GUESTS AT HUNDREDS of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems.
The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.
The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices and would allow them to copy configuration and other files from the devices’ file system or, more significantly, write any other file to them, including ones that could be used to infect the computers of Wi-Fi users.
The researchers found 277 of the devices in 29 countries that are accessible over the internet, though there may be many others that they weren’t able to uncover over the internet because they’re protected behind a firewall. Devices behind a firewall, however, would still presumably be vulnerable to the same malicious activity by anyone who gets on the hotel’s network.
Of the 277 vulnerable devices accessible over the internet, the researchers found more than 100 of them were at locations in the US. But they also found 35 vulnerable systems in Singapore, 16 in the UK, and 11 in the United Arab Emirates.
The vulnerable systems were found primarily at hotel chains, but the researchers also found some convention centers with internet-accessible vulnerable routers. They also found that a top data center company uses an InnGate device to manage guest Wi-Fi at several of its locations in the Asia Pacific.
The InnGate devices function as a gateway for hotels and convention centers to provide guests with internet access. But Justin Clarke, a researcher with Cylance’s new SPEAR (Sophisticated Penetration Exploitation and Research) team, says the devices are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains data profiles about guests. Clarke says they found a number of hotels where the InnGate was configured to communicate with a PMS. This presents additional security risks in itself, allowing an attacker to potentially identify guests and upcoming guests at a hotel and learn their room number. But PMSes are often, in turn, integrated with a hotel’s phone system, point-of-sale system for processing credit card transactions, and the electronic keycard system that controls access to guest rooms. This would potentially give an attacker a gateway to access and exploit these systems as well.
“In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself,” the researchers write in a blog post published today, which they shared with WIRED in advance.
The property management systems that were used in the vulnerable hotels Cylance examined include ones made by Micros Fidelio, FCS, Galaxy, and Prologic.
Oracle purchased Micros Fidelio last year and now markets its PMS as the Opera Property Management System. According to Oracle’s web site, the Opera PMS “provides all the tools a hotel staff needs for doing their day-to-day jobs—handling reservations, checking guests in and out, assigning rooms and managing room inventory, accommodating the needs of in-house guests, and handling accounting and billing.” But, the site notes, the system also includes interfaces to connect the PMS to “hundreds of third-party hospitality systems” including telephone and electronic switching and key lock systems.
Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system resulted in the assassination of a high-ranking Hamas official in a Dubai hotel in 2011. In that case the assassins, believed to be Israeli Mossad agents, reprogrammed the electronic lock on their victim’s hotel room door to gain entry while he was out of the room and lie in wait for him to return. It’s not known exactly how the attackers compromised that key system.
How the Hotel Vuln Works
The vulnerability lies in an unauthenticated rsync daemon used by the ANTlabs devices. The rsync daemon is a tool often used to back up systems, since it can be set up to automatically copy files or new parts of files from one location to another. Although the daemon can be password-protected, the ANTlabs device that uses it requires no authentication.
As a result, once an attacker has connected to the rsync daemon, “they are then able to read and write to the file system of the Linux based operating system without restriction,” the researchers write in their blog post. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do… Once full file system access is obtained, the endpoint is at the mercy of the attacker.”