Security researcher fined for hacking hotel Wi-Fi and putting passwords on the internet

By Catalin Cimpanu for Zero Day | September 25, 2018 -- 13:08 GMT (06:08 PDT) | Topic: Security

Singapore authorities have fined a Chinese security researcher SGD$5,000 (USD$3,600) for hacking into a local hotel's Wi-Fi system without authorization and then publishing a blog post about it that revealed passwords for the hotel's internal network.

The incident took place at the end of August this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference held in the city.

Zheng took it upon himself, without asking for permission first, to hack into the Wi-Fi network of a Fragrance Hotel branch, where he checked in for the conference's duration.

The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the Wi-Fi network for staff and guests alike.

He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device.

From here, he used various scripts and exploits to elevate his access and eventually discovered the password for a MySQL database that contained information on the hotel's internal Wi-Fi network.

The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online. Zheng did not do any damage to the hotel's Wi-Fi systems, but he also did not take any precautions to censor sensitive information in his blog post, revealing the hotel's Telnet and MySQL passwords and other details that hackers could have exploited in a more serious attack on the hotel's network.

The Cyber Security Agency of Singapore (CSA) discovered Zheng's blog days later, warned the hotel, and took the researcher into custody.

According to Chinese news outlets [1, 2, 3], Singaporean authorities fined the researcher on Monday, following an investigation. Zheng is now free to return home.

If the court hadn't concluded he hacked the hotel as a hobby and with no criminal intent in mind, Zheng would have faced a much harsher penalty that could have landed him in prison for up to ten years.

Last week, in a similar hotel hacking incident, Chinese police arrested a hacker who was selling data from one of China's largest hotel chains on the dark web. In that incident, the suspect didn't appear to have hacked the hotel, but merely found the data on GitHub after a hotel software developer accidentally uploaded it online.
