While attending a cybersecurity conference in Singapore, a Chinese citizen decided to hack his hotel’s WiFi
Zheng Dutao, a 23-year-old security engineer from the Chinese internet company Tencent Holdings, was curious to find vulnerabilities in the WiFi server at a branch of the Fragrance Hotel in Singapore. According to specialists in Ethical hacking, Zheng successfully hacked the hotel server and wrote an article on his blog about the incident, a publication in which he revealed the passwords of the hotel administrator’s server. This blog ended up attracting the attention of the Singapore Cybersecurity Agency (CSA).
Zheng arrived in Singapore last month to participate in a “Capture the flag” competition, conducted along with a cybersecurity and ethical hacking conference at the Intercontinental Hotel. The competition was attended by hundreds of cybersecurity specialists facing different hacking tests.
Zheng checked into the Fragrance Hotel on August 27th. One day later, he began to wonder about possible vulnerabilities in the hotel’s WiFi server. He successfully searched the default User ID and password of the hotel’s WiFi system through Google.
After connecting to the hotel’s WiFi gateway, Zheng executed scripts, decrypted files and broken passwords within the next three days before accessing the hotel’s WiFi server database. The hotel server had a vulnerability that Zheng exploded to gain access, also tried to access the WiFi server from the Fragrance branch in the neighborhood known as Little India, but failed. The engineer documented his finding on his personal blog.
“By disclosing this information, Zheng knew that the vulnerability in the hotel’s WiFi server was likely to be exploited by others for illicit purposes, which could cause losses for the organization”, said the city attorney. Zheng had been posting on his blog about server vulnerabilities since 2014, the prosecution said, although this incident is the first time he discovers a vulnerability by himself.
The CSA found its blog and alerted the hotel managers. Zheng eliminated the blog post after he was asked to do so. The company’s IT vice president presented a police report for hacking against Fragrance Hotel.
According to specialists in ethical hacking from the International Institute of Cyber Security, the defense alleged that Zheng appeared to have committed the offense because of curiosity and that no tangible damage had been caused. However, the authorities discovered that the publication was retaken by different forums.
According to the prosecution, since other hotels use the same server model, Zheng’s actions could have led other hotels to be victims of cyberattacks thanks to Zheng’s posts.
For the offense of revealing the hotel passwords without authorization, Zheng could have been imprisoned for up to three years and received a fine of up to $10k USD, although the defense expects him to pay only $5k USD, as he has already spent a few days in jail.