DEF CON 24 - Weston Hecker - Hacking Hotel Keys and Point of Sale Systems
student0 at April 02, 2017
I thought it was kind of funny how throughout the whole presentation, the presenter said that he had expected a greater challenge, especially in hacking the hotel rooms and gaining access to the enterprise management keys. It is rather negligent of hotels to allow default codes of 00000000 or 99999999 for access to any hotel room. I also thought it was negligent of hotels to use encoding vice encryption, especially as nowadays encryption is an expectation, not a superfluous option. I think in the news recently (and I may be misremembering) a hotel was hacked and guests were actually locked inside their rooms. The uses of hacked hotel keys can be applied for terrorism purposes as well and not only criminal financial gain.
bschmid5 at April 29, 2017
This video was published on August 19, 2016. Weston Hecker discusses hacking hotel keys and point of sale systems. The entire presentation discussed various ways in which hotel property management and point-of-sale systems that use mag stripe readers could be hacked. What I find incredible is the complete and utter disregard of the manufacturers of these systems for basic input validation along with the lax security measures incorporated into their systems. Their system security instead relies on the belief that the vast majority of individuals won’t have the technical means or skills to hack into and exploit their systems. These manufacturers can’t even be bothered to upgrade their systems to the latest version of the Microsoft operating system and continue to run old, outdated OS versions. I once had an opportunity to work with NCR back in the mid 1990s on an Internet terminal kiosk system based on an NCR ATM platform and was completely taken aback at the fact that they used an unsecure version of the Microsoft OS at the time (Windows NT if I recall correctly) to run their ATMs. Apparently, this hasn’t changed with the manufacturers of point-of-sale systems either.
sstumvoll at May 05, 2017
Watching this DEF CON video re-emphasized how vulnerable all of the systems that we rely on in daily life are. His discussion of the magspoofer and credit card skimming, whether it is Point of Sales Service or your hotel key, shows how the bad guy is allowed into your life. He demonstrates how easy it is to hack the property management system (PMS) to get to your folio information to give the bad guy enough information to make money off of you. I found it interesting that getting into your room can be as easy as sitting at the pool while running your tools to pick up the info needed to ride a secured elevator and gain access to your room. I was glad to hear him say at the end of his presentation that the newer mag readers and systems used by POS and hotel management systems that are more up to date are less vulnerable and that to protect oneself (assuming he is meaning the vendor and us) you should update to the most recent mag readers and software.
ftj258 at May 07, 2017
It is ironic that the two most important things that should be most secured are left poorly secured even in this day and age. One is the point of sale records and the other is hotels. Point of sale history involves millions and millions of people's credit card information. Hotels also involve a large amount of people's information. And yet these two systems are the least secured. They are putting not just themselves or the store owner or the hotel owner but all these people using their services at risk. People use much stronger passwords on their iPods, which don't involve this kind of highly sensitive information. I worked in a repair shop that had a point of sale system that would ask the cashier if you want to save the credit card info after each transaction. I was surprised how they allowed that. I don't think it is hard to disable that function. If you are busy and don't pay attention and click yes, then you are saving all the credit card information. It is so easy to take advantage of that it is scary.
pneyzari at May 08, 2017
His presentation is very well done and it's clear he's intelligent and skilled in the topic he is discussing. Some of the issues "bad guys" engage in that he's addressed in this video, such as stealing credit card info, were issues that I've been aware of in the past and more or less how they can be done. However, the discussion of hijacking card keys that give one access to your room of stay more or less is a new discussion for me - one on a different level in the sense that an individual's physical privacy is literally violated in addition to the mere stealing of data on the card itself (even if there's no personal information on them).