Hotel check-in terminal bug spews out access codes for guest rooms

A self-service check-in terminal used in a German Ibis budget hotel was found leaking hotel room keycodes, and the researcher behind the discovery claims the issue could potentially affect hotels around Europe.

The terminal’s security flaw could be abused by anyone, requiring no technical knowledge or specialized tooling. Realistically, an attacker could aggregate an array of room keycodes in just a few minutes – as long as it would take a regular customer to use the same machine to check in to their room.

Self-service check-in terminals can be used by hotel guests as an alternative to speaking with front desk staff, who sometimes aren’t available to serve. As well as allowing guests to check into their rooms, these terminals also offer the capability to search for information about existing bookings.

If, for example, a guest forgets their keycode, they can input their booking reference number and the terminal will present details about their booking, including their room code.

Martin Schobert at Swiss security firm Pentagrid discovered that an attacker could input a series of six consecutive dashes (------) in place of a booking reference number and the terminal would return an extensive list of room details.

“Any other sequence of dashes is accepted if it is long enough to enable the submit button,” he said. “Therefore, it is assumed that a variable length string is likely not a master code, but a bug or a not deactivated test function.”

Once the dashes were entered, the booking information displayed the cost of the booking and the valid room entry keycodes, along with the room number. It also included a timestamp, which the researchers assumed to be a check-in date – one that may indicate the length of a guest’s stay.
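The defect described above is, at its core, a lookup that treats a particular non-reference input as a match-all. The following is an added illustration, not code from Pentagrid, Accor or the terminal vendor: it contrasts a lookup with a leftover "dump everything" path of the kind Schobert speculates about against a hardened version that validates the reference format against an allowlist before touching data and returns at most one record. The booking-reference format (eight upper-case alphanumerics), the dash-length threshold and all booking data are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample bookings; not real data.
BOOKINGS = {
    "AB12CD34": {"room": 101, "keycode": "1234", "price": 79.0, "checkin": "2023-12-31"},
    "EF56GH78": {"room": 102, "keycode": "5678", "price": 129.0, "checkin": "2023-12-30"},
    "IJ90KL12": {"room": 210, "keycode": "9012", "price": 189.0, "checkin": "2023-12-31"},
}

# Assumed reference format; the real terminal's format is not known.
REFERENCE_RE = re.compile(r"^[A-Z0-9]{8}$")

# Assumed: the submit button becomes active once the field holds six characters.
MIN_SUBMIT_LEN = 6


def lookup_vulnerable(reference: str) -> list:
    """Models the class of bug the article describes: a debugging/test path
    that was never removed. Any run of dashes long enough to enable the submit
    button dumps every booking. Shape is assumed, not the terminal's code."""
    if len(reference) >= MIN_SUBMIT_LEN and set(reference) == {"-"}:
        return list(BOOKINGS.values())          # the leak: full enumeration
    booking = BOOKINGS.get(reference)
    return [booking] if booking else []


def lookup_hardened(reference: str) -> Optional[dict]:
    """Allowlist the input format first, then do an exact-match lookup.
    There is no code path that can return more than one booking."""
    normalized = reference.strip().upper()
    if not REFERENCE_RE.fullmatch(normalized):
        return None                             # reject; never fall through to data
    return BOOKINGS.get(normalized)             # exactly one record or nothing


def max_records_returned(lookup, probes) -> int:
    """Invariant check a reviewer can run against any lookup function:
    the largest number of bookings a single query can return."""
    worst = 0
    for probe in probes:
        result = lookup(probe)
        count = len(result) if isinstance(result, list) else (1 if result else 0)
        worst = max(worst, count)
    return worst


# Probe set: valid references plus the non-reference inputs from the article.
PROBES = ["AB12CD34", "ab12cd34", "---", "------", "--------", "' OR 1=1", ""]

if __name__ == "__main__":
    print("vulnerable worst case:", max_records_returned(lookup_vulnerable, PROBES))
    print("hardened worst case:  ", max_records_returned(lookup_hardened, PROBES))
```

The invariant check is the useful part for a defender: run it over a fuzzed set of non-reference inputs and require that no single query ever yields more than one booking. A separate variable-length "code" that unlocks extra behaviour, as Schobert notes, is a tell-tale sign of a test hook rather than a deliberate master code.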

The issue was discovered accidentally while using a terminal in the Hamburg Altona Ibis Budget hotel after Schobert attended a cybersecurity convention in the city. He was able to retrieve the details of 87 bookings; the hotel offers 180 rooms. It’s not clear whether the bug returned fewer than the full set of bookings, or whether only 87 bookings were valid at that time.

Even without the exploit using a series of dashes, Schobert said valid booking references could be found on discarded printouts, necessitating greater security controls embedded in the terminals.

It isn’t difficult to imagine the potential consequences of this issue falling into the wrong hands. Being able to retrieve keycodes can lead to thefts, of course, and an attacker being able to target rooms by price could lead them to single out the wealthiest guests for potentially the biggest rewards.

Away from just theft, there also exists the potential for abuse by stalkers and other creeps, jeopardizing the personal safety of guests.

It can all be carried out within seconds too, we’re told, and any attacker could do this without arousing suspicion from onlookers since it seems like normal user activity. Schobert published a video showing it happening in real time, to show how simple exploiting the bug was.

While Schobert said he doesn’t know for sure if it could be replicated at other sites, he said other hotels around Europe “are likely affected as well.”

It should be said, however, there’s no evidence to suggest this was actually exploited in the real world.

Accor Security, the security arm of Accor, which owns the Ibis Budget chain, tested the issue and was able to reproduce it, then developed and deployed a software fix to all affected terminals in under a month.

The issue was first discovered on December 31, 2023, and was fixed on January 26, Pentagrid’s disclosure timeline showed.

Accor was approached by El Reg for additional comment but it didn’t immediately respond.

Hotel hell

It hasn’t been a great few weeks for hotel security. Two weeks ago we took a look at the vulnerabilities, together dubbed by researchers as “Unsaflok,” that left around 3 million hotel doors vulnerable to unauthorized access.

Saflok MT and Saflok RT Plus are the two most commonly deployed models of keycard lock affected by the vulnerabilities, made by Swiss firm dormakaba.

Unlike the issues at Accor, these were trickier to exploit, but also not outside the realms of possibility. An attacker would need a valid or expired hotel keycard, and two blank ones that can be purchased online – one to reset the lock data and another to open it.

It could all be achieved using legal, freely available kit such as a Flipper Zero or an NFC-capable Android phone.

As of two weeks ago, a fix was developed but it is taking a while to deploy worldwide – only 36 percent of locks were fixed at the time of writing.

We also reported earlier this week that Omni Hotels was experiencing some pretty major IT issues, which initially downed systems responsible for bookings, payments, and door locks, but is now again accepting reservations.

As of Wednesday, the company’s phone lines were also down, reading a pre-recorded message referring to technical difficulties. At least the bars were still open across its sites, even if there was no Wi-Fi. ®

Originally published by Connor Jones: Hotel check-in terminal bug spews out access codes for guest rooms

Reposted by admin on 7 April 2024 at 21:05.