From Krakow with Access: A Casual Hotel Tablet Hack

Disclaimer:

The information provided on this blog is for educational purposes only. The use of hacking tools discussed here is at your own risk.


A while ago, I got invited by a large corporation to visit their offices in Krakow. I got lucky: since all the hotels were full, I had to go to a nicer one that still had rooms available (terrible, I know). My hotel room was slick; it had a mounted Android tablet that controlled the room.

It was some sort of digital concierge, with local recommendations and maps. Cool idea — but something about it just screamed: “Hack me.”

I mean, this thing was just sitting there, unlocked in every room, night after night, with a fresh set of guests touching it. And sure, it was in “kiosk mode” — but how secure could that really be?

Kiosk Mode 101 (a.k.a. Android Babysitting Mode)

For those unfamiliar: kiosk mode on Android is a lockdown mechanism, usually used on public-facing devices like info displays, check-in kiosks, or — apparently — hotel tablets. It restricts the tablet to a single app or a tightly controlled environment. No status bar, no back/home buttons, no multitasking, no app switching.

It can be set up via Android’s Screen Pinning (for light lockdowns), Lock Task Mode (for serious restrictions), or with custom device owner policies using Android Management APIs or third-party MDM software. Once it’s locked down, even turning off or rebooting the device is usually disabled — unless the vendor explicitly allows it.

But here’s the thing: no kiosk is perfect. There’s always some forgotten crack in the flow — and I was determined to find it.

First Step: Patience > Privilege Escalation

I poked around a bit but didn’t want to damage the hardware. There were no accessible buttons, ports were sealed in thick plastic, and the UI was tightly controlled. I couldn’t even reach the power menu. Holding the power button just… did nothing.

So I took the lazy approach. I unplugged the charger and left the tablet to die while I went out exploring the beautiful city of Krakow. When I came back that evening — sure enough — the screen was black. No power, no kiosk, no lock.

I pressed the power button. It booted.

Now, here’s the fun part: when you cold boot an Android tablet that’s locked into kiosk mode, there’s often a short time window — usually a few seconds (30, I believe) — before the kiosk app launches and takes over. In that moment, you can access the standard Android interface.

I was ready.

Second Step: The Factory Reset Gambit

As soon as the screen lit up, I furiously tapped through the settings menu like a caffeinated raccoon. I made it to Settings > System > Reset Options > Erase all data (factory reset) before the kiosk kicked back in.

Tablet goes dark. Boots up clean.

This was now a vanilla Android tablet. No kiosk mode. No restrictions. No hotel app. Just a blank slate, ready to be claimed.

Third Step: Remote Access, Just Because I Could

To see how far I could push it, I installed TeamViewer Host — a remote access tool that works great for unattended devices. I configured it to auto-start, linked it to my account, and granted it all the necessary permissions. Now I had remote control over the tablet, whenever I wanted, from anywhere in the world.

[Image: used TeamViewer to take a photo of myself with the tablet]

Hypothetically, I could’ve watched what future guests were doing. Maybe even ordered them some champagne through room service. (For the record: I did none of that. I was just proving a point.)

Still, the fact that a factory reset and a thirty-second window was all it took? That’s not great.

The Cleanup

Before I left, I restored the tablet to its original state (almost). Reinstalled the hotel’s app, re-enabled kiosk mode, and locked it back down like nothing ever happened. No trace, no weird error logs, nothing obvious unless someone went digging.

I reported it to the hotel directly; they had absolutely no idea what I was talking about or how to handle it.

Apparently, they didn’t expect anyone to think about battery drain as an attack vector. (Pro tip: if your device relies entirely on software security but reboots into a vulnerable state, it’s not secure.)

Lessons Learned (for Hotels and Curious Hackers Alike)

  • Kiosk mode is not a silver bullet — especially if it doesn’t persist across a factory reset.
  • Always assume guests will mess with tech, even if they’re not malicious.
  • Physical access is root access, eventually.
  • And yes, sometimes the best hacking tools are a dead battery and a nice long walk through Krakow.
  • Cover up the camera on hotel tablets (and cameras of all sorts in your room). Anyone with remote access to the tablet could access the camera as well.
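A defender-side check for the gaps this post walked through, added here as an example; it is not part of the original write-up or the hotel's configuration. It assumes the tablets are managed through the Android Management API: the field names come from that API's Policy resource, while both sample policies, the package name and the e-mail address are constructed.

```python
import json

# Constructed sample policies (not the hotel's real configuration).
# Field names are from the Android Management API Policy resource.
WEAK_POLICY = json.loads("""{
  "applications": [
    {"packageName": "com.example.concierge", "installType": "FORCE_INSTALLED"}
  ]
}""")

HARDENED_POLICY = json.loads("""{
  "applications": [
    {"packageName": "com.example.concierge", "installType": "KIOSK"}
  ],
  "factoryResetDisabled": true,
  "safeBootDisabled": true,
  "frpAdminEmails": ["it-admin@example.com"],
  "kioskCustomization": {"deviceSettings": "SETTINGS_ACCESS_BLOCKED"}
}""")


def audit_kiosk_policy(policy):
    """Return {finding_id: explanation} for gaps matching the bypass in the post."""
    findings = {}
    apps = policy.get("applications", [])
    has_kiosk_app = any(a.get("installType") == "KIOSK" for a in apps)
    if not (has_kiosk_app or policy.get("kioskCustomLauncherEnabled")):
        findings["no-kiosk-launcher"] = (
            "kiosk app is not the home activity; the stock launcher can show after boot")
    if not policy.get("factoryResetDisabled"):
        findings["factory-reset-allowed"] = "Settings can erase the device and its lockdown"
    if not policy.get("safeBootDisabled"):
        findings["safe-boot-allowed"] = "safe mode starts with third-party apps disabled"
    if not policy.get("frpAdminEmails"):
        findings["no-frp-admins"] = "a wiped device can be set up again by anyone"
    settings = policy.get("kioskCustomization", {}).get("deviceSettings")
    if settings != "SETTINGS_ACCESS_BLOCKED":
        findings["settings-reachable"] = "the Settings app is reachable from the kiosk"
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_kiosk_policy(policy) or "no findings")
```

A policy audit only covers the software side; whether the tablet re-enrolls after a wipe and how it behaves on a cold boot still has to be tested on a physical device.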

Conclusion

I didn’t root the tablet. I didn’t install a backdoor. But I absolutely could have — and that’s the point.

When people hear “hacking”, they often picture deep technical wizardry or scenes from a Hollywood thriller. But in reality, it’s usually much simpler than that. This wasn’t some zero-day exploit — it was just a dead battery, a reboot, and a few seconds of opportunity.

Most real-world security lapses come down to the basics: overlooked defaults, bad assumptions, and a false sense of “no one would ever try that”. Whether it’s bypassing kiosk mode with a factory reset, getting past a guard by being friendly, or finding passwords on sticky notes or in the trash — it’s the low-hanging fruit that gets picked most often.

After all, there’s a reason weak passwords stay in the top 10: people still use them.

Anyway, thanks for sticking around. Love you, byeeeeeeee
