A few months ago we were hired to test the newest security features on a chain of very exclusive hotels. These features included their newly custom written software for hotel management, their LAN and WAN and their physical security. We needed to not only bypass the hotel physical security but also see if we could get to a specific room and leave there a note (as requested by the hotel's security officer).
This post is devided in 3 parts. Part 1, this one, is the introduction to the project. Part 2 focuses on the digital aspects of the project and Part 3 will focus on the actual run.
The hotel spent a lot of money on both their digital and physical security defences and it was a very interesting and fun project to work on.
As always, we took time to recon the target, gather both open source and human (social engineer) intelligence and built a detailed map of their digital footprint. Any piece of information we could find was dumped into the map.
After we went to different hotel locations, a pattern began to emerge and we thought we could exploit this. So, we began planning.
The main challenge here was to defeat the lock on the room we needed to access. These were not the typical proximity or magnetic cards locks. The hotel installed a custom made system that was harder to bypass. They only way we thought we could access the room was with a master key, one that maybe a cleaning crew or a bellman would have.
So we focused on this, however as always, we had a 10th man strategy as well and one of the guys on the team focus on the digital side, just in case. We needed to test their network anyway and it was a good Plan B.
While we were trying to get information about the lock in question, Z began working on the digital intrussion. The public facing network seemed to be secure, however nothing is 100% secure. There is always something that the defenders forgot, that's why a red team exercise is always important. Z knows this and he started to look at the problem from a different direction: the partners and service providers for the hotel.
A hotel needs a lot of things to function properly. From food and beberages, to technical services such as plumbing, electricity and communications, to cable/satellite TV services, to countless others. Most of the time these services are provided by 3rd parties and they are a weak link on the overall security. They need network access from the outside for example. The employees of these companies often change and new faces appear all the time, making it easier for a red team to exploit this for social engineeing.