Darkhotel – Security concern or hyperbole?

What is Darkhotel?

Darkhotel is the name given by security experts Kaspersky Lab to the latest in a series of high profile Advanced Persistent Threat (APT) malware. The unusual feature of this APT is that it appears to target senior business executives whilst they are staying in hotels.

The Kaspersky researchers first became aware of the hotel attacks in January 2014 when they received automated system reports indicating a cluster of customer infections. They traced the infections to the networks of a couple of hotels in Asia.

Although Kaspersky has christened it “Darkhotel”, others know the malware as Tapoux, Pioneer or Nemin. Similar attacks were first seen in 2007 and the FBI even issued a warning about it in May 2012.

How does it work?

The Kaspersky Lab team believes that what happens is along the following lines:

  • The Darkhotel threat actor compromises selected luxury hotels
  • They target specific business executives who intend to stay in one of these hotels
  • After check-in the business traveller attempts to use the WiFi
  • They confirm their right to use the WiFi using last name and room number – thus confirming whether they are a target
  • The attackers offer an update for a legitimate software package
  • The package is actually an installer for a backdoor into the business executives laptop
  • The attackers then use a set of tools to obtain data, cached passwords, log in credentials and other private information

In what way is this attack targeted?

The report states that Darkhotel appeared to target particular business executives. This view is given further weight by the confirmation that about 90% of the infections are located in Japan, Taiwan, China, Russia and South Korea.

It is also interesting to note that Darkhotel appeared to target people working in the following industries:

  • Very large electronics manufacturing
  • Investment capital and private equity
  • Pharmaceuticals
  • Cosmetics and chemicals manufacturing offshoring and sales
  • Automotive manufacturer offshoring services
  • Automotive assembly, distribution, sales, and services
  • Defense industrial base
  • Law enforcement and military services

The report states that one of the interesting aspects of the delivery mechanism is that hotels in question required all guests to use their last name and room number when authenticating yet only very few guests received the Darkhotel package.

Indeed when Kaspersky Lab employees visited the hotel with “honeypot” machines, they didn’t attract a Darkhotel attack.

The report confirms the very specific and targeted nature of the APT attack when it states

“In this case, the Darkhotel attackers wait for their victim to connect to the Internet over the hotel Wi-Fi or the cable in their room. There is a very strong likelihood the targets will connect over these resources, and the attackers rely on that likelihood, much like at a watering hole. But the attackers also maintain truly precise targeting information over the victim’s visit, much like they would know a victim’s e-mail address and content interests in a spearphishing attack. While setting up the attack, the Darkhotel attackers knew the target’s expected arrival and departure times, room number, and full name, among other data. This data enables the attackers to present the malicious iframe precisely to that individual target. So, here we have yet another unique characteristic of this attacker—they employ a loosely certain but highly precise offensive approach.”

Evidence has shown that the software components of the attack are meticulously removed. This makes tracking the attacker significantly more challenging.

How does this fit with real life WiFi provision in hotels

As noted above, the Kaspersky Lab report states that particular individuals are targeted in advance.   Many of the subsequent new items about this threat and the Kaspersky Lab report have gone on to talk about the hotel network when referring to the hotel’s WiFi network.

However, whilst this is understandable shorthand, it conceals the true nature of WiFi provision in international hotels in that only very few international chains manage their own network. In most cases a third party service provider manages the WiFi network on behalf of the hotel. It is worth noting that although only a proportion of hotel service providers use name / room number authentication, it is common amongst international chains as a way of ensuring that only their guests receive WiFi access from that hotel.

Typically the hotel provider’s network only becomes aware of a particular guest on check-in and there would be no advance warning of this within the system. For many executives the time between check-in and using the WiFi would be very short.

This means that if Darkhotel is to target a particular guest in advance, then either

  • access would be needed to both the Hotel reservation system and the provider’s WiFi network; or
  • the provider’s network would need to be being scanned for new potentially “interesting” targets on an almost permanent basis with the decision to deploy being made in less than five minutes.

The comment within the Kaspersky Lab report that the Darkhotel attackers “knew the target’s expected arrival and departure times” imply that access to the hotel’s reservation system, whether via a system hack or through human interaction, was possible.

Is the risk real?

Kaspersky Lab has identified over 3,000 Darkhotel attacks so it is definitely a real threat for some people. However, the acknowledged targeted nature of the threat also makes it clear that the risk does not apply to all people equally. Additionally, Kaspersky Lab states that fewer than a dozen hotels have been the site of an attack so far.

It seems that for select individuals it is a clear concern but it is not something that should drive the global business travelling community to paranoid reactions. Clearly good practice measures such as not downloading software on public WiFi measures and updating security software before travelling still apply.

What should a hotel do?

To a large extent hotels shouldn’t do anything special as a result of the information now available on Darkhotel since good practice would imply that they were already undertaking most if not all of what I am about to recommend. However, in the event that hotels have not been taking any security steps prior to this point, this should provide the spur to immediate action.

Firstly and as Kevin Mitnick, once described as the world’s most wanted hacker, clearly explains in his book “The Art Of Deception“ the importance of social engineering (i.e. obtaining confidential information or access through talking with people) is often overlooked as part of a security review despite being the easiest and most common way to compromise security. Hoteliers should continually emphasise the importance of friendly vigilance to all their staff.

Secondly, since two different systems appear to be compromised as part of the Darkhotel attack hoteliers should consider both systems when determining their overall approach. With respect to the hotel’s own systems, it is necessary to undertake both internal and external reviews. Hotels should engage an external security company, since we are naturally blind to holes in networks we have designed, to assess their security measures. This should include penetration testing and confirming that security best practices are followed in areas such as password policies.

Hoteliers should also undertake internal reviews. These should start at a central level with a review standard designs and policies.   From there they can progress to a random audit of both each property and each system implementation at least once every given period of time. Given the risks and concerns highlighted by Darkhotel, particular attention should be paid to security around IP PMS interfaces.

Finally, hoteliers should contact their WiFi provider and ask for their response to the Darkhotel threat with respect to the provider’s own system. I would expect a reputable provider to have an external security assessment of their system every two to three years with regular internal audits in the intervening period. These internal audits should follow up on any areas of potential weakness highlighted in the external review. However, given that many, if not all, of the major international WiFi providers have undertaken a significant product redesign in the last 18 months or so it is important to ensure that the external security audit is on the same system which is installed in your hotel!

Darkhotel may be a blessing in disguise for most hoteliers and business travellers. The select and targeted nature of the attacks mean that not many business executives or hotels will have suffered from them directly but the attention they have brought to various risks may lead to a more secure future for the industry.