While at a hotel in Abu Dhabi (which I won’t be naming) I noticed something rather strange that I haven’t seen in other hotels. It was the phone system (as some of you know, I rather like phone systems). This one allowed me to find out the name and room number of the people staying there without talking to anyone.
First, I had to have access to a phone on the hotel’s phone network. This can be accomplished a number of different ways — from calling in the lobby, or next to the elevators, or even inside your own room. After you have found a phone, the next steps are even easier. Luckily, my friend Justin gave me permission to find his room number. While we were in the elevator, I pressed floor 12 and he selected floor 21. I told him that I now knew his floor, and could easily figure out his room number. He asked me how, and I told him I would call him later to let him know.
The dialing plan for inside the hotel is 8, followed by the room number.
When you placed the call, it would show you the name of the person you were calling, as you can see in the above image. So I called all the numbers 8–2100, 8–2101, 8–2102, 8–2103… 8–2111. Then my friend’s name came up: Justin Justin Mr. (They had incorrectly entered his name.)
This took me seconds (as you can see, the time 5:39PM didn’t change) since as soon as the phone started the call to ring the other room, the name of the person you are calling would come up. Your name will also come up on their phone and it would ring at least once. I tried this a few times (to hang up as fast as possible) but was unable to get the other person’s phone not to ring. Now let’s take a look at room 2108, which might not be a valid room number. In that case the call wouldn’t go through, so you can move on to the next number even faster. If you want to learn more about this phone, take a look at this tutorial. It gives a good overview of the capabilities of the phone.
It should be noted that if two people are staying in a room, the one that has their name first will be listed. Justin Justin had a second person in their room, and I could not find their name using this method.
I was also able to see the history of phone calls from the previous guest. Additionally, I think that the hotel maids might be using the phones to set the status of the room (i.e., clean or ready to be inspected). I can do a write-up on that if there’s interest.
Let’s talk about what I didn’t do. I did not try emulating an Avaya phone on my computer to war dial the hotel and make a directory of the people staying at the hotel. I did not try going through the contacts button. I also didn’t check to see if the default password for the phone was its extension.
So what is going on with this attack? It is basic hand scanning (like war dialing but without a computer). The phone system is doing all the work for you. I could have probably made a directory with first and last names and room numbers in an hour or less. This is a phreaking technique that is very rarely used today but, as you can see, it is still a valid attack.
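From the hotel's side, the pattern described above (a burst of very short, unanswered internal calls to consecutive room extensions) stands out in call records. The following is an added example, not part of the original post or any PBX vendor's tooling; the CSV column layout, the thresholds and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records; the column layout is an assumption, not a real PBX export.
SAMPLE_CDR = """time,caller,dialed,ring_seconds,answered
17:31:10,1507,1509,4,yes
17:39:01,1204,2100,2,no
17:39:06,1204,2101,1,no
17:39:10,1204,2102,2,no
17:39:15,1204,2103,1,no
17:39:19,1204,2104,2,no
17:39:24,1204,2105,1,no
17:39:28,1204,2106,2,no
17:39:33,1204,2107,1,no
17:39:41,1204,2109,2,no
17:44:50,0900,1811,3,no
17:52:12,0900,2304,2,no
"""

def longest_run(numbers, max_gap=2):
    """Longest chain of extensions whose sorted neighbours differ by <= max_gap.
    The gap tolerance covers invalid room numbers, whose calls never go through."""
    best = run = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n - prev <= max_gap else 1
        best = max(best, run)
        prev = n
    return best

def find_hand_scanners(cdr_text, window=timedelta(minutes=5), max_ring=5, min_run=5):
    """Return {caller: run_length} for bursts of short, unanswered, near-sequential calls."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["answered"] == "no" and int(row["ring_seconds"]) <= max_ring:
            when = datetime.strptime(row["time"], "%H:%M:%S")
            calls[row["caller"]].append((when, int(row["dialed"])))
    flagged = {}
    for caller, events in calls.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # slide the window over each call
            in_window = [ext for t, ext in events[i:] if t - start <= window]
            best = max(best, longest_run(in_window))
        if best >= min_run:
            flagged[caller] = best
    return flagged

if __name__ == "__main__":
    print(find_hand_scanners(SAMPLE_CDR))
```

Only the extension that walked through the 21xx block is flagged; the answered call and the two unrelated abandoned calls are ignored.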
One of the ways to prevent this attack is to check into a hotel room under someone else’s name or use a fake name. This was talked about on The Privacy, Security, & OSINT Show — Episode 101. I should note I have not tried what he presents below:
“I stayed in Germany, and stayed in several hotels. All of which asked for my passport. I told them all that I lost my passport and had an appointment with the consulate to get another. I was never challenged, every hotel just requested another ID. I presented my gym ID, and was accepted without additional challenge each time.”
Also if you are going to be staying at a hotel and are wondering if this could happen to you, I recommend using OSINT to see what kinda phones they have. You can use the photos people have taken to see what kind of phone they have inside the room before you check in.
As you can see, the photos of the phone aren’t always the greatest so you might have to check a few sites or go through a lot of images. Personally I like using Google review photos for this. This image shows that it is an older phone so the above information wouldn’t work.
TL;DR: Dial phone numbers from a hotel room phone until the name of the person you are looking for comes up.