In this segment, I'm going to describe a few physical security bypass techniques that work in hotels but are applicable elsewhere. I'm not responsible for any trouble you get into if you decide to try any of this the next time you stay at a hotel. Disclaimer: don't carry lock picks regularly unless you know the law and you're prepared to explain to law enforcement WHY you have lock picks. They're illegal to keep on your person in some areas unless it's for work.

Comfort Is King

Do you remember that one teacher in high school whose class was always cold? Maybe you had the rare teacher that kept it too hot. If you never experienced either, surely you've been in a hospital. Or maybe you visited Kansas City for a company retreat in the middle of winter, only to find that the hotel where the retreat is hosted is also cold, and you can't get away from it. The main conference area? Cold. Meeting rooms for breakout sessions? Cold. Okay, that's a little specific. But that was my experience at the company retreat for my previous employer. Thankfully the rooms had individual climate controls, but I was pretty frustrated at the cold in our team's meeting room.

Within 5 minutes of being in the meeting room, I decided we were going to be comfortable. There was a smart thermostat on the wall, locked behind a small plastic panel. Luckily for the team and me, I always carry a set of picks. Fortunately, the panel's lock was a low-security wafer lock that opened right up with two quick up/down jiggles of a double-ball pick. From there I bumped the temp of the room up a couple of degrees, closed the panel, and reset the tumbler. Now, this was a smart thermostat with a central controller. The hotel had a set temperature for the rooms, and it would poll every hour to check what the thermostat was set to. If it wasn't the correct setting, it would change it back. So I reset the temperature each time we used the room. We probably could have just asked hotel staff to change the room temp, but that would have taken longer, and the temps may have even been managed somewhere else.

Depending on the system, another technique to get a more comfortable climate would be to abuse the underlying network protocols in use. A lot of HVAC systems speak Modbus. Typically running on port 502, Modbus accepts whatever traffic you throw at it (given that it's well-formed Modbus data, of course), with no authentication. I won't go into much more detail than that, but the next time you have a network pentest, if you have some time, do a scan for port 502 and use one of my readers to look at the register and coil data: https://github.com/AlexKaos32/CoilDump
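From the defender's side, the lack of authentication means the only control point is the network: any host that can reach port 502 can issue writes, so monitoring should at least flag write function codes from anything other than the known building controller. The following is an added example (not the author's reader or any project's code) that decodes Modbus/TCP request frames and applies exactly that check, run over constructed sample frames; the IP addresses and register numbers are made up for illustration.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Modbus function codes that change device state. Reads (1-4) are informational;
# a writes-only rule keeps the controller's hourly polling out of the alert stream.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> Dict[str, int]:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id, function code and data that follow it.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    rec = {"tid": tid, "unit": unit, "function": frame[7]}
    if rec["function"] == 6:  # Write Single Register: address (2), value (2)
        rec["address"], rec["value"] = struct.unpack(">HH", frame[8:12])
    return rec

def find_unauthorised_writes(frames: List[Tuple[str, bytes]],
                             allowed_writers: set) -> List[Tuple[str, int, str, Optional[int]]]:
    """Flag write requests whose source is not an approved controller address."""
    alerts = []
    for src_ip, frame in frames:
        rec = parse_modbus_tcp(frame)
        fc = rec["function"]
        if fc in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append((src_ip, rec["unit"], WRITE_FUNCTIONS[fc], rec.get("value")))
    return alerts

# Constructed sample traffic (hypothetical addresses, not a real capture):
# the controller at 10.0.0.5 reads ten holding registers and later writes the
# setpoint register; an unexpected host also writes that register with value 72.
SAMPLE_FRAMES = [
    ("10.0.0.5",     bytes.fromhex("00010000000601030000000a")),  # fc 3, start 0, count 10
    ("192.168.4.23", bytes.fromhex("000200000006010600010048")),  # fc 6, reg 1, value 0x48
    ("10.0.0.5",     bytes.fromhex("000300000006010600010044")),  # fc 6, reg 1, value 0x44
]

if __name__ == "__main__":
    for alert in find_unauthorised_writes(SAMPLE_FRAMES, {"10.0.0.5"}):
        print("ALERT: unexpected Modbus write", alert)
```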

VIP Floors Unlocked

A lot of the better hotels have some kind of access control on the elevators and stair doors in the form of an RFID card reader, similar to the reader on your room door. How granular the access control happens to be is largely dependent on the hotel. Some will only allow you access to your floor; some allow access to all regular floors and require a different card to access the VIP/executive floors. Sometimes these upper floors will have additional amenities: complimentary water and soda, a gaming lounge, a separate gym, or even a viewing lounge.

One method to access these floors is to get on the elevator and wait. Unless hotel staff get on the elevator with you, you can usually sit and wait on the elevator. Eventually someone from one of these floors will call the elevator, and as they get on, you get off. They'll likely assume you happened to be going up as they were going down. If you want to avoid any potential confrontation, wear cheap earbuds and play loud music. Cheaper earbuds don't contain the noise as well, so anyone nearby will be able to hear them as the volume increases.

Another method is to just take the stairs. Most of the time, even when readers are installed on the stair doors, they aren't active. You'll be able to walk right up to the floor you want. Occasionally hotels will have more than one set of stairs, with different configurations. The main stairwell could have access to all regular floors and then only the first VIP floor, requiring a key card to access that floor. The secondary stairwell could be intended for VIP access only and require a card to enter the stairwell, but provide access to any floor once you're in. The main door to this stairwell is often near the clerk's desk and left unlocked.

One final exploit here lies with the cleaning crew. You've likely seen the cleaners go in and out of supply rooms on each floor, which are again locked behind an RFID reader. You could clone a badge with a long-distance reader, but you'll need to wait around for the cleaners (hint: there's a checkout time for a reason). However, if you wait until after midnight, the cleaners won't be around. The best time for what I'm about to describe is usually around 2 AM during the week; even if someone is there on vacation and has been up all night drinking, they're usually back in their room at this point. There may only be one or two staff members in the entire hotel. There is usually at least one cleaner's supply room left unlocked in each hotel. It will take some time, but if you visit each floor and try each cleaner's door, you'll find it. Once you're in, you'll probably notice another elevator. This is usually an entirely separate elevator shaft that's only available inside the cleaner's rooms. These are almost never protected by additional access control, since you're supposed to use a card to get access to the room in the first place. From here, you'll be able to access any floor, including some staff-only floors.

Hidden Rooms

Speaking of staff-only floors, have you ever thought about how a large hotel operates? I'm not really talking about a La Quinta here. I'm talking anything from a large Marriott to 5-star hotels. The kind with restaurants and stores inside the hotel, maybe even attached to a convention center. You need all sorts of facilities and resources for something like this to operate. Have you ever stopped to think about where everything happens? Where do all those employees come from that aren't behind the reception desk? Well, there are a ton of areas built into the core of a hotel like this. Kitchens, walk-in refrigerators, networking rooms, storage, and offices. Usually after 5 PM, all of the offices are empty. Around 2 hours after the restaurants have closed, everything is empty. The only remaining employees are the reception desk employees and, rarely, third-party security staff.

Most of the hotels like this have at least a few public restrooms. They're often positioned near some of the aforementioned office areas. It gives you a great alibi should you happen to be spotted heading in that direction: just pop in the stall for a while. Once the coast is clear, you'll be able to slip around the corner and gain physical access to the hotel network. Someone might even be nice enough to leave a set of credentials to their VMware infrastructure on a sticky note for you.

So Many Screens

Another technique that's best kept for after dark. Have you ever noticed all of those screens? Nearly every display that you see that isn't clearly a TV probably runs a version of Windows. Maybe it's even a Raspberry Pi or some other hardware running some *nix distro. These displays are typically centrally managed so they can be updated with new event information. Can you imagine updating the 10-20 displays in an event center one by one?

I won't get into a full overview of kiosk mode escapes and whatnot, but if you want a way into the network without going into someone's office, this is your ticket. Some of the Windows-based displays can be pulled out of this "display" mode by pressing and holding your finger in one of the corners. Another technique is to find the power button, reboot the system, and stop the display process from starting altogether. Here's a short (terribly filmed) video on my Hidden Systems channel of one of these I found at a hotel: https://www.youtube.com/shorts/pXpnCKtO5t0

Leveraging Shared Spaces

Space is tight in larger cities, so larger hotels often have some shared space. The area may have even once been one large business that went bankrupt, with pieces sold off one at a time. One of the worst I've seen is a hotel with a conjoined parking deck. A small concrete divider separated the parking between the hotel and the other business. The other business didn't even use this rear parking, but kept it for overflow. The business had all sorts of access control at other sections of the perimeter: gates, guards, badge readers, cameras, you name it. But nothing other than a bit of concrete at this section, where anyone from the hotel could wander over. To make matters worse, there was even a networking closet visible in this parking area. I monitored that section for quite some time and never saw a single guard patrol out that far. The only cameras around belonged to the hotel. It was almost like it was asking for someone to hop over.

Final Thoughts

I have always tried to apply security (or rather, the practice of infiltration) to any scenario I'm in. Doing this keeps me developing new skills both on and off the job. I hope you're able to take some of these techniques and apply them on your next assessment.

Thanks for reading!

Side Quests: Hotels