News recently broke that business travelers at hundreds of hotels have been unwittingly putting their digital security at risk, largely because some hotel chains rely on routers with surprisingly significant vulnerabilities. Researchers from the security firm Cylance discovered that an attacker could distribute malware to guests, monitor and record data sent over hotel networks, or, most chillingly, gain access to a hotel’s keycard systems.
The security flaw allegedly stems from an authentication vulnerability in the firmware of routers made by ANTlabs, a Singapore firm whose products are already installed in hotels in the US, Europe and beyond. Cylance researchers were able to gain direct access to the root file system of ANTlabs devices, allowing them to copy configuration files from the device file system and to write any other file to it, including malware scripts that could be used to infect the computers of Wi-Fi users who logged into these networks.
The researchers announced that 277 of the devices in 29 countries are accessible over the internet, and that many more could not be found that way because they are protected behind a firewall. A firewall would not enhance the security of hotel guests, however, if a hacker were logged into the hotel Wi-Fi network locally.
Justin Clarke, a researcher with Cylance’s new SPEAR (Sophisticated Penetration Exploitation and Research) team, said the devices are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains guest data profiles. “In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself,” the researchers explained in a blog post published about the incident.
Beyond the risk from nefarious groups of civilians and hackers who want access to credit cards or other sensitive financial data, these security flaws also represent another way for governmental agencies to track people and constrain travel. In fact, one of the most famous cases of subverting a hotel’s electronic key system resulted in the assassination of a Hamas official in Dubai during 2011. In that case assassins, believed to be Israeli Mossad agents, reprogrammed the door lock of his hotel room. While it is still not known exactly how the attackers compromised that key system, this news of rampant vulnerability across hotel Wi-Fi networks shows plainly that hotel security on a digital level needs to be amped up quite a bit if guests are ever to feel secure in their sleep.