Video Shows Hotel Security at DEF CON Joking About Posting Photos of Guests' Belongings to Snapchat

Caesars Palace told DEF CON attendees that hotel security room check only involved 'visual review,' but a video shows some security staff going further.

|
Aug 15 2018, 8:49pm

Image: Motherboard 

The first video clip is brief—less than a minute long—and shows two men in dark suits panning a smartphone camera around a multi-room suite at Caesars Palace in Las Vegas. The suite is outfitted with two folding tables with two computer monitors, turned on, on top of one of them. Around the room is networking equipment, wireless access points, and office paraphernalia that one of the men captures with his smartphone camera.

A second clip shows the two men entering an adjacent room where stacks of boxes are stored containing bulk supplies of alcoholic beverages, water, and other drinks.

As one of the men takes pictures of the beverages with his smartphone, his colleague laughs and says, "I kind of want to take a picture of this and put it on my Snap"—presumably meaning his private Snapchat account.

His friend laughs as well and says, "[To suggest] that we partied?"

"Fuck it. [I'll] do it," his colleague replies, and appears to hold his cell phone up to photograph the drinks.

The videos, which Motherboard viewed, were taken by surveillance cameras placed by guests who rented the suite to monitor their computers and other property. They were captured August 7, several days before most guests in town to attend the Black Hat and DEF CON security conferences would become aware that security employees at Caesars and other hotels on the Las Vegas strip were entering guest rooms to conduct walkthrough searches.

On August 12, the last day of DEF CON and following days of complaints by numerous guests staying at various hotels owned by Caesars Entertainment, the conglomerate released a statement saying the hotel had implemented a "room check" policy back in January at all of its hotels to conduct periodic walkthroughs after guests have declined maid service, regardless of Do Not Disturb signs posted on doors and regardless of whether guests are in a room or not. The policy was implemented in response to the shooting in Las Vegas last October when Stephen Paddock opened fire from his Mandalay Bay hotel room, killing 58 people at a country music festival and injuring hundreds of others. Paddock moved 24 guns and hundreds of rounds of ammunition into his hotel room over several days, while declining maid service to prevent employees from discovering the arsenal.

Caesars Entertainment said it had notified DEF CON organizers of the room search policy prior to the conference, which ran from last Thursday to Sunday, and that the checks "involve only a visual review of the bedroom, bathroom, and additional sitting area (if any) to ensure there are no issues which require further attention. Drawers, suitcases and other personal items are not inspected by our security officers who are clearly identifiable to guests."

But the room check captured on video suggests the walkthroughs are subject to abuse by hotel personnel who may use them as opportunity to snoop on guests or take and post images for amusement. And accounts of other searches that involved hotel security staff refusing to show ID or showing insufficient ID, and displaying bullying and threatening behavior to guests in occupied rooms, raises questions about the legality of the searches and the tactics and training of security personnel.

The suite in the videos was one of eight rooms booked by Queercon—a group that organizes events for members of the LGBTQ community, including meet-ups that run in concert with conferences. Jason Painter, president and head of operations for Queercon, said his group placed surveillance cameras in their operations and storage rooms in Caesars to monitor the computer equipment and alcohol they brought for the event.

Caesars Entertainment did not respond to a request for comment about the Queercon videos or ID issues.

After the hotel's security personnel did a walkthrough of the room and took flash pictures and video, the hotel reached out to his team to ask what they planned to do in the rooms. He said they met with security supervisors the same day, "and [after that] everything was copacetic and fine."

Painter had no plans to show the surveillance videos to anyone until Caesars' released its statement Monday claiming the room checks were only visual inspections.

"[T]hat is not what they were doing in any of the [Queercon] rooms," he told Motherboard. "They were recording, and taking photos, and those photos appeared to be on employee personal cell phones, not on corporate assets."

The comment about posting images to a worker's personal Snapchat account is "where I feel like it really crossed the line," Painter said. "[He's] not saying I'm going to send this to my supervisor, [he said] I'm going to send this to my friends."

Painter is working with DEF CON staff and Caesars to "come to an understanding" about why the searches of Queercon's rooms deviated from the hotel's stated description of its searches and doesn't want to post the videos until they get a clear statement from the hotel.

But there could be a legal problem around the audio portion of the Queercon videos, said Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation. Nevada's audio recording law prohibits “surreptitious” recording of conversations unless at least one party in the conversation gives consent; it also prohibits even disclosing "the existence, content, substance, purport, effect or meaning of any conversation so listened to, monitored or recorded, unless authorized to do so by one of the persons engaging in the conversation."

Painter said the surveillance cameras in the room—Ubiquiti UniFi video cameras—were not hidden, however. If this is the case, then it likely wouldn’t be deemed a “surreptitious” recording Opsahl said.

Separate to this, there is a question about the hotel's right to enter the protected space of a rented hotel room for security reasons if there is no actual suspicion of wrongdoing. Hotel rooms have Fourth Amendment protection against government searches - police can’t go in without a warrant. But this doesn’t apply to hotel owners. Opsahl said there is case precedent for hotel staff entering a room to conduct maintenance, check for damage, or act on a tip of potential criminal activity occurring in a room. “But I've seen no cases supporting an unfettered right to go in without any suspicion,” he said.

Nicholas Percoco, founder of SpiderLabs and a prominent member of the security community, noted in a tweet that when he checked into his room from a Caesars kiosk, a prompt appeared on screen encouraging him to go "green" and opt out of maid service, with restaurant credits offered as an incentive. This would suggest the hotel doesn't consider opting out of maid service a matter for suspicion.

Aside from the legal issues, the room searches have also raised serious concerns about the safety of guests—particularly because security personnel who attempted to gain entry to occupied rooms failed to show ID or showed improper ID.

Katie Moussouris, founder and CEO of Luta Security and a prominent member of the computer security and hacking communities, recounted her experience when two security personnel at Caesars Palace banged on her door to demand access. Moussouris called security on her room phone and said she spoke with a supervisor and asked him to give her the names of the two men outside her door so she could confirm they were hotel staff. But when she checked their IDs she saw that the photo was "rubbed off" one of the IDs.

"All I could see of his photo was a faded part of the very top of his bald head. There was no face. It could have easily been faked," she told Motherboard.

The name on the other person's ID did not match the name the supervisor gave her over the phone. He told Moussouris he was filling in for someone who was on a break.

I was also the recipient of an aggressive room check at the Bally's Las Vegas Hotel and Casino—a property of Caesars Entertainment—on August 9 and asked repeatedly for ID from the two men who appeared at my door. But instead of showing me ID, they simply pointed to the iron-on patches on the sleeves of their polo shirts that had the word "security" on them.

Moussouris said the hotel policy is creating a dangerous normal where people are conditioned to open their doors to anyone who says they're security, without verification. It's even more concerning since Bally's and Caesars don't require a key card to take the elevators up to rooms.

"The chances of an attack like what we saw on October 1 are far lower than the statistics of rape of women," she said. "You are training and conditioning women and other people to take people at face value outside the door and let them in the room with no authentication. You are going to see burglars, rapists and murderers taking advantage of this."

DEF CON's press representative did not respond to a request for comment over the weekend, but the conference sent out a tweet on Monday saying it was in talks with Caesars Entertainment to discuss the matter. "We expect a venue where our attendees are secure in their persons and effects, and a security policy that is codified, predictable and verifiable. Thank you for your patience while we work this out," the message said.

Asked again today for a comment, Def Con sent out a tweet saying it’s still in discussions with the hotel. “Please know we are not letting this go,” the statement said.

Opsahl said that searching the room of every guest who declines maid service is a classic case of trying to prevent a precise scenario that happened before from occurring again, instead of devising a solution that addresses the larger issue. The next shooter might leave his weapons in the car until the last moment before he commits his crime or conceal them somewhere else in the hotel outside of his room, bypassing the room checks.

"It is addressing a particular set of circumstances that happened under the old rules," Opsahl said. "And if the new rule is that if you have the Do Not Disturb sign that guarantees a visit from security, then someone who is trying to hide something from security is not going to use that method."

Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society and a DEF CON attendee, had a similar take on the policy.

"The most American possible response is to decide that the problem isn't the guns, the problem is not enough invasion of privacy," she wrote in a tweet.