Some major hotel wifi networks are real sieves
Researchers from security company Cylance have discovered that some internet gateways currently used by hotels and conference centres were real sieves. In fact, malicious users could easily launch various types of attack on customers accessing the wifi networks of these establishments, Le Monde Informatique reports. According to the researchers, the equipment concerned, which is used to manage visitor networks in both budget hotels and luxury hotels throughout the world are made by a company called ANTlabs. On several ANTLabs InnGate models the rsync service is wrongly configured: it listens on TCP port 873 and allows non-authenticated attackers full read-write access to the equipment’s file system.
Rsync is a utility used to synchronise the files and directories between Linux systems, and it thus comprises download and file copying functions. The tool takes charge of authentication and can be limited to specific directories. However, on the ANTLabs InnGate equipment concerned, it has been configured insecurely by default. “When an attacker gains full read and write access to a Linux file system, it’s trivial to then turn that into remote code execution”, Cylance researcher Brian Wallace states in a blog post. “The attacker could upload a backdoored version of nearly any executable on the system and then gain execution control, or simply add an additional user with root level access and a password known to the attacker. Once full file system access is obtained, the endpoint is at the mercy of the attacker.” Last Thursday ANTlabs supplied patches to repair the fault, which has the reference CVE-2015-0932. Patches are available for the following models: IG 3100 and 3101, InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series and 3.10 E-Series and InnGate 3.01 G-Series and 3.10 G-Series.
The hotel’s activities are also compromised
Hotel networks are a good target for so-called hackers. In November 2014 Kaspersky Lab researchers warned of the activity of a group of cyber spies baptised DarkHotel. The group infiltrated the networks of several luxury hotels to target company bosses and entrepreneurs travelling in the Asia-Pacific region. The InnGate vulnerability could allow hackers to launch attacks against the wifi networks for use by hotel customers, like those carried out by the DarkHotel group. If this were so, the attackers could monitor traffic to steal sensitive information: they could replace the files that users were downloading from the internet on the fly with malicious files; they could eliminate SSL encryption or reduce security and much more. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do”, Wallace writes.
In some instances the fault doesn’t only expose customers, but all of the hotel’s activities too. Cylance’s researchers mention environments in which InnGate equipment has been integrated into PMS systems used to manage several aspects of hotel operations, such as reservations, sales, planning, personnel, payroll, maintenance, inventory management and so on. Cylance has identified 277 InnGate items of equipment that can be attacked straight from the internet in 29 countries, with the greatest number of exposed gateways in the USA. “Listing those vulnerable devices at this time would be irresponsible and could result in a compromise of those networks,” Wallace stated. “Take it from us that this issue affects hotels brands all up and down the spectrum of cost, from places we’ve never heard of to places that cost more per night than most apartments cost to rent for a month.”