Hilton Hotel

Social Engineering: Penetration testing hotels


At the last TechEd Africa, Microsoft put all the speakers up in The Hilton in Durban. It was around 4AM (a few hours before the closing keynote), and @rmaclean, some other speakers, and I decided to see how hard it would be to get into someone’s room.

We came up with the following routine: One person pretends to be almost blackout drunk, and then another sober person helps them to the front desk. The sober person explains that they are trying to get this drunk friend back to the drunk friend’s room, but they don’t have the key.

You see, our theory here is that they would usually ask for ID etc. but in this case the person is so “drunk” that they can’t answer questions – and certainly wouldn’t be able to find their ID.

The person behind the desk is then left with either giving a new key, or leaving the poor drunk person passed out in reception.

So, first we did this to break into @rudigrobler’s room (around 4AM). Then we went right back downstairs and did it successfully again to get a keycard to @drusdev’s room. Dave (working for MS) was giving the closing keynote, so we rushed in shouting “you’re late for the keynote”. He wasn’t impressed.

Now fast forward to two nights ago and @rmaclean, some other speakers, and I are in the Protea Hotel (a big hotel chain), near Vodacom World after DevConf ended.

We tried exactly the same thing. And once again, it worked.

So basically, if you’re staying in a hotel, lock the inner lock or latch (if the door has one) while you’re in the room.

And I guess just don’t leave valuables or your detailed assassination plans in the room while you’re not there.
