While attending a cybersecurity conference in Singapore, a Chinese national decided to hack into the WiFi of the hotel he was staying in.
Zheng Dutao, a 23-year-old security engineer with Chinese internet giant Tencent Holdings, was curious to find any vulnerabilities in the WiFi server of a Fragrance Hotel branch.
Zheng successfully hacked into the server and blogged about it in a post titled “Exploit Singapore Hotels”, in which he published the hotel administrator’s server passwords. The blogpost caught the attention of the Cyber Security Agency of Singapore (CSA).
On Monday (24 September), Zheng was fined $5,000 in the State Courts for the offence. He pleaded guilty to one count of intentionally disclosing a password providing unauthorised access to data belonging to Fragrance Hotel. One similar count was taken into consideration for his sentencing.
Zheng arrived in Singapore last month to participate in a “Capture the Flag” competition, which was held in conjunction with a cybersecurity conference at InterContinental Hotel. The competition pitted security experts who were involved in hacking and counter-hacking.
Zheng checked into Fragrance Hotel at Bugis on 27 August. A day later, he became curious about the possible vulnerabilities in the hotel’s WiFi server. He successfully searched for the hotel WiFi system’s default User ID and password via Google.
After connecting to the WiFi gateway of the hotel, Zheng executed scripts, decrypted files, and cracked passwords over the next three days before gaining access to the database of the hotel’s WiFi server.
The hotel server model had a vulnerability which Zheng exploited to gain access to the server. He also tried to access the WiFi server of Fragrance Hotel’s Little India branch but failed.
Zheng documented his hacking steps on his personal blog. He published the administrator passwords of Fragrance Hotel’s WiFi server in his blogpost and also shared the URL link of his blogpost in a WhatsApp group chat.
“By disclosing these access codes, (Zheng) knew that it was likely that the vulnerability in Fragrance Hotel’s WiFi server would be exploited by others for wrongful purposes, potentially causing losses to the hotel chain,” said the Deputy Public Prosecutor (DPP) Thiagesh Sukumaran.
Zheng had been blogging about server vulnerabilities since 2014, said the prosecution. The incident was the first time he posted about a vulnerability that he discovered himself.
The CSA came across his blog and alerted Fragrance Hotel’s management. Zheng took the blogpost down after he was asked to. The vice president for IT of Fragrance Hotel lodged a police report on 1 September about the hacking.
The prosecution asked for a fine of $5,000, stating that Zheng had appeared to commit the offence out of curiosity and that no “tangible harm” was caused. But the DPP noted the blogpost was shared on more than one forum.
“As a security professional, Zheng would have known that by publicising the administrator passwords on his blog, the potential for the passwords to be used by nefarious elements was high,” said the DPP.
According to the prosecution, as other hotels used the same server model, Zheng’s actions could have led to other hotels being victims of cyber attacks with hackers gaining access to information of hotel guests.
The sentence served to deter foreigners from accessing Singapore systems without authorisation, added the DPP.
Zheng’s lawyer, Anand Nalachandran, pointed out that although there Zheng’s actions caused a heightened risk, no actual harm was caused to the hotel. As Zheng had already spent a few days in custody, the lawyer asked for a fine of not more than $5,000.
For the offence of disclosing the password without authority, Zheng could have been jailed up to three years and fined a maximum $10,000.
Other Singapore stories: