 All right, so you guys having a good time so far? Good, well, we're actually half the way through Sunday right now We'll actually be switching formats after this talk and start going into the half-hour talks They're a little bit shorter obviously and a bit more fast-paced So I think this is the last of our hour talks that we got here We have Michael Wiley here who's speaking on you're not alone in your hotel room So please welcome him to the tour con stage All right, so I just found out about 10 minutes ago that the title of these this talk is a little bit creepy So maybe I should have thought about that But I thought around the the privacy concerns that we had around deaf con about a month or so ago This would be an interesting topic to talk on So I'm Michael Wiley and Recently the director of cyber security services at Richie Mae technology solutions up until now for last about 12 years I've run my own consulting firm in Los Angeles And it's a bit of a change now to to be an employee and work for someone else But so far it's been awesome, and I've been working on a lot of great projects This talk is I had some legal input on it So as the the deaf con concerns came around and people and security going into rooms I got the input of Dan Nelson and so he's an attorney in Colorado And so he helped with a couple of these slides and I'll call that out And I put his contact information towards the end You can absolutely reach out to him if you want more information since I'm obviously not an attorney I think he's a pretty interesting attorney to talk to especially in this space because He's one of the few attorneys that I've come across that understands privacy and information security So I know Mark rash is one of them that's out there and he makes a lot of blog posts and content around Privacy and cyber security, but then Dan's probably one of the only attorneys I know of that has a certified ethical hacker and a couple other security related certifications So about where to make technology solutions They've been around for about 30 years, but their cyber security information security programs come up for just in the last year So and that's why they brought me on board to help develop that and bring it up to speed Some of the disclaimer they obviously made me do this in the past I wouldn't have to but now we've got this on here that the information contained here in is general nature and based on the Guidance is that is subject to change the information is not intended to provide legal or the professional services And is provided solely for educational purposes the information provided should not be used as a substitute professional legal advice Future changes in law regulation may supersede some or all the topics in this article And that's what I did find was a lot of the content that we found Case law and other laws that came out. There's either not a whole lot out there quite yet around this talk Or they do change or they differ from state to state So we're first going to talk about some recent privacy concerns Then we're going to go into the host the hotel's right to enter your room if you're staying there The law enforcement's right to enter your room Gambling with some free wi-fi in the hotel We'll just briefly talk about that because I'm sure you all are experts in that area And then detecting intruders in physical access to your hotel rooms or air bnbs Then detecting cameras that might be present in your room or more specifically your air bnb room And then some counter surveillance techniques So this is where the talk really kind of came to light was I actually didn't attend def con this year. I had a bunch of business trips lined up But I was at b sides los vegas gave us talk there And all of a sudden I started seeing all aside from the the storm that hit vegas the day I left This was all over twitter and that people were saying warning caesar staff is performing random security checks And they were in certain cases coming in unannounced to other cases They were coming in with some announcement, but they were being a little aggressive with their security checks And so I've got a couple different tweets that I saw that got retweeted a lot on twitter But a lot of different situations and I think one of the more scary ones was a female was in her room And she was in the middle of changing and security came into their room. She claims without knocking So I first looked to the actual policy at that Well, these hotels have to have policies on what they can and can't do coming into your room So we should start there and with caesar's entertainment It was most interesting since they were in the light and we had these tweets about their their privacy and entering Their guest rooms, but they say we do not comment publicly on security related policies and procedures And so that was one email that came out from one of their spokespersons and that was in november of the year before I'm sure now that there was a big stink about their Entering rooms. They've come a little been a little bit more transparent with what their policies are But initially they said we're not going to comment on this after the the big shooting in vegas mgm was a little bit more transparent with what they were going to do and their policies And they essentially said that All mgm resort properties follow health and welfare checks operating procedures that stipulate welfare checks to be performed After two consecutive days where do not disturb signs have been displayed on the door and guests have not Interacted in person or by phone with housekeeping So a lot of these policies coming around because I'm seeing we all are pretty familiar with what happened in vegas and the big shooting And so they're trying to get more eyes and ears in the room And if you don't want housekeeping in there, then they're okay with that But they want to check on the room and make sure there's not a stockpile of ammunition Or explosives and if you think about how big some of these hotels are especially in los vegas Sometimes we're up to like 3 000 rooms and if you think a few people in those rooms It's a large target for some type of terror attack So on one side it's understandable that they would have some type of security to protect you myself or family That's visiting los vegas and trying to have a good time But there has to be some type of balance between the the privacy of the guests as well as the safety of them Hilton had a policy actually quite a long time ago And it says we understand respect our guests privacy The hotel deserves the right to visually inspect all rooms every 24 hours To ensure well-being of our guests and confirm the condition of the room and understandable They have a lot of money in these hotels as well. They don't want them damaged Disney had one for a while for quite some time They made a little bit of a change after the october shooting The hotel and staff reserve the right to enter your room for any purpose including but not limited to performing maintenance repairs Checks on the safety and security of our guests and property and after the october event What they did is they took out the do not disturb signs and they replaced them with Something that said like no cleaning service or no maid service needed So that way it wasn't giving a false impression that by putting that sign up of do not disturb or do not enter That wasn't going to always be the case. You're really just saying i'm i'm basically declining the housekeeping service in my room So those are the policies that they have for but i thought that's great that they have the policy But what if you get your your room checking card or your contract and you cross those things out? Is that legal? What about the law enforcement? Can they just let law enforcement come in because they see you have a soldering iron in your room? And they don't know what that is So this these are the slides that dan contributed to and gave me some insight on so he wrote these next few slides And unfortunately he couldn't join me here today So the fourth amendment protects guest rooms from unreasonable search and seizure And this is for law enforcement enforcement only this is not applied to the hotel and the security staff as well But the sole um, but this solely applies to government agencies such as the police and even then there are some exceptions Such as an emergency so if they see there was one case where there's blood outside the hotel room And they heard a big crash of glass and in those cases they were allowed to Enter the room because they thought there was some type of bodily harm in that case Also, the guests can consent So if if your husband or wife or someone else in the room and they consent to the police to enter They can come in without a warrant The fourth amendment also protects guests against registration information So uh one specific case that I thought was interesting in my hometown of los angeles Was the city came in and said well you the police are allowed to come in and look at registration information And there was another hotel that I think it was somewhere around san diego That it was a motel six and the police were the ice was asking for Information on guests and trying to correlate that with immigration information So there was two notable cases, but I like the one in los angeles since it's my hometown And they ultimately after it went up to circuit appellate courts. They came out and said that The even though the los angeles says that police can go in there and get registration information That if the hotel does not want to provide it, they don't have to give it out and it is protected by the fourth amendment So now the hotel's right and this is really what the the talks around What about caesars palace and entering some of the guests room even though they were there They said hey, we don't want someone coming in I saw one person posted a sign on their door and they said I do not give consent to have anyone search my room So I thought well does that is that valid? Can you supersede the contract that you sign when you check into the room? And so the fourth minute does not generally apply to hotels and non-government actors So there's no need for a warrant even if you tell them. I do not consent to you entering my room It's generally a state law since there's not a whole lot about this For a business and the contract between the business and someone coming in to stay less than 30 days So it generally goes down to the state law and as I mentioned this is going to vary by every state that you go to And the most interesting thing that I think dan brought up is that the primary difference between a landlord and tenant And I've got a couple rental properties. So I'm familiar with california and los angeles laws on that And you've got a lot different or different set of laws when you have longer than 30 day leases And so that's going to be a landlord and tenant or a tenancy But if you're staying less than 30 days in a hotel room, you're generally considered It's a less or less c relationship and there's a less c relationship So essentially it's similar to a parking garage If you go into a parking garage and you get that little ticket And it has a little contract on the back of the ticket that says they're not responsible for damage You can stay for less than 24 hours. You know, this is the rate. This is etc All that stuff that's generally going to be a less or lessy relationship as well And you can't supersede that contract by writing in your own piece of the contract or putting something on the door After the fact saying that I don't agree to a search in that case And so you have a lot less rights when it's a less or unless the relationship So tenants actually have a property interest in the the premises, but it's a lot less I'm sorry. The tenants have a higher degree of property interest Which means they have more rights to the property than if you will have a license to basically stay at the property like this hotel And so it's hard to to claim that you're a tenant if you do stay less than 30 days And so you're saying if you stay more than 30 days like it's an extended stay and you're there for two months Unless they make you recheck in and I know a lot of places will do this even for a car If you're renting a car every two weeks you have to go back in and Resign the license because they don't want it to be a tenant relationship. They want to keep it as a a licensee So is this me for you? So you is the the license or no or the sorry the license where is the hotel? We'll generally have the right to enter your room for legitimate reasons and I think they're pretty Broad and vague and so in this case they they can pretty much claim anything and come into your Your premises there so cleaning maintenance Guests so they could say the safety of someone next to you if they heard things going on in your room And it sounded like a gun loading Well, they can just come in because they assume that or they're trying to protect the safety of the guests next to you as well The hotel may be back May back this up with language in the the license agreement. So when you check into the hotel It may be directly on the actual contract. It could also be Referencing a link somewhere else. So sometimes when you sign one of those end user agreements It says for more information go visit their website, which is kind of ridiculous when you're checking in with a long line And such language is not essential to the hotel's right to enter So they don't even have to fully call it out. They have a right being the the building owner So some dos and dos from Dan the attorney Lock your room from the inside when you're present, right? So if you're inside there It's a little bit harder for them to come in and do those security checks There's obviously the locks on the doors But I know people that have actually come to this conference to give and talks about bypassing locks And obviously the keys have or the hotel has keys to everything So you can obviously use the locks on the hotel door, but there's a couple other techniques I'll give you that you can use your own locks or a little Techniques that you can basically barricade yourself in for a legitimate reason If you have the if you have personal items that you don't want searched and looked at The recommendation from Dan was put that in a suitcase with a lock It's generally a lot more difficult for the hotels to claim safety concerns to going into your items In that case, they may need to bring in law enforcement and have a warrant in those cases So anything you don't want them to look at when you leave the room lock it in a suitcase Don't do anything illegal obviously he's an attorney so he's going to put that in there And if you do something illegal then probably contact him and he can represent you So essentially there was a couple of things in Vegas that were happening as far as Some of the the guests were having soldering irons and I get that the soldering irons aren't illegal And they may not be a safety concern or security concern But you also have to think about it from the hotel's perspective And if you have someone that's that's I'm assuming is low paid coming into clean a room Or even maybe a security guard that's in high school or maybe college and they're trying that's an intermediary job They come in they see wires all over the place circuit boards and the soldering iron We understand what that that's probably is it might be just a badge But in their eyes after the october shooting that's a big concern for them all these wires and electrical things out there So just to save yourself if you have those items you may just want to put them away or tuck them in And they the hotel probably doesn't have a right to go through your things Especially if it's locked up. So that just gets you out of that that whole predicament altogether I'm really you're going to touch a whole lot on the the gambling with wi-fi I mean wi-fi anywhere. We just want to be careful with what we're using and what we're doing Obviously the wall of sheep at def con. There's tons of clear text data going across sometimes You don't even know what your computer or your mobile device is doing So it might be best to use a vpn or a hotspot from your phone The other interesting thing I do want to mention before moving on to the next slide is that Law enforcement can request permission to tap the hotel's wi-fi Or their their internet in general and long as the hotel agrees in those situations They don't need a warrant and so I have talked with fbi agents and certain cases when they were doing Child pornography cases. They've gone to hotel and say we suspect there's someone here Can we tap into your network and not only do they let them tap the network? They basically gave them usernames and passwords to everything whatever they wanted They didn't want to get involved They just said go ahead in our it clause that you can do whatever you want. You're the fbi So even if they don't have a warrant They still might be able to come in with the consent of the hotel and monitor what you're doing So in detecting intruders if you're in the room or even if you leave the room You might want to know if someone has been in there or they've come into your room So a couple different options You can buy these portable door alarms on amazon for under $20 And they they detect motion or vibration on the door So if someone ends up knocking really hard or Messing with the handle or opening the door. It'll sound an alarm This would work if you're in the bathroom Or you just want to know when someone's trying to get into your room But if you leave you're probably not going to know if that thing went off or not The interesting one is audio and video recording and there was a tweet that went out as far as the On twitter for the Caesar Caesar entertainment Circumstance and in those cases someone from I think queercon had a video recorder in their room And there's a little debate from privacy people of whether or not they should actually release the audio recording because Las Vegas or Nevada is a two-party consent state and so that audio recording may have been Violating state and or federal wiretapping laws. So there's a little concern about releasing some of those things But the consensus from dan, and I'm sure he's going to have all kinds of disclaimers saying this But when we talked on the phone last week He was saying well if you have a sign and you bring a sign that says this room We're doing audio and video recording and it's very visible and it's right in the front of the door It may be Implied consent by them entering in and starting to move around and talking It's almost like when you call Verizon or Dell or anyone any tech support and they say by Continuing the call we're going to be recording it for security or monitoring purposes And by staying on the phone call you are essentially consenting to that So he said that that could be it would be kind of a two different principles that you're budding up together And there's not enough laws or case law regarding this that that hasn't been tried and tested But that may be an option to have that with a visible sign saying you are doing audio and video recording in your room The other interesting one is something is it paper or my favorite let me pull this out Well, I thought it had a visible there But those little do not disturb signs that they've now replaced with no maid service If those you hang them on the door and sometimes when you quickly close that door They get stuck in the door jam a little bit. Well, I purposely sometimes actually do that So when I close that I'm sticking it in slightly and that way if someone else has entered my room Even with that signs on then it's no longer to be stuck in that door jam Assuming they didn't swing it too hard, but it may be just give me some indication that there has been an intruder in my room You can also take a picture when leaving your room This is a great one to see not if someone's come in but if they've messed with your things or they've touched your stuff You could take a photo with your your phone There's also some apps out there from I think it was an ex navy seal guy And he let you take a picture upload it and then you come back take a picture again And it'll show you certain items that have been moved or misplaced from your original picture So detecting cameras I think this applies more for an air bnb situation I'm an air bnb situation Um, there's been many cases where people have found hidden cameras in their room And I often are concerned about that when I go to an air bnb travel with my wife Uh, I I don't know the person's house. There's stuff all over the place It's not like a hotel that has reputation It could be some owner that wants to spy in the bedroom or the bathrooms And so it is a little bit of a concern to me So you can inspect private areas so bathroom bedrooms You can look around a lot of these different items now these hidden cameras are so small You can see the little holes here even a cell phone charger or a power adapter And there could be a hidden camera sitting inside there You can look for cables commercial tools that can help you So there's one on amazon for a little bit less than 300 dollars It's going to go around and look for electrical and other frequencies And it'll be able to tell you if there's something in the area The commercial tools that really will find all spectrums of wireless and electrical frequency are going to be a couple thousand dollars But you can get away with detecting most of the different frequencies for less than 300 dollars The other thing you could use is your phone's camera So if they're not buying special spy equipment and they've got ir sensors on the their ir lights on the cameras You can go around and just basically pull up your your cell phone camera And you can look around with it and if they use infrared lighting You will be able to see a little bit of a glow there and that might detect some of the cameras in those situations Airbnb has a policy as well that hosts must disclose cameras, but obviously that's not always going to be the case You're prohibited regardless of disclosing it to have it in bathrooms bedrooms and other private places And then they also prohibit you from doing counter surveillance So you as a guest if you go in there you're staying there like the hotel situation Where I said you might be able to get away with having an audio and video recording with a sign They say unless the third party consents to being audio or video recorded you as the guest cannot have a camera doing the recording So what else can you do here before I end? Um basic visual detection of light smoke detectors other things that if possible hidden cameras You go on amazon ebay look for hidden cameras and you can look for those type of items You can use your cell phone look for infrared You can use different The I think this is the the mac q anti spy hidden camera detector That's the one for under 300 dollars if you are familiar with different tools Or you have callie linux running once you get on the wireless network You can use something like nmap to do a network sweep I like net discover because it's going to do an ARP request And so if they have icmp disabled on any devices like a hidden camera This is going to go and look on ARP and there's not a whole lot of protections to protect against ARP So unless they segment their network, you're probably going to be able to see that and if it's an air bnb situation The unless they are someone in this room They're probably not going to set up the network where it's isolated and have different network for that and it's all hidden But even if it's hidden you can go out and use something like insider inss id er and you can look for hidden wireless networks as well There's an awesome tool that came out on github. It's called dropkick And so if you run this on a network in an air bnb situation It's supposed to go look for certain models popular models of of cameras And then it'll go ahead and actually do a denial of service on them and try and get them off the network if it finds it A few apps you can get spy hidden camera detector for ios Hidden camera detector for android net analyzer. There's a whole lot out there, but those were a couple popular ones And then one piece I want to go back and point out now. I have a couple more seconds on this Is the other piece that you can do Is this is the my actual hotel room Here at the west end and this big piece at the top of the door You can wrap something like a rope or a belt around and it'll prevent someone from getting in So even if they have the key or they have bypass tools to go ahead and open up that little slider or the whatever type of tool They have there If you put something around that top piece there that's supposed to have the door slowly closed A lot of times you can actually stop someone from getting in or most of the way in in those cases If you don't have those do not disturb signs You can go ahead and put just a piece of paper on the door jam and obviously if it fell out or it's somewhere on the ground You know someone's coming into your room And then I thought this one was pretty creative as well Because I wanted to have something that if you forgot your tools at home You might want to still do intrusion detection or lock your door You can use a fork from the hotel lobby if they have a Restaurant or you can go to some other place and buy a fork if you really forgot all your tools here And you can cut the fork in half or you can bend it and break it You put the you bend the tips of the end of the fork It goes into the actual part that the the lock goes into And then you've got the the long piece of the fork going across the door jam And it'll prevent someone from opening the door and it's pretty sturdy at that case I've tried this once so a couple different techniques You can buy a couple of products to protect yourself or you can even use some free tools to Protect yourself obviously not barricade yourself in a bad situation But if there was security pounding on your door not identifying themselves And you were concerned for your own safety until the police got there you could barricade yourself in and protect yourself So that's it for my slide. I know they said it was the last of the the hour talks But this was uh, at least in my schedule a 20 minute one and uh, I'm available for any questions Yes States Yeah, from from my understanding they would need more of a warrant for that situation But there's also they there's certain situations they could evict you very easily since you are not a tenant But you're you're lessy And so they may be able to say we evicted you now we can go into those But generally things are when they're locked. They don't have the right to go into those things Again, generally there's a lot of like what ifs and a lot of this hasn't been tested out or a lot of cases that have been around this But the general consensus is if it's locked. They don't have the right What's that With like the hotel safe versus if you brought your own safe in I wouldn't know on that one. That would be a question for for dan on where the the lines drawn on those pieces Yeah, and they do they do have um Certain keys a lot of times though. I've actually lost my key where I forgot the code for it or My wife likes to put certain codes But uh, she doesn't use the us way of doing the year the month and the date And so it's backwards and I lock ourselves out of that thing And so I have had the hotel trying to come in and it's not as easy as I thought In some situations when they've they've went to go open it up for us They have to get a specialist or they say oh, we have to call the safe guy to come in And it's been anywhere from 30 minutes to a couple of hours for them to unlock the safe for us Any other questions? Yes Yeah, I mean that's the the difficult part with a an airbnb situation is that Um, they're really the people you go to you could potentially try and call the police and say they're spying on you But really the the place to go is going to be airbnb And it's going to kind of be up to how they're going to handle that situation So their policy that I read on the camera said that the disclosure of the cameras Even outside the property need to be in the listing So when you actually look and you're interested before you even click go ahead and buy and then maybe they email it to you in the background It has to be on the the page that they're actually advertising So in those cases Yeah But that's it. I've got another talk coming up if you're interested and then otherwise after both these I'll be around in the The lobby and we can we can go ahead and talk after that. Thank you very much I was a little worried when they said the uh 50 minutes