A security engineer from Chinese multinational company Tencent hacked into the WiFi system of a hotel in Singapore and received a fine for publicly disclosing administrator login passwords.

Zheng Dutao participated in the capture-the-flag competition during the Hack In The Box security conference in Singapore at the end of August and decided to test the WiFi defenses of the Fragrance Hotel he checked into.

Telnet and FTP backdoor accounts

The researcher found that the hotel's WiFi used the AntLabs IG3100 gateway for authentication. Googling for details, Dutao learned that the device had backdoor accounts for telnet and FTP connections and the default login credentials were publicly available.

Once on the local network, the researcher had access to a limited shell that still let him poke around and find a server running an old installation of MySQL 4.1.2.

In a technical blog post, Dutao explained how he managed to get out of the limited shell and access the MySQL database (the password was stored in the /etc directory).

Although the original account of the hack has been deleted at the request of the authorities in Singapore, multiple copies of the technical details are still available online.

The password for the gateway's administrator account was present in the MySQL database, giving Dutao complete control over the device.

By assuming the position of the administrator, he could see how many devices were connected, the number of logged-in clients, and the system CPU and memory usage.

An attacker with this level of access could intercept the traffic from the clients or modify it to point customers to phishing pages or malware locations.

For his complete disclosure of the vulnerabilities and the method to exploit them, Dutao was fined SGD 5,000 (about 3,600).

Dutao's blog post grew in popularity to the point that the Cyber Security Agency of Singapore (CSA) noticed it and decided to take action against the security researcher.

The security expert pleaded guilty to one count of disclosing a password that offered access to unauthorized individuals.

For his offense, the researcher could have received up to three years in jail and a SGD 10,000 fine.