Hacking the Hilton (Spring, 2004)
---------------------------------
By Estragon

Many hotels are offering high-speed Internet access to people who stay there. Mostly this is via Ethernet cables, though some hotels also offer wireless. This article addresses one particular setup that we will probably be seeing a lot more of, which I got to use and experiment with at a Hilton hotel (at the Schiphol airport in Amsterdam, when my flight was canceled and I was forced to stay an extra day).

I think we'll be seeing a lot more of this type of integrated hotel system because it is very sophisticated and capable. It's not clear whether Hilton is using a standard vendor system or has merged several different types of systems, but the outcome is full integration of television (including games and pay per view), TV-based Internet (similar to WebTV), the hotel's information system (TV-based, to check out and see bill status), telephone, and of course high-speed Internet. You can guess which one is of interest to the folks who are reading this: high-speed Internet.

I will give a rundown of the system and some tips on how to get some time on the system without paying for it. The details of the fully integrated system, which Hilton claims it will be rolling out to all hotels in the future, are probably different than most other hotels with high-speed Internet. But the Internet portion is pretty standard, and the workarounds are similar to what I've encountered at some other places.

OK, so here's the drill: You set up your laptop or whatever and plug in the standard Ethernet cable supplied on the hotel room's desk. You might need to reboot or otherwise tweak your system for it to recognize there is a new connection available. In other hotels, what happens next is that you open your Web browser and try to visit a page, and instead are redirected to a Web page by the Internet company (for example, STSN, which is found in many hotels such as the Sheraton chain).
But in the Hilton, once I plugged in, the TV came on and beeped annoyingly (the same beep they use for a wake-up call. It got my attention!). It said that I was trying to access the Internet and to enter a room number or PIN using the TV's remote control. This is actually a good security feature to make sure you didn't somehow get to the patch panel or some other open connection. You can't enter someone else's room number (I tried) because your Cisco unit's address (below) is linked to your room. So you enter your room number.

Next, it steps you through the process of rebooting your computer (obviously, intended for Microsoft users), then says to try to access the Internet.

This is where the free access begins. At this point your computer is (hopefully) connected and has received its IP address via DHCP. However, you did not yet confirm with the TV that you're accessing the Internet and have not loaded any Web pages. The trick is that standard ports other than 80 are now open. I was able to ssh (port 22) to another computer on the Internet with the -X option (to tunnel X Window connections). I could then start Mozilla or whatever app remotely and have it show up on my computer in the hotel room. (Of course, you need to login via an xterm or similar and have an X server on your computer.)

Unfortunately this bliss only lasted for ten minutes or so. (You might get a little extra time by using the "Back" on the remote control and otherwise trying to reset any timers that are running.) Eventually the TV beeps again and you're back at step one but your ssh session gets blocked. The good news is you can start over again and get another ten minutes of connectivity. But I was unable to continue my ssh session (even though the DHCP IP address was the same) and needed to reconnect.

Why bother trying to get ten minutes? Well, in this hotel (and probably all those with the same setup) charges for access are by the hour, not the day.
I was paying ten euros per hour (about $12) once I gave up screwing around and tried to get some work done in segments longer than ten minutes, so I appreciated the extra "free" time. I checked the next day and also kept track of my time (the TV beeps after an hour to let you know your time is almost up), and confirmed that the extra 30 minutes or so I got in ten-minute increments were not charged. Later, I saw that for about $40 a day you could get a package with unlimited Internet plus unlimited pay per view movies and other perks. Well, maybe that's worth it if you've got the need and the bucks.

Here's a little more information about the configuration. They are using Cisco 575 LRE Customer Premise Equipment (CPE) units in each hotel room. These were attached to the back of a digital TV and have two network connections, two power connections, and what looks like an active security monitoring device. (So be careful if you try to move it around much.) The Cisco 575 LRE product sheet says it needs to connect to a Catalyst 2900 LRE XL switch, which is probably where the smarts are. The integration with the TV and billing system was not clear, but my guess is that the TV got its commands via the 575. These commands were probably from a separate computer in the building that also was doing the monitoring and billing for pay per view, security, etc.

I did all of the above with my portable Mac running OS X. Unfortunately, I didn't have nscan or other tools to try to probe the network further or sniff the network, and I didn't have enough time to grab them and experiment. Obviously if you could see their server for billing, etc. there would be opportunities to either try to fool the server or get access to it. If Hilton is smart, there would be very limited access from the server to the rest of the hotel infrastructure.
(Otherwise, for example, access to non-critical services like in-room Internet and pay-per-view could yield access to critical services like door key-card encoding.)

In closing, the system I used was definitely very cool, but had an easy and obvious way of bypassing the charging system for some free Internet. Even though it costs a lot of money to stay in a Hilton and pay (by the hour!) for Internet service, my guess is that these types of integrated systems (TV, Internet, games...) will be a lot more common in the future.
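
An added example, not part of the original article: the gap described above (ports other than 80 passing traffic before the session is confirmed on the TV) is the kind of thing a gateway operator can catch by checking forwarded flows against paid sessions. The log format, addresses, allow-list and function names below are constructed for illustration and are not taken from the hotel's system.

```python
"""Flag traffic a walled-garden gateway forwarded for clients with no paid session.

Log format, addresses and the allow-list are constructed for this example.
"""
from collections import defaultdict

PORTAL_IP = "10.0.0.1"            # assumed address of the sign-up/billing portal
# Only what a client needs in order to reach the sign-up page.
PREAUTH_ALLOWED = {("udp", "10.0.0.1", 67),   # DHCP
                   ("udp", "10.0.0.1", 53),   # DNS via the gateway resolver
                   ("tcp", PORTAL_IP, 80)}    # the portal itself

# Constructed sample: <epoch> FLOW <client> <proto> <dst> <port> <bytes>
#                     <epoch> AUTH <client> <seconds purchased>
SAMPLE_LOG = """\
100 FLOW 10.0.3.12 udp 10.0.0.1 67 342
101 FLOW 10.0.3.12 udp 10.0.0.1 53 120
105 FLOW 10.0.3.12 tcp 10.0.0.1 80 5300
110 FLOW 10.0.3.12 tcp 203.0.113.7 22 48211
700 AUTH 10.0.3.12 3600
720 FLOW 10.0.3.12 tcp 203.0.113.7 22 91000
4400 FLOW 10.0.3.12 tcp 198.51.100.9 443 2048
"""

def find_unbilled_flows(log_text):
    """Return (ts, client, proto, dst, port, bytes) for flows outside any paid window."""
    paid_until = defaultdict(int)   # client IP -> epoch second the session expires
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        ts, kind, client = int(fields[0]), fields[1], fields[2]
        if kind == "AUTH":          # billing system confirmed a purchase
            paid_until[client] = ts + int(fields[3])
            continue
        proto, dst, port, nbytes = fields[3], fields[4], int(fields[5]), int(fields[6])
        if ts < paid_until[client]:
            continue                # inside a paid session
        if (proto, dst, port) in PREAUTH_ALLOWED:
            continue                # needed to reach the portal
        leaks.append((ts, client, proto, dst, port, nbytes))
    return leaks

def unbilled_bytes_by_client(log_text):
    """Sum the bytes each client moved outside a paid session."""
    totals = defaultdict(int)
    for _, client, *_rest, nbytes in find_unbilled_flows(log_text):
        totals[client] += nbytes
    return dict(totals)
```

A non-empty result means the gateway is forwarding before authorization or after expiry; the fix is a default-deny rule for unpaid clients with only the allow-listed destinations open.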