Guest Wi-Fi Flaw Endangers Devices, Full Hotel Networks

Guests at hundreds of hotels around the world are susceptible to hackers because of routers that many hotel chains depend on for their Wi-Fi networks.

Researchers have discovered an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.

An exploit could cause extensive damage. It would allow an attacker to distribute malware to guests, monitor and record data sent over the network (like credit card information). Also, the perpetrator could possibly gain access to the hotel’s reservation and keycard systems.

“If you’ve ever used Wi-Fi in a hotel, you’re familiar with these types of devices as they are typically tied to a specific room number for billing purposes,” said Cylance researcher Brian Wallace, in an advisory.

There’s also danger for the hotel itself. He added, “In some cases, we observed InnGate devices that were integrated into Property Management Systems (PMS). In cases where an InnGate device stores credentials to the PMS, an attacker could potentially gain full access to the PMS itself.” This might be the reason why businesses like cafes and restaurants prefer signing up for specialized guest wifi services from providers like Hownd or the ones like them. They can set up access points that can create a separate guest WiFi network. It can provide a more curated WiFi experience for guests and enhance the security of the business network. The access points may also function as guest wifi marketing tools for the business by offering free Wi-Fi. Whenever a guest accesses the free wifi, the hotel can collect their email address and send them personalized offers to encourage them to return.

That said, Wallace also points out that the amount of information that can be compromised is rather breathtaking: PMS systems automate hotel functions like guest bookings, guest details, online reservations, point of sale, telephone, accounts receivable, sales and marketing, banquets, food and beverage costing, materials management, HR and payroll, maintenance management, quality management and other amenities. It can naturally be said that such an extensive system requires an immense amount of bandwidth, and so a wifi assessment may often be used to determine the layout of such a vast network connecting a plethora of devices across the hotel’s structure. With this in mind, the most crucial step becomes the security of this network as well as the systems/devices connected to it.

Hotel property management systems may interface with central reservation systems and revenue or yield management systems, front office, back office, point of sale, door-locking, housekeeping optimization, pay-TV, energy management, payment card authorization and channel management systems.

The news gets worse. While a vulnerability that allows for full file-system access that can easily lead to a complete compromise of the system would logically need an advanced exploit, this unfortunately is not the case.

In actuality, any *nix system which has the rsync command available is capable of exploiting this vulnerability in just a few keystrokes.

“Remote access is obtained through an unauthenticated rsync daemon running on TCP 873,” said Wallace. “Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux-based operating system without restriction.”

He added, “Once full file system access is obtained, the endpoint is at the mercy of the attacker.”

Cylance uncovered vulnerable devices in 29 countries including the United States, Cuba, Australia and Italy. ANTLabs said that it is releasing a patch, which should be applied immediately. Wallace said that the vulnerability can also be mitigated by blocking the unauthenticated RSYNC process from internet access, a simple inbound TCP-DENY on port 873 on the upstream network device from the affected InnGate device.