Hotel's Android-based lightswitches are predictably, horribly insecure

[Read the post]


Switching the lights is a cute prank, but I wonder if this might also provide a backdoor to every laptop in the building?


So: The room lights still need AC wiring to them. The smart switches cost much more than a simple toggle switch. The switches will use at least a little power even when off. The guests will have to learn a new (never intuitive) way of operating the lights that involves reading a screen before entering a command. The hotel will need to train the staff to maintain this system.

I’m at a loss. Apart from the manufacturer/installer of the system, who benefits?

edit: In the event of a momentary power failure, do these switches reboot themselves, and how long does that take before the lights come back on?


A lot of this has to do with hotel management that doesn’t want to go back into a room to reset it before someone arrives into the room. All the lights will be at their “correct” settings and it’s presented exactly how the owner wants it to be seen.

The fact that so few hotel rooms are ever actually worth being presented perfectly in the first place is irrelevant, but it has everything to do with one less person to turn down the covers and set the room to “night” mode. The cleaner comes in the morning and that’s it. Staffing reduction! Thanks robots!


That makes zero sense. If this is about being able to make sure the room lights are on when the guest walks in so they don’t have to suffer the horrible fate of having to turn the light on themselves, why not install ordinary looking, intuitive, modeless light switches in the room, and then stick a single remote control behind the front desk?

Why spend money on three tablets for each room, and deal with app crashes and broken/stolen tablets and kids messing up the configuration on the light switch trying to figure out how to download Candy Crush and unhappy clients who need light to find their glasses so they can see to turn on the lights, etc? It’s crazy, and stupid.

Protip: if you have to configure your light switch to operate in kiosk mode, you are doing it wrong.


I hadn’t thought of that, but it explains why the first thing I have to do on entering a hotel room is to turn on the light just inside the door so I can see what I’m doing, then turn off the unnecessary bedside lamps.


Tetris Time!


Right. My 1980’s-vintage X10 system allowed me to program macros, while still providing physical pushbutton wall switches. The security was better too.


I think it’s a big waste of money too but I have to consider that they have their own logic behind the choice. I’m not in the hotels business, maybe they know something I don’t that justifies the cost. Like maybe it’s designed to excite the guests? I stayed in a place with an electric glass door to the bathroom that became opaque when you locked the door. There is no point to this but I did play with it for a few minutes.


Because they want a different look based on the time of day and, most importantly, a way to make sure lights are off when nobody is checked in. It’s basically a centralized control system. You know, like Socialism.
Most non-US places just use a keyswitch that requires you to put in your room key when you walk in, but, you know, ‘Merica gonna’ 'Merica.
Having worked with them as a lighting designer for hotel rooms I can only explain what hoteliers are thinking. I didn’t say it was the best course of action. These decisions were typically made by corporate long before we ever came on the job. I don’t even understand people who put those stupid color changing LEDs in their house. If you need your phone to turn on your lights you’re also doing it wrong.


if it is a good sized building…


but, you know, ‘Merica gonna’ 'Merica.

Ah yes, clearly this London hotel is in America.


“most importantly, a way to make sure lights are off when nobody is checked in. It’s basically a centralized control system”

Still makes no sense. They have to send a staff member to the room after checkout to make sure the guests didn’t trash the place. Let that person turn out the lights. Gee, how primitive, but it works and costs nothing.

As for time of day based lighting - a remote control to turn on the lights can do that too. If you must have the power to control the lights from the front desk because reasons, there’s still no sane reason to Rube Goldberg multiple tablet lightswitches in every room. Modeless touch sensitive switches that look and work the way everyone expects them to, wired to allow a remote control at the front desk, solve all these admin issues without exposing your guests to an easily hacked, crash prone, fragile system that costs more and requires extra IT personnel to keep it working.

Someone somewhere decided that tablet based light switches were cool and modern and would impress the guests with a hip Jetsons style experience. And that person was an idiot.


Right. Then you could have an army of women (they’d have to be women) in a room with a giant patchboard jackplugging the lights in and out on instruction from the males in the command and control room.


You’d be surprised how many chains are American owned where they have a consistent way of doing things no matter the country.
The Ace Hotel in London, for example, is basically indistinguishable in service and interiors from the one in New York except in the receptacles.


In a comment on the post he mentioned that this network segment was not reachable from the hotel wifi.


Do they offer service? I thought the point was to charge a lot for basically nothing.

(I actually really like Ace Hotels. We stayed in the NY one when we got married)


Given enough fiddling, if you can pwn every room, you could stand outside and play Tetris with the hotel.
(aaah, piss. Scooped by @AcerPlatanoides)


I can understand how this would happen. While having security in the system would not be difficult, it would create an on-going data management drama for the hotel. Every time a light switch controller or tablet is changed they have to re-do the mapping between lights, rooms and tablets and if they have to get consultants in it’s going to be really expensive. So they leave the system open. It’s no skin off their back if room 10 can control the lights in room 20, but it is if neither of those rooms have lights at all.


My sister once stayed in a hotel where they tried to charge extra to do up the bed & clean every morning (!), even though they hadn’t made that clear when she made a reservation. My sister gave them hell till they relented. Don’t know where that was, though.