Tencent engineer attending cybersecurity event fined for Fragrance hotel hacking

·Senior Reporter

24 September 2018 at 7:23 am

While attending a cybersecurity conference in Singapore, a Chinese national decided to hack into the WiFi of the hotel he was staying in.

Zheng Dutao, a 23-year-old security engineer with Chinese internet giant Tencent Holdings, was curious to find any vulnerabilities in the WiFi server of a Fragrance Hotel branch.

Zheng successfully hacked into the server and blogged about it in a post titled “Exploit Singapore Hotels”, in which he published the hotel administrator’s server passwords. The blogpost caught the attention of the Cyber Security Agency of Singapore (CSA).

On Monday (24 September), Zheng was fined $5,000 in the State Courts for the offence. He pleaded guilty to one count of intentionally disclosing a password providing unauthorised access to data belonging to Fragrance Hotel. One similar count was taken into consideration for his sentencing.

Zheng arrived in Singapore last month to participate in a “Capture the Flag” competition, which was held in conjunction with a cybersecurity conference at InterContinental Hotel. The competition pitted security experts who were involved in hacking and counter-hacking.

Zheng checked into Fragrance Hotel at Bugis on 27 August. A day later, he became curious about the possible vulnerabilities in the hotel’s WiFi server. He successfully searched for the hotel WiFi system’s default User ID and password via Google.

After connecting to the WiFi gateway of the hotel, Zheng executed scripts, decrypted files, and cracked passwords over the next three days before gaining access to the database of the hotel’s WiFi server.

The hotel server model had a vulnerability which Zheng exploited to gain access to the server. He also tried to access the WiFi server of Fragrance Hotel’s Little India branch but failed.

Zheng documented his hacking steps on his personal blog. He published the administrator passwords of Fragrance Hotel’s WiFi server in his blogpost and also shared the URL link of his blogpost in a WhatsApp group chat.

“By disclosing these access codes, (Zheng) knew that it was likely that the vulnerability in Fragrance Hotel’s WiFi server would be exploited by others for wrongful purposes, potentially causing losses to the hotel chain,” said the Deputy Public Prosecutor (DPP) Thiagesh Sukumaran.

Zheng had been blogging about server vulnerabilities since 2014, said the prosecution. The incident was the first time he posted about a vulnerability that he discovered himself.

The CSA came across his blog and alerted Fragrance Hotel’s management. Zheng took the blogpost down after he was asked to. The vice president for IT of Fragrance Hotel lodged a police report on 1 September about the hacking.

The prosecution asked for a fine of $5,000, stating that Zheng had appeared to commit the offence out of curiosity and that no “tangible harm” was caused. But the DPP noted the blogpost was shared on more than one forum.

“As a security professional, Zheng would have known that by publicising the administrator passwords on his blog, the potential for the passwords to be used by nefarious elements was high,” said the DPP.

According to the prosecution, as other hotels used the same server model, Zheng’s actions could have led to other hotels being victims of cyber attacks with hackers gaining access to information of hotel guests.

The sentence served to deter foreigners from accessing Singapore systems without authorisation, added the DPP.

Zheng’s lawyer, Anand Nalachandran, pointed out that although there Zheng’s actions caused a heightened risk, no actual harm was caused to the hotel. As Zheng had already spent a few days in custody, the lawyer asked for a fine of not more than $5,000.

For the offence of disclosing the password without authority, Zheng could have been jailed up to three years and fined a maximum $10,000.

Other Singapore stories:

Ex-CHC leader Chew Eng Han wanted to leave Singapore as he ‘felt injustice’ for his High Court case.

Man who pulled out clump of policewoman’s hair jailed 4 months

Ministers should accept pay sacrifice as job is ‘form of NS’: Blackbox survey

Yahoo News Singapore
Tourist arrested for allegedly stealing luxury goods from Changi Airport shops before her flight out of Singapore two months ago
Woman tourist, 38, arrested for allegedly shoplifting over $1,400 worth of goods on two occasions from Changi Airport. Read more.
2 hours ago
Evening Standard
Australia attack: Sixth Sydney stabbings victim named as police say it was 'obvious' women were targeted
Yixuan Chen, 27, was one of six people killed in the attack by Joel Cauchi, who police believe targeted women while largely avoiding men
22 hours ago
AFP News
Beijing half marathon probes 'embarrassing' win by Chinese runner
Beijing half marathon organisers said Monday they were investigating after footage shared widely online appeared to show three African runners deliberately allowing China's He Jie to win.Track and field's international body said it was "aware" of the footage online and the investigation into it.
18 hours ago
People
Salma Hayek Says Her Family Won't Let Her Take Swimsuit Photos in 'Peace': See the Hilariously Sexy Pics
The actress, 57, revealed what it's really like to try and snap the perfect Instagram photo
5 hours ago
HuffPost
Ex-Aide Sums Up Donald Trump’s Attitude To Melania Trump With 3 Words
Stephanie Grisham also recalled a telling telephone call the former president made about his wife.
20 hours ago
Cinema Online
Natalie Tong is ready for a mature relationship
The actress admits that she used to have poor communication skills when it comes to relationships
20 hours ago
INSIDER
4 wedding red flags that are telltale signs a couple won't last, according to a dating coach
A dating and relationships coach, Anwar White, says he can sometimes tell whether a marriage will last from the wedding day.
2 days ago
Evening Standard
Sydney rocked by second mass stabbing as knifeman attacks bishop and worshippers in church
A bishop has reportedly been stabbed in Sydney days after six people were killed in a horrific knife attack in a mall. Live stream footage of a sermon at a church in Wakeley appeared to show a suspect stabbing at Bishop Mar Mari Emmanuel. Footage of the harrowing Wakeley attack was shared widely on social media and worshippers can be heard screaming in horror as the incident unfolds.
18 hours ago
The Telegraph
What happened to David de Gea? The Golden Glove winner who cannot find a team
In the 10 months since David de Gea left Manchester United, the most high-profile free agent on the market has actually worn kit for a different club. The red shirt, however, was that of his esports team Rebels, rather than pulling on a No 1 jersey in the Premier League.
18 hours ago
Cinema Online
Carina Lau turns heads with lobster dress
Netizens joked about the actress "paying tribute" to Aunt Eleven in "Dances of Dragons"
20 hours ago
INSIDER
The most daring looks celebrities wore to Coachella 2024
Many celebrities wore daring looks to Coachella 2024, from sheer dresses and miniskirts to bodysuits with cutouts.
9 hours ago
Evening Standard
Mauricio Pochettino threatens Noni Madueke and Nicolas Jackson after Chelsea penalty clash with Cole Palmer
There were boos around Stamford Bridge as the Chelsea players fought to take a second-half spot-kick
7 hours ago
People
Married Teacher Allegedly Caught Undressed in Back of Car with Teen Student: Police
Erin Ward, 45, was allegedly found inside a car with a 17-year-old student, according to the Douglas County Sheriff’s Office
14 hours ago
Futurism
Trump Supporters Horrified as the Value of Their "Truth Social" Stock Evaporates
Screaming Into the Void Despite an astronomical number of red flags, investors who poured their hard-earned cash into former president Donald Trump's Truth Social meme stock are experiencing a rude awakening. As the Washington Post reports, Trump supporters are seething as the value of the social media platform's parent company Trump Media & Technology Group (TMTG) […]
15 hours ago
The Telegraph
Israel admits Iranian ballistic missiles struck two military bases
US officials believe that at least nine Iranian ballistic missiles hit Israeli air bases on Sunday, evading air defences, although the damage appeared to be minimal.
16 hours ago
INSIDER
A denim-clad Jeff Bezos and Lauren Sánchez spotted at Coachella waiting for Lana Del Rey's performance, reports say
Amazon CEO Jeff Bezos and fiancée Lauren Sanchez were spotted at the Coachella music festival waiting for Lana Del Rey's performance.
2 days ago
The Smart Investor
Looking for Dividends and Growth? 3 Singapore Blue-Chip Stocks You Can Consider Buying
These three blue-chip companies promise a healthy mix of both dividends and growth. The post Looking for Dividends and Growth? 3 Singapore Blue-Chip Stocks You Can Consider Buying appeared first on The Smart Investor.
6 hours ago
Yahoo Lifestyle Singapore
Julie Tan went snowboarding after her breakup, inspired by filming Good Goodbye to step out of her comfort zone; had never planned such trips with ex
Singapore actress Julie Tan shared how the movie Good Goodbye inspired her after the breakup. Read more.
a day ago
BBC
Bondi Junction mall attack: 'Obvious' killer targeted women, Sydney police say
Joel Cauchi, 40, fatally stabbed six people in a crowded Sydney shopping centre on Saturday.
20 hours ago
The Telegraph
The secrets of Bayer Leverkusen’s success (it’s not all about Xabi Alonso)
Bayer Leverkusen secured the 2024 Bundesliga title today with a 5-0 win over Werder Bremen, and a 29-game record of 25 wins, four draws and no defeats. Undefeated in all competitions over 38 games, a record points total is within their grasp over their last five games.
2 days ago

Latest stories