Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems.

The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.

The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices and would allow them to copy configuration and other files from the devices' file system or, more significantly, write any other file to them, including ones that could be used to infect the computers of Wi-Fi users.

The researchers found 277 of the devices in 29 countries that are accessible over the internet, though there may be many others that they weren't able to uncover over the internet because they're protected behind a firewall. Devices behind a firewall, however, would still presumably be vulnerable to the same malicious activity by anyone who gets on the hotel's network.

Of the 277 vulnerable devices accessible over the internet, the researchers found more than 100 of them were at locations in the US. But they also found 35 vulnerable systems in Singapore, 16 in the UK, and 11 in the United Arab Emirates.

The researchers uncovered vulnerable systems at hotels belonging to eight of the world’s top 10 hotel chains.

The vulnerable systems were found primarily at hotel chains, but the researchers also found some convention centers with internet-accessible vulnerable routers. They also found that a top data center company uses an InnGate device to manage guest Wi-Fi at several of its locations in the Asia Pacific.

The InnGate devices function as a gateway for hotels and convention centers to provide guests with internet access. But Justin Clarke, a researcher with Cylance's new SPEAR (Sophisticated Penetration Exploitation and Research) team, says the devices are often also connected to a hotel's property management system, the core software that runs reservation systems and maintains data profiles about guests. Clarke says they found a number of hotels where the InnGate was configured to communicate with a PMS. This presents additional security risks in itself, allowing an attacker to potentially identify guests and upcoming guests at a hotel and learn their room number. But PMSes are often, in turn, integrated with a hotel's phone system, point-of-sale system for processing credit card transactions, and the electronic keycard system that controls access to guest rooms. This would potentially give an attacker a gateway to access and exploit these systems as well.

"In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself," the researchers write in a blog post published today, which they shared with WIRED in advance.

The property management systems that were used in the vulnerable hotels Cylance examined include ones made by Micros Fidelio, FCS, Galaxy, and Prologic.

Oracle purchased Micros Fidelio last year and now markets its PMS as the Opera Property Management System. According to Oracle's web site, the Opera PMS "provides all the tools a hotel staff needs for doing their day-to-day jobs—handling reservations, checking guests in and out, assigning rooms and managing room inventory, accommodating the needs of in-house guests, and handling accounting and billing." But, the site notes, the system also includes interfaces to connect the PMS to "hundreds of third-party hospitality systems" including telephone and electronic switching and key lock systems.

One of the most famous cases of subverting a hotel’s electronic key system resulted in the assassination of a Hamas official in Dubai in 2011.

Gaining access to a guest room through a compromised key lock system wouldn't just be of interest to thieves. One of the most famous cases involving the subversion of a hotel's electronic key system resulted in the assassination of a high-ranking Hamas official in a Dubai hotel in 2011. In that case the assassins, believed to be Israeli Mossad agents, reprogrammed the electronic lock on their victim's hotel room door to gain entry while he was out of the room and lie in wait for him to return. It's not known exactly how the attackers compromised that key system.

How the Hotel Vuln Works

The vulnerability lies in an unauthenticated rsync daemon used by the ANTlabs devices. The Rsync daemon is a tool often used to backup systems since it can be set up to automatically copy files or new parts of files from one location to another. Although the daemon can be password-protected, the ANTlabs device that uses it requires no authentication.

As a result, once an attacker has connected to the rsync daemon, "they are then able to read and write to the file system of the Linux based operating system without restriction," the researchers write in their blog post. "Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do… Once full file system access is obtained, the endpoint is at the mercy of the attacker."

The vulnerability requires little sophistication to exploit at its most basic level to infect users with malware or sniff unencrypted traffic. But "a slightly more sophisticated attacker," they note, "could use a tool such as SSLStrip in order to attempt to downgrade the transport layer encryption in order to increase the amount of plaintext credentials gathered."

Clarke discovered the vulnerable systems by accident one night. While taking a break from another project he was working on, he glanced at the results of an internet-wide scan his company had conducted using a new script to look for rsync routers. Among the IP addresses the scan uncovered was one pointing to an ANTlabs device. Curious about what it was, Clarke ran a command to see if he could view the file directory and discovered that he could access the entire file system and write to it. A subsequent scan of the internet uncovered more than 100 other ANTLabs systems, all similarly open and vulnerable.

His team eventually uncovered vulnerable systems at hotels belonging to eight of the world's top 10 hotel chains. Cylance won't name the companies, but many lists ranking the world's top hotel chains can be found online and generally include the following: Intercontinental Hotel Group, Marriott, Hilton, Wyndham Hotel Group, Choice Hotel International, Accor, Starwood Hotels and Resorts, Best Western, Shanghai Jin Jiang International Hotels, and Home Inns, an economy chain based in China.

"In the case of eight of the top 10 hotel chains, we have verified that at least one of their hotels is running a vulnerable device," says Clarke, though he notes they found no instance where every hotel in a chain was vulnerable and accessible via the internet. He assumes this means that hotel chains generally use different network router brands at each of their hotel sites or that they have them configured securely in some cases behind a firewall, making them invisible to an internet scan.

The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel, the attackers conducted a surgical strike against specific guests staying at five-star hotels in Asia and the US by subverting the guest Wi-Fi system.

When victims attempted to connect to the Wi-Fi network, they got a pop-up alert telling them their Adobe Flash player needed an update, and offering them a file to download that contained malicious code. Kaspersky never learned how the attackers got onto the hotel servers to serve up their malware. Although they appeared to have ongoing persistent access to the networks—the attacks would occur in spurts with the attackers gaining access to install their malware on a network at a particular time, then erasing all evidence and leaving after the targeted victims had been hit—there were no signs of a backdoor found on the hotel networks that would have given them ongoing access.

The Cylance researchers don't know if the hotels targeted in the DarkHotel attack are the same ones they found using vulnerable InnGate systems, but the vulnerability they uncovered could be used to conduct this kind of attack.

The researchers have contacted a number of the hotels they were able to identify as using a vulnerable InnGate device, and also reported their findings to ANTlabs and the US Computer Emergency Readiness Team. ANTlabs has produced a patch, which it is releasing today in conjunction with an alert about the vulnerability being issued by US-CERT.