and included a program that had unique registration keys for all software installed on the machine.

Towards the beginning of my project I became curious about how much access the software vendor had. I decided to use social engineering and give them a call. The intent of this call was not to deceive, it was to confirm remote access to computers. I called a number that is displayed on the computer upon restarting. Helpdesk answered and I acted as an end-user at a business center. I gave the agent a city and their response gave me the information I was after, “I can see multiple hotels in the area, where are you located?” This meant that they had access to view any information of a computer that has their software. I gave a specific hotel location that I had visited before in that city. They responded by connecting to the machine and moving the mouse. Remote access capability to machines was confirmed, and I hung up. Throughout the call the agent did not ask for any identifying information and just connected to the machine.

Doing this for two years was exciting. I always looked forward to learning something new because everything is inconsistent. When I finish explaining my project to people, they often say I should present this information to the hotel companies or present to an industry forum, I reply that will be the next step. I have tried to reach out but have not had much luck continuing contact. While I have gotten used to seeing this information, PII is still on the line and no one wants to have his or her identity stolen.

P.S. next time you want to edit your entire tax history do not use a business center computer. Do not access any information that can be used to figure out your identity. It is not your computer at home, do not treat it like it is. Log out of your accounts.

References:

https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-craig.pdf

https://www.defcon.org/images/defcon-19/dc-19-presentations/Craig/DEFCON-19-Craig-Internet-Kiosk-Terminals.pdf

https://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/