President Obama will no longer stay in the Waldorf Astoria Hotel when he visits New York, breaking a tradition that goes back over 80 years. Government officials aren’t saying, but it is generally believed that all US government officials will now be avoiding the hotel because they believe the Chinese government may be using it to spy on residents and guests there. The reason for this sudden concern is the fact that the hotel was purchased by China’s Anbang Insurance Group last October. This wouldn’t be a big deal if it were purchased by a group from another country, but China is well-known to use hotels as espionage hubs. As the Department of State notes on their China travel advisory website, “hotel rooms (including meeting rooms), offices, cars, taxis, telephones, Internet usage, and fax machines may be monitored onsite or remotely, and personal possessions in hotel rooms, including computers, may be searched without your consent or knowledge. Business travelers should be particularly mindful that trade secrets, negotiating positions, and other business-sensitive information may be taken and shared with local interests.”
If the Chinese government had a hand in the purchase of this hotel, they couldn’t have chosen a better one. Besides the fact that US presidents stay there when they come to New York, the US ambassador to the UN has a permanent residence there. In addition, every September, two floors of the hotel are taken over by US diplomats who support the president during the annual General Assembly session. The final straw may have been the announcement that the new purchasers were planning to start on a major renovation for the hotel.
But is this just paranoia or is the concern justified? To answer this question, it’s necessary to give a brief history. Back in 2008, Sen. Sam Brownback, R-Kan., held a news conference during which he showed a document from China’s Public Security Bureau. The document contained information indicating that the Chinese government required hotels to use monitoring equipment on their guests. The disturbing part of the document was that the hotels would be required to use this surveillance software whether they were Chinese or foreign-owned. If they failed to comply, the document claimed they would face “severe retaliation”. Brownback claimed he was forwarded the document from major international hotel chains that had received it. They worried, legitimately, that if they did not comply, they may have to close their lucrative operations in China or, at the very least, lose access to internet connections.
The infamous Darkhotel malware has been traced back to 2007; one year before the appearance of the document mentioned above. Darkhotel targets specific, high-level travelers, usually in Asian countries. The malware works by compromising a hotel’s Wi-Fi connections. Darkhotel’s goal is to gather information. Although Darkhotel has been said to originate in South Korea, it would be hard to imagine that Chinese security experts would not be aware of it. They certainly could have used it as a template to create their own, similar malware. In fact, it would be surprising if they haven’t. Thus, it is quite possible that the Chinese government had some sophisticated malware at their disposal when they sent the above letter.
In June, Kaspersky reported finding highly sophisticated hotel-attacking malware based on 2011’s Duqu malware. They called it Duqu 2.0. It was specifically designed to spy on communications within hotels and, more specifically, to spy on the US-Iran nuclear power negotiations. Duqu 2.0 is universally attributed to Israel. It would be hard to overstate just how sophisticated this malware is and how difficult it is to remove. On top of that, Kaspersky Labs later announced that the malware drivers behind Duqu 2.0 were loaded onto machines by using legitimate digital certificates. Basically, a digital certificate is used to prove that what is being installed on a machine is the real thing. These Duqu 2.0 certificates were authenticated by VeriSign. In other words, Foxconn issues its own certification based on VeriSign’s ‘stamp of approval’. This means that any software or component signed with a certificate from Foxconn would automatically be considered as legitimate and would, subsequently, be installed on a device without question. As it turns out, Foxconn’s customers are among the most well-known in the world, including Microsoft, Dell, Google, BlackBerry, Amazon, Apple, and Sony. In other words, any products from any of these customers could have been compromised at the manufacturing/assembly level. This brings up an interesting point, because it seems the only way that the designers of Duqu 2.0 could have gotten the legitimate certificates would be to hack into the company and steal them. It should be mentioned that VeriSign was hacked in 2010 but the company would not reveal what was stolen or compromised.
In the context of this post, it may be important to note that Foxconn (a.k.a Hon Hai Precision Industry Co., Ltd.) was first formed in China in 1988, later moved its headquarters to Taiwan, and now has its biggest factory in mainland China, along with 11 others. Contrary to what one might think, there is no love lost between Foxconn and the Chinese government. The government was especially miffed when Foxconn announced it would be building more factories in Taiwan. Thus, the Chinese government would lose no sleep if it found that Foxconn had its network breached and its reputation put into question. Would they have gone so far as to do this themselves? Well, that’s simply speculation. However, a back-engineered Duqu 2.0 with legitimate certificates would be an ideal way to set up a hotel espionage campaign. Malware already on a device could be remotely triggered to begin its work whenever the operators behind it wanted information.
To add yet one more level to the paranoia, justified or not, around hotel security, it is necessary to investigate one of the suggested ways to keep secure when staying in a hotel. This suggestion is to use a VPN. Just last month, RSA Security LLC announced that a Chinese VPN that is used to evade China’s firewall has been found to have nodes infected with malware. The nodes were actually associated with reputable companies whose security had been compromised. This is all to say that even using a VPN while staying at a hotel is no guarantee that your information will remain secure.
So that brings us back to the original question: Is the US government just being paranoid about security at the Waldorf Astoria Hotel? If you are involved in reporting on security, as I am, you quickly learn that it is impossible to be too paranoid. Watch the documentary on Edward Snowden (Citizenfour) to see how paranoid someone who understands security can be. It just comes with the territory. In other words, no, the Obama administration is not being too paranoid. In fact, they should be just as paranoid when they stay in their new South Korean-owned venue, The Lotte New York Palace Hotel. You just never know.