Guest Wi-Fi Flaw Endangers Devices, Full Hotel Networks

Guests at hundreds of hotels around the world are susceptible to hackers because of routers that many hotel chains depend on for their Wi-Fi networks.

Researchers have discovered an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.

An exploit could cause extensive damage. It would allow an attacker to distribute malware to guests, monitor and record data sent over the network (like credit card information). Also, the perpetrator could possibly gain access to the hotel’s reservation and keycard systems.

“If you’ve ever used Wi-Fi in a hotel, you’re familiar with these types of devices as they are typically tied to a specific room number for billing purposes,” said Cylance researcher Brian Wallace, in an advisory.

There’s also danger for the hotel itself. He added, “In some cases, we observed InnGate devices that were integrated into Property Management Systems (PMS). In cases where an InnGate device stores credentials to the PMS, an attacker could potentially gain full access to the PMS itself.”

As Wallace points out, the amount of information that can be compromised is rather breathtaking: PMS systems automate hotel functions like guest bookings, guest details, online reservations, point of sale, telephone, accounts receivable, sales and marketing, banquets, food and beverage costing, materials management, HR and payroll, maintenance management, quality management and other amenities.

Hotel property management systems may interface with central reservation systems and revenue or yield management systems, front office, back office, point of sale, door-locking, housekeeping optimization, pay-TV, energy management, payment card authorization and channel management systems.

The news gets worse. While a vulnerability that allows for full file-system access that can easily lead to a complete compromise of the system would logically need an advanced exploit, this unfortunately is not the case.

In actuality, any *nix system which has the rsync command available is capable of exploiting this vulnerability in just a few keystrokes.

“Remote access is obtained through an unauthenticated rsync daemon running on TCP 873,” said Wallace. “Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux-based operating system without restriction.”

He added, “Once full file system access is obtained, the endpoint is at the mercy of the attacker.”

Cylance uncovered vulnerable devices in 29 countries including the United States, Cuba, Australia and Italy. ANTLabs said that it is releasing a patch, which should be applied immediately. Wallace said that the vulnerability can also be mitigated by blocking the unauthenticated RSYNC process from internet access, a simple inbound TCP-DENY on port 873 on the upstream network device from the affected InnGate device.