Security researcher fined for hacking hotel Wi-Fi and putting passwords on the internet

Tencent security researcher hacks hotel without authorization and publishes a blog post about it containing unredacted information.
Written by Catalin Cimpanu, Contributor

Singapore authorities have fined a Chinese security researcher SGD$5,000 (USD$3,600) for hacking into a local hotel's Wi-Fi system without authorization and then publishing a blog post about it, revealing passwords for the hotel's internal network.

The incident took place at the end of August this year, when Zheng Dutao, 23, of China, visited Singapore to attend the Hack In The Box conference that took place in the city.

Zheng took it upon himself, without asking for permission first, to hack into the Wi-Fi network of a Fragrance Hotel branch, where he checked in for the conference's duration.

The researcher, who works for Chinese internet giant Tencent, hacked into the hotel's internet gateway system, an AntLabs IG3100 device that controls access to the Wi-Fi network for staff and guests alike.

He discovered that the device was using a factory default Telnet password, which he used to gain access to a limited shell on the device.

From here, he used various scripts and exploits to elevate his access and eventually discovered the password for a MySQL database that contained information on the hotel's internal Wi-Fi network.

The researcher didn't report the security issues to the hotel but instead wrote a blog post about his findings, which he later shared online. Zheng did not do any damage to the hotel's Wi-Fi systems, but he also took no precautions to redact sensitive information from his blog, revealing the hotel's Telnet and MySQL passwords and other details that hackers could have exploited in a more serious attack on the hotel's network.

The Cyber Security Agency of Singapore (CSA) discovered Zheng's blog days later, warned the hotel, and took the researcher into custody.

According to Chinese news outlets [1, 2, 3], Singaporean authorities fined the researcher on Monday, following an investigation. Zheng is now free to return home.

If the court hadn't concluded he hacked the hotel as a hobby and with no criminal intent in mind, Zheng would have faced a much harsher penalty that could have landed him in prison for up to ten years.

Last week, in a similar hotel hacking incident, Chinese police arrested a hacker who was selling data from one of China's largest hotel chains on the dark web. In that incident, the suspect didn't appear to have hacked the hotel, but merely found the data on GitHub after a hotel software developer accidentally uploaded it online.

UPDATE: We have removed the link to Zheng's blog post to prevent abuse of similar AntLabs equipment.
