> I decided to write another Python script to save the packet data with offsets. This way it would save the file test1 skipping 1 byte from the packet, test2 skipping 2 bytes and so on.
There is a useful tool called ‘binwalk’ that goes through a binary offset by offset looking for signatures like this. Don’t know if it would’ve worked here, but it’s pretty awesome for finding various data formats hidden in files, and was originally made for analyzing firmware files.
The assumption is that the packet is something like header + file (I don't know if header is the right terminology). You don't know how many bytes the header is, so you increment the header length until the remaining bytes are recognized as a file.
AFAIK often the file type signature is in the beginning of the data, however a proprietary elevator music solution could add their custom headers to the beginning of the stream, or, he might have captured data midstream
It's a way to find the start of the file header when you don't know the original offset. You have to have an idea about the target header format, and in this article the author was looking for an audio stream because each packet ended with LAME3.91UUUUUUU which is an mp3 audio encoder with a funny acronym. You use n+1 so each at each packet you're looking at a different part of the packet.
The idea is that the file within the byte stream does not have a clear start marker (due to the unknown length of the customer headers), so you bruteforce trying to find the file.
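Added example, not code from the thread or from the article it discusses: a Python version of the "skip n bytes and see if what remains parses" search described in the comments above. Instead of writing test1, test2, ... and opening each by hand, it validates an MPEG-1 Layer III frame header at every offset and only accepts an offset when the next header chains from it at `offset + frame_length`, which filters out stray 0xFF bytes inside a vendor header. The 17-byte vendor header, the sample frames and all function names are constructed for this example.

```python
# Added example (not from the thread): brute-force the start of MP3 audio
# inside a packet that carries an unknown-length proprietary header.
import struct

# MPEG-1 Layer III bitrate table (kbit/s) indexed by the 4-bit bitrate field.
# Index 0 is "free format" and index 15 is invalid; both are rejected below.
MPEG1_L3_BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
# MPEG-1 sample-rate table (Hz) indexed by the 2-bit field; index 3 is reserved.
MPEG1_SAMPLE_RATES = [44100, 48000, 32000, 0]
SAMPLES_PER_FRAME = 1152  # MPEG-1 Layer III


def parse_frame_header(buf, off):
    """Parse a 4-byte MPEG-1 Layer III frame header at buf[off:off+4].

    Returns a dict describing the frame, or None if the bytes there are not a
    plausible header (wrong sync, reserved version/layer, bad bitrate/rate)."""
    if off + 4 > len(buf):
        return None
    hdr = struct.unpack_from(">I", buf, off)[0]
    if (hdr >> 21) & 0x7FF != 0x7FF:      # 11 sync bits must all be set
        return None
    if (hdr >> 19) & 0x3 != 0x3:          # version ID 11 = MPEG-1
        return None
    if (hdr >> 17) & 0x3 != 0x1:          # layer 01 = Layer III
        return None
    bitrate = MPEG1_L3_BITRATES[(hdr >> 12) & 0xF]
    rate = MPEG1_SAMPLE_RATES[(hdr >> 10) & 0x3]
    if bitrate == 0 or rate == 0:
        return None
    padding = (hdr >> 9) & 0x1
    channel_mode = (hdr >> 6) & 0x3       # 3 = single channel (mono)
    frame_len = 144 * bitrate * 1000 // rate + padding
    return {
        "bitrate_kbps": bitrate,
        "sample_rate": rate,
        "mono": channel_mode == 3,
        "frame_len": frame_len,
        "duration_ms": 1000 * SAMPLES_PER_FRAME / rate,
    }


def find_mp3_offset(packet, min_frames=2):
    """Return the smallest offset at which `min_frames` consecutive valid
    frame headers chain together, or -1 if none is found."""
    for off in range(len(packet) - 4):
        pos, ok = off, 0
        while ok < min_frames:
            h = parse_frame_header(packet, pos)
            if h is None:
                break
            ok += 1
            pos += h["frame_len"]
        if ok == min_frames:
            return off
    return -1


def strip_headers(packets, min_frames=2):
    """Concatenate the audio from a list of packets, dropping whatever
    proprietary header precedes the first frame in each one."""
    out = bytearray()
    for p in packets:
        off = find_mp3_offset(p, min_frames)
        if off >= 0:
            out += p[off:]
    return bytes(out)


# Constructed sample packet: a made-up 17-byte vendor header, then two
# 192 kbit/s / 44.1 kHz stereo frames (header 0xFF 0xFB 0xB0 0x00, which gives
# a 626-byte frame), then the LAME tag the thread mentions at the packet tail.
FRAME = b"\xff\xfb\xb0\x00" + b"\x00" * (626 - 4)
SAMPLE_PACKET = b"ELEVATOR-MUSIC-V1" + FRAME + FRAME + b"LAME3.91UUUUUUU"

if __name__ == "__main__":
    off = find_mp3_offset(SAMPLE_PACKET)
    print("audio starts at offset", off, parse_frame_header(SAMPLE_PACKET, off))
```

Running it on the constructed packet reports offset 17, i.e. the length of the vendor header. With `min_frames=1` a lone 0xFF 0xFB pair inside a header would be accepted as audio, which is why the chain check is the default.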
There is something missing from the English article, which is a shame. In the French article [1], he talks about another story at the end that implies lights.
He was able to control lights from all the bedrooms in another hotel by putting his laptop between the tablets controlling the lights and the ethernet cables. Funny story: the IP addresses were assigned based on the bedroom number, e.g. bedroom 714 had an IP of 172.16.207.14.
Edit: my bad, the second story was included in the French article but was written by another person, Matthew Garrett. Here is the story in English: https://mjg59.dreamwidth.org/40505.html
Assigning IPs based on room number seems quite practical.
I noticed something quite similar at my old residential block, where wifi was provided building wide. When you connected to the (open) WiFi network you were in a VLAN with all other unauthenticated devices. Attempts to access the internet directed you to a captive portal. After signing in (it was over HTTPS) you were then punted into your own VLAN, where you could see all your other authenticated devices on layer 2. The system remembered your MAC so you only had to do the captive portal once.
> The system remembered your MAC so you only had to do the captive portal once
Staying in a Marriott in Oklahoma last week and my laptop joined the wifi. Captive portal said "welcome back Adam, click here to connect" WTF? How did they know who I am?
When connecting my phone I got a prompt to enter my room number / name and select higher speeds (which I get free for premium status) and saw the checkbox labeled "remember my device" ah, so, that's how they remembered me.
Did some digging and the last time I was in a Marriott was in 2019 (Thanks Pandemic!). In Tel-Aviv. Equal parts creepy and impressive and slick.
We had something similar in one place I lived, sans VLANs I think, but not sure if it makes any diff?
With wireshark you could figure out the MACs available on the network and use the sign-in of someone else when they were not online by using their MAC address.
It's not actually missing from the English article. The French translation just combined two hotel-related articles into one, the light story is from another author.
I did this when we set up a VPN for our chain of retail stores: store 312 got 10.X.3.12, for example. Extremely handy for status checks since everyone in the company (including local managers) referred to stores by number.
This seems like someone configured multicast (smart!) in the hotel but did not use multicast-aware switches or did not turn on IGMP snooping. So the switches retrieved the package, did not know it was multicast and delivered it as broadcast to all connected endpoints.
> By default, a network switch which is not configured to use IGMP will forward Multicast traffic to all switchports on the switch. Devices will be responsible for filtering out the traffic that they do not want to receive.
IP multicast only works over the broadcast domain, so VLANing off the speakers would work. You’d need multicast routing enabled on your routers to move multicast traffic between VLANs.
IP multicast routing and internetworking is a thing. There used to be working one to many internet TV based on multicast in the 90s (was called Mbone). There's contemporary experimental use of routed multicast on public internets too (see eg https://meetings.internet2.edu/2019-technology-exchange/deta...)
edit: seems the IETF are currently in process of deprecating any-source multicast and recommending people focus on keeping single-source multicast working well in as many networks as possible: https://datatracker.ietf.org/doc/rfc8815/
I was on the local MBone segment at the NASA base (though a Navy installation) I worked at in the late 90s. It pretty much worked like you would expect, some interesting things that happened:
- Multicast frames caused our FDDI switches to reboot, had to filter everywhere those were used
- When setting up our local CoffeeCam, we used Multicast video stream -- this would have been accessible from anywhere (which would cause a security incident, no one can know when the Rear Admiral drinks coffee) so we were careful to monitor outbound advertisements and used a low TTL
- SDR, VIC, VAT, RAT, and all those other tools for doing multicast stuff worked but were very clunky
- NASA TV was broadcast over the MBone and times they would go to break in other broadcasts were continued to stream, I think various cameras were available
True, but it would be difficult for a random device to discover the group in the first place if they aren't being forwarded the packets.
But really, this would just add one more layer of complication that doesn't buy you anything. It's not like this is security data. This is the kind of application where keeping it simple can help the reliability.
Agreed...It's also wonderful to consider possible alternative outcomes: A free self-care hypnosis stream for hackers, a long outdated corporate announcement stream from the 1980s that's been continuously upgraded over the years by amused IT consultants, a forgotten stream from an open mic in the conference room, or maybe even an image data stream from a webcam on the roof...
I once stayed in an Airbnb 'hotel' (an entire building run as a self-service hotel in a downtown of a major city). Doing similar casual tinkering, I found the entire building's security system (keycards, external doors, access logs) on the guest wifi network, behind default passwords. I left a note in Airbnb to the hosts, but never heard back from them.
Some people truly live by the "I did nothing wrong, so I have nothing to hide" philosophy, and the same think that their guests also don't have anything to hide, and if they do? Maybe other people should see it, so there you go.
I've seen this before where the building is only on AirBnB because it's zoned residential. I once stayed at an AirBnB where the little welcome binder you got when you got to the room included instructions on what to do if the cops knock on the door and start asking questions.
It's one of the caveats of bargain hunting. Sometimes you end up in sketchy situations.
Oh, I stayed in one in Xiamen like that. AirBnB did not make it clear on their website that in Xiamen AirBnBs are illegal (in some cities in China they are legal and have a deal to do hotel registration with the police for you). We arrived to a pile of notices on the door "This is an illegal hotel, etc etc". Not super fun.
I had a long stay in a hotel in Europe one time. One day, the TV turned itself on and started playing a French music video. The TV was apparently connected to Wi-Fi and had some sort of Chromecast feature built-in, so anyone could play content to any room. Unfortunately all the settings were locked so I couldn't disable it, and had to keep it unplugged.
This was when I discovered Samsung TVs have a menu option to scan for viruses, which I still think is hilarious.
In 2002 I stayed in a hotel where the TV turned on whenever I turned on the bathroom lights.
The TV was angled so that its IR sensor was aimed towards the bathroom door. I always assumed that it was just interference from the bathroom lights starting up just happening to make the same IR pattern as the ON button on the remote.
I also had a long stay in a hotel, and I plugged in my own chromecast as what was available on their limited cable selection was...lacking.
After two instances of jokers starting to stream something over it I just left it unplugged when I wasn't using it. My bad for introducing an insecure device onto the hotel wifi rather than setting up my own little network, but I was lazy.
My Apple TV, if you choose to make it available to devices nearby (can be turned off entirely), still requires a random code, which it displays on a connection attempt from an unknown device, to be entered on the connecting device.
It’s come in handy, because our neighbors sometimes accidentally choose our Apple TV instead of theirs apparently. The only thing that happens on our side is that the TV turns on and displays the code, but our neighbors don’t see the code and likely realize their mistake then.
I wonder if it would be possible to multicast our own stream and get it played on the elevators. The malicious prankster in me thinks something along the lines of faked radio crosstalk where the other side is in the middle of a disaster. E.g. "This is $NAME of $MILITARY_RANK. The date is April 5, 2021. We have survived the April 4 nuclear attack at $CITY. Is anyone else out there?"
Excellent rundown of how to tinker with data, and great writing. If you have time please write more articles like that because they're very accessible to noobs like me, and allow me to follow along while experimenting on my machine.
> What the hell? I can’t believe I spent time for this. It’s just elevator music. It is played in the hotel corridors around the elevators. Oh well, at least I can listen to it from my room now.
Recently we had a team building event in a local resort. While waiting for a wine tour, my manager scanned the opened wifi of the winery/hotel from his phone. It turned out that there was a Xiaomi tv in the wifi. We talked about streaming something nsfw there, but we decided that it would be unethical.
If it was in the resort's business center they may have left it intentionally open so that presenters can push their slides to the TV. Streaming NSFW content to it is going to be a quick way to cause inconvenience for everyone.
I don't think that it was the case. There were some other devices and the wifi name wasn't conference room or anything like that. It just looked like a sloppy setup with no password or whatsoever. Keep in mind that we weren't even in the lobby but we were social distancing on the lawn outside.
Elevator music is generally played under a license that allows for public performance (fun trivia: it's a copyright violation for businesses to play the radio in public spaces in the US which is why they pay for elevator music services). I imagine the case here lives on the edge of the license agreement, but presumably it's the music provider's software/hardware that's doing the broadcast and they would either look the other way at what the OP did (perhaps feeling that an unofficial device listening in is within the scope of the license) or, depending on local copyright laws, might file an infringement claim. Most likely, a single case like this would not be worth their effort to do more than send a sternly-worded email/letter, but if, say, someone published a tool to allow downloading the music for offline play, legal action would almost certainly be invoked.
Multicast is used in this scenario because it is cheaper than establishing a TCP connection to 100 devices just to transfer the same packets to each of them separately.
By using multicast, the device playing the music can simply subscribe to the transmission and passively listen in.
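Added example, not code from the thread: what "subscribing to the transmission" looks like from a receiver, and what that subscription emits on the wire. Joining a group with `IP_ADD_MEMBERSHIP` makes the kernel send an IGMPv2 membership report (RFC 2236); a switch with IGMP snooping learns from those reports which ports want the group, and without snooping, as the earlier comment on IGMP notes, the stream is flooded to every port whether or not anyone joined. The group address, the listener's `expected_source` filter and all function names are constructed for this example.

```python
# Added example (not from the thread): building/parsing the IGMPv2 report a
# multicast join produces, plus a receiver that joins a group and (optionally)
# drops datagrams from any source other than the expected one.
import socket
import struct

IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_V2_LEAVE_GROUP = 0x17


def inet_checksum(data):
    """RFC 1071 one's-complement checksum, as used by IGMP, IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2_report(group, msg_type=IGMP_V2_MEMBERSHIP_REPORT):
    """The 8-byte IGMPv2 message a host sends when it joins (or leaves) a group:
    type, max response time (0 for reports), checksum, group address."""
    addr = socket.inet_aton(group)
    body = struct.pack("!BBH4s", msg_type, 0, 0, addr)
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(body), addr)


def parse_igmpv2(msg):
    """Parse an IGMPv2 message into (type, group); raise if the checksum is bad.
    A valid message checksums to zero when the checksum field is included."""
    if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
        raise ValueError("bad IGMP length or checksum")
    msg_type, _max_resp, _csum, addr = struct.unpack("!BBH4s", msg[:8])
    return msg_type, socket.inet_ntoa(addr)


def membership_request(group, iface="0.0.0.0"):
    """The ip_mreq struct handed to IP_ADD_MEMBERSHIP (group, local interface)."""
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))


def open_multicast_listener(group, port, expected_source=None, timeout=5.0):
    """Join `group` on `port` and yield each datagram payload.

    `expected_source` is a hypothetical defensive filter: when set, datagrams
    from any other sender are discarded, so a second host transmitting on the
    same group/port cannot interleave its own frames into what we play."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, membership_request(group))
    sock.settimeout(timeout)
    try:
        while True:
            data, (src, _sport) = sock.recvfrom(2048)
            if expected_source and src != expected_source:
                continue
            yield data
    finally:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_DROP_MEMBERSHIP, membership_request(group))
        sock.close()


if __name__ == "__main__":
    report = build_igmpv2_report("239.255.0.1")   # constructed group address
    print(report.hex(), parse_igmpv2(report))
```

The listener is a generator, so a caller can wrap it in `for payload in open_multicast_listener("239.255.0.1", 5004, expected_source="10.0.0.5")` and feed each payload to the frame parser; the leave message on exit is what lets a snooping switch stop forwarding the group to that port.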
For sure, but the hotel's systems should be separated from the guest network. That's a yikes and a half; I wonder what else is out there for someone willing to do a little probing.
I built a system once that used a bunch of inexpensive SBCs. Due to their physical location being close to users who could easily physically tamper with them, I placed them on my client network and treated them just like regular clients rather than putting them on a more trusted network. I'm not going to put a $50 IOT device on a subnet next to $10,000 servers. If you only have a handful of devices maintaining them is easier by throwing them in the least trusted tier and applying standard user monitoring rather than trying to micro manage them. The data they're dealing with is inconsequential to the operation of the business.
By the way I'm not talking about Chinese IOT devices with default root passwords and ssh enabled. I'm talking headless Windows clients.
Reminds me I did a similar thing on virgin trains in the UK once. I found a host visible on the customer wifi that streamed location data using NMEA protocol over tcp, which I guess was used for hardware showing live location somewhere on the train.
He had discovered the stream in the first place using Wireshark, the python scripts were for extracting the data and trimming off the header on each packet.
What would happen if you sent your own UDP packets on the same port? Could you manipulate the elevator music? Or would it turn into noise as the elevators receive packets from both sources?
Not my space, but googling around a bit on how ADTS works, it can include everything needed to send a "playable" bit of MP3 data in a single frame.
So it seems like if you started sending multicast packets, the sound would be interleaved with the other stream. If you used a lower bitrate (they are using 192kbps) you could have a bigger piece of the playing time slice, since each of your packets would be a longer running snippet. Similarly, going mono vs stereo would extend that more.
Given that it's a hotel, lots of the devices probably have default admin passwords though, so shutting off the other stream is probably not hard :)