Android Kiosk Tablet Flaw Let Hackers Control AC and Lights

Home/Android malware, Internet Security, malicious cyber actors, Mobile Security, Security Advisory, Security Update/Android Kiosk Tablet Flaw Let Hackers Control AC and Lights

Android Kiosk Tablet Flaw Let Hackers Control AC and Lights

A flaw in Android kiosk tablets at luxury hotels let attackers remotely control room functions, risking guest privacy and security, according to LAC Co., Ltd. researchers.

Common in upscale hotels, these devices control amenities like AC, lighting, and room service.

Vulnerabilities in Android Kiosk Mode Tablets

USB Debugging Exploitation
Researchers found that USB debugging was enabled under certain conditions. By rebooting the tablet and connecting it via USB, they bypassed security settings, gaining access to sensitive data. This allowed attackers to install malware or use cameras and microphones for eavesdropping.

Temporary Settings Change on Reboot
During the brief moment between the Android system starting and the kiosk app loading, attackers could access system settings, enable debugging, or adjust critical options.

Safe Mode Exploit
Booting the tablet in Safe Mode disabled the kiosk app, exposing the home screen. This allowed attackers to navigate the device, change settings, and exploit its features freely.

Potential for Root Access
Attackers could unlock the bootloader, surprisingly permitted on these tablets, to gain root access. This allowed full device control, installation of spyware, and deeper system compromise.

Network-Based Attacks
Guest room tablets connected to a central server for controlling lighting and AC. Researchers discovered weak authentication between the tablets and server. Attackers could impersonate another room’s device by altering network request parameters, taking control of amenities or intercepting chat messages with the concierge.

Weak Wi-Fi Security
The tablets used a hidden Wi-Fi network secured only by a passphrase stored in the app code. Once cracked, attackers could access the network, exposing multiple rooms to potential attacks.

The investigation revealed widespread vulnerabilities in kiosk systems across hotels nationwide, showing a systemic flaw in Android tablet security.

Consequences of these flaws:

  • Remote Control: Attackers could control room amenities like AC, lights, and service requests.
  • Privacy Breach: Access to cameras, microphones, or chat logs.
  • Reputation Damage: Hotels risk backlash for compromising guest safety.

The flaws were reported to affected hotels and developers via the Information-technology Promotion Agency (IPA).

All known issues have been patched, and systems updated. Recommended fixes for developers:

  • Disable USB Debugging: Only enable it during authorized maintenance.
  • Restrict System Access: Make the kiosk app the default launcher to prevent changes during reboot.
  • Enhance Network Security: Use WPA Enterprise and client certificates for Wi-Fi.
  • Implement Server-Side Authentication: Use unique credentials for each tablet to prevent unauthorized access.
  • Obfuscate App Code: Use encryption and security practices to protect the code.

This highlights the need for strong security in IoT devices, especially in sensitive settings like hotels.

Developers should account for potential security risks, while hotels must prioritize guest safety through rigorous testing of third-party systems.

The Android kiosk tablet flaws show the balance between convenience and security. Securing these devices must be a top priority for both developers and hoteliers.

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!