It’s common to integrate technology to increase convenience in various industries. In the hospitality industry, self check-in kiosks are one such device, providing unparalleled convenience and efficiency. However, while these devices enhance guest experiences, they can introduce serious security vulnerabilities if not properly secured.
In a recent security incident, Ibis Budget hotels in Germany and other European countries faced issues with their self check-in kiosks. These kiosks, designed to streamline the check-in process, were found to be inadvertently displaying sensitive information, allowing anyone to potentially gain unauthorized access to guest rooms. The vulnerabilities in these kiosks could be exploited by bad actors, exposing room access codes, which could lead to other dangerous consequences.
Pentagrid, a Swiss IT security assessment firm, stated that many of these self check-in kiosks could have a critical security flaw that exposed keypad codes which could be used to enter rooms. The impacted kiosks enable guests checking in at an Ibis Budget hotel to access their rooms when no staff is available. The customer enters the booking ID, and the device displays the room number and door keypad code that can be used to enter the room.
The Ibis Budget brand is owned by French hospitality giant Accor. According to the company’s website, there are 600 Ibis Budget hotels across 20 countries. While Pentagrid hackers discovered a vulnerability in the self check-in terminal present at an Ibis Budget hotel in Germany, they believe the flaw likely impacted other hotels with the self check-in kiosks as well.
Pentagrid noticed that entering a series of dashes instead of the booking ID caused the kiosk to display a list of current bookings. Tapping on a booking revealed the room number and keypad access code, which, according to Pentagrid, remain constant throughout the customer's stay at the hotel.
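The article does not say why dashes were accepted, so the following is an added defensive sketch, not the kiosk vendor's code: a lookup that only ever returns one booking, on an exact match of a well-formed ID. The booking-ID format, the surname check, the `lookup_booking` name and the sample records are all assumptions constructed for illustration.

```python
import hmac
import re

# Assumed ID format (not from the article): 8-12 uppercase letters or digits.
BOOKING_ID_RE = re.compile(r"[A-Z0-9]{8,12}")

# Constructed sample bookings; a real kiosk would query a backend service.
BOOKINGS = {
    "AB12CD34EF": {"surname": "Muster", "room": "101", "code": "493817"},
    "ZX98YW76VU": {"surname": "Example", "room": "204", "code": "275640"},
}


class LookupRejected(Exception):
    """Raised for every failed lookup; the kiosk shows one generic message."""


def lookup_booking(booking_id, surname, store=BOOKINGS):
    """Return room number and door code for exactly one booking, or raise."""
    candidate = booking_id.strip().upper()
    # Reject dashes, blanks, wildcards and anything else outside the format
    # before the value reaches any search or query logic.
    if not BOOKING_ID_RE.fullmatch(candidate):
        raise LookupRejected("no matching booking")
    # Exact key match only: no prefix, substring or pattern search, so the
    # function cannot return a list of bookings.
    record = store.get(candidate)
    expected = record["surname"] if record else ""
    # Second factor (assumption): the guest's surname, compared in constant
    # time. Unknown ID and wrong surname produce the same error.
    supplied = surname.strip().casefold().encode()
    matches = hmac.compare_digest(supplied, expected.casefold().encode())
    if record is None or not matches:
        raise LookupRejected("no matching booking")
    return {"room": record["room"], "code": record["code"]}


if __name__ == "__main__":
    print(lookup_booking("ab12cd34ef", "Muster"))
    for bad in ("------", "", "AB12CD34E%"):
        try:
            lookup_booking(bad, "Muster")
        except LookupRejected as exc:
            print(repr(bad), "->", exc)
```
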
Attackers can exploit this vulnerability in several ways.
Let’s look at it from a perspective beyond IT security. By accessing the exposed room access codes, an attacker can:
1. Physically enter guest rooms, posing a direct threat to personal safety and privacy.
2. Steal belongings from guests, leading to financial and emotional distress.
3. Manipulate the kiosk systems to gain further access to the hotel's network, potentially compromising additional systems and data.
If attackers gain access to the hotel's broader network, they can exploit other connected devices, such as security cameras, HVAC systems, and more. This interconnectedness means that a single vulnerability can cascade into a widespread security breach, affecting not just individual guests but the entire hotel infrastructure.
The dangers of ignoring security at the device level are vast and multifaceted. As this incident with hotel self check-in kiosks illustrates, the convenience brought by such devices can come at a significant cost if security is not prioritized. Beyond the hospitality industry, the implications are clear: neglecting device security can lead to severe vulnerabilities, opening the door to potentially devastating attacks. Is your entire network protected from potential cyber hackers?
Source: https://www.securityweek.com/hotel-self-check-in-kiosks-exposed-room-access-codes/