Singapore authorities have fined a Chinese security researcher with SGD$5,000 (USD$3,600) for hacking into a local hotel’s WiFi system without authorization and then publishing a blog post about it, revealing passwords for the hotel’s internal network.
The incident took place at the end of August, this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city.
Zheng took it upon himself, without asking for permission first, to hack into the WiFi network of a Fragrance Hotel branch, where he checked in for the conference’s duration.
TechRepublic: HP offers hackers $10,000 to find bugs in its printers
The researcher, who works for Chinese internet giant Tencent, hacked into the hotel’s internet gateway system, an AntLabs IG3100 device that controls access to the WiFi network for staff and guests alike.
He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device.
From here, he used various scripts and exploits to elevate his access and eventually discovered the password for a MySQL database that contained information on the hotel’s internal WiFi network.
The researcher didn’t report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online. Zheng did not do any damage to the hotel’s WiFi systems but he also did not take any precautions to censor sensitive information from his blog, revealing the hotel’s Telnet and MySQL passwords and other details that hackers could have exploited against a more serious attack on the hotel’s network.
The Cyber Security Agency of Singapore (CSA) discovered Zheng’s blog days later, warned the hotel, and took the researcher into custody.
If the court hadn’t concluded he hacked the hotel as a hobby and with no criminal intent in mind, Zheng would have faced a much harsher penalty that could have landed in him in prison for up to ten years.
Last week, in a similar hotel hacking incident, Chinese police arrested a hacker who was selling data from one of China’s largest hotel chains on the dark web. In that incident, the suspect didn’t appear to have hacked the hotel, but merely found the data on GitHub after a hotel software developer accidentally uploaded it online.