Hotel Check-in Kiosks Expose Guest Data, Room Keys

Published: 23/11/2024   Category: security




CVE-2024-37364 affects hospitality kiosks from Ariane Systems, which are used for self-check-in at more than 3,000 hotels worldwide.



A software vulnerability in the Ariane Systems kiosk platform allows attackers to access the personal data of hotel guests through check-in terminals that run the software.
Through a kiosk mode bypass flaw (CVE-2024-37364, CVSS 3.0 score 6.8), malicious actors could access locally stored reservations and invoices as well as personally identifiable information (PII), according to Pentagrid security researcher Martin Schobert, who discovered the vulnerability in March.
Vulnerable terminals running Ariane Allegro Scenario Player could also potentially be used to create room keys for other hotel rooms, because the ability to write the RFID transponders used as keycards is built into the check-in terminals, he warned in a blog post this week.
The impact could be wide-ranging: On its website, Ariane claims to be the world's leading provider of self-check-in and -out solutions for the hotel industry, with more than 3,000 installations.
The software enables guests to check in and book rooms at the hotel. Hotel guests can use it to search for existing reservations by entering their surname or a booking number.
However, if a single quote is entered when searching for a name, the application hangs.
When the terminal's screen is touched again, Windows asks the user whether it should keep waiting for the program or end the task, Schobert wrote.
Ending the task also ends the software's kiosk mode, giving the user access to the system's Windows desktop, with the ability to execute code, and to the data stored there and the network.
“With the ability to inject and execute program code, it seems possible to get room keys created for other rooms because the functionality of provisioning RFID transponders is implemented in the terminal,” he continued.
He noted that an attacker needs physical access to a check-in terminal to carry out an attack and, depending on the threat actor's preparation, some time at the terminal. That means incidents can be prevented with proper physical monitoring.
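The bypass Schobert describes leaves two traces on the terminal itself: Windows writes an Application Hang event (Event ID 1002, Application log) when a user ends a not-responding program from that dialog, and, if process-creation auditing is enabled, a Security event 4688 when a desktop or shell binary is started afterwards. The PowerShell below correlates the two. It is an added example, not code from Ariane, Pentagrid or Dark Reading; the kiosk image name, host and user names and the ten-minute window are assumptions, and the event records are constructed inline (flattened to the few fields the rule needs) so it runs without a kiosk. A production version would build the same records from Get-WinEvent output.

```powershell
# Added example (not Ariane's or Pentagrid's code). Flags a kiosk that logged an
# Application Hang (Event ID 1002) for the check-in application and then started a
# desktop/shell binary (Security 4688) within a short window, which is what ending
# the hung kiosk app from the Windows "not responding" dialog would look like.

# Constructed sample records, flattened to the fields the rule needs. In production,
# build these from Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1002}
# and @{LogName='Security'; Id=4688}, taking Process/User from each event's Properties.
# Host names, user names and the image name are assumptions.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-11-23T14:02:10'; Id = 1002; Host = 'KIOSK-LOBBY-01'; Process = 'AllegroScenarioPlayer.exe';  User = 'KIOSK-LOBBY-01\kiosk' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-11-23T14:02:55'; Id = 4688; Host = 'KIOSK-LOBBY-01'; Process = 'C:\Windows\explorer.exe';     User = 'KIOSK-LOBBY-01\kiosk' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-11-23T14:03:20'; Id = 4688; Host = 'KIOSK-LOBBY-01'; Process = 'C:\Windows\System32\cmd.exe'; User = 'KIOSK-LOBBY-01\kiosk' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-11-23T09:15:00'; Id = 4688; Host = 'KIOSK-LOBBY-02'; Process = 'C:\Windows\explorer.exe';     User = 'HOTEL\svc-maint' }       # maintenance login, no hang before it
    [pscustomobject]@{ TimeCreated = [datetime]'2024-11-22T18:40:00'; Id = 1002; Host = 'KIOSK-LOBBY-03'; Process = 'AllegroScenarioPlayer.exe';  User = 'KIOSK-LOBBY-03\kiosk' }  # hang with nothing after it
)

function Find-KioskBypass {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string]   $KioskProcess  = 'AllegroScenarioPlayer.exe',   # ASSUMED image name of the kiosk app
        [string[]] $ShellBinaries = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'taskmgr.exe', 'regedit.exe'),
        [int]      $WindowMinutes = 10                              # assumed correlation window
    )
    # Every hang of the kiosk app is a candidate; only those followed by a shell on the
    # same host inside the window are reported.
    $hangs = $Events | Where-Object { $_.Id -eq 1002 -and $_.Process -ieq $KioskProcess }
    foreach ($hang in $hangs) {
        $deadline = $hang.TimeCreated.AddMinutes($WindowMinutes)
        $followOn = @($Events | Where-Object {
            $_.Id -eq 4688 -and
            $_.Host -eq $hang.Host -and
            $_.TimeCreated -ge $hang.TimeCreated -and $_.TimeCreated -le $deadline -and
            $ShellBinaries -contains (Split-Path -Leaf $_.Process)
        })
        if ($followOn.Count -gt 0) {
            [pscustomobject]@{
                Host      = $hang.Host
                HangAt    = $hang.TimeCreated
                User      = $hang.User
                Processes = ($followOn | ForEach-Object { Split-Path -Leaf $_.Process }) -join ', '
            }
        }
    }
}

# On the sample data this reports exactly one host: KIOSK-LOBBY-01 (explorer.exe, cmd.exe).
Find-KioskBypass -Events $SampleEvents | Format-Table -AutoSize
```

The rule deliberately keys on the hang event rather than on the shell alone, because a technician legitimately opens explorer.exe on kiosks during maintenance (KIOSK-LOBBY-02 above); a hang of the check-in application with nothing after it (KIOSK-LOBBY-03) is worth a ticket but not an alert. Event 4688 is only written when "Audit Process Creation" is enabled on the terminals, so that policy, and forwarding of both logs off the kiosk, is a prerequisite.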
John Bambenek, president at Bambenek Consulting, recommends that these kiosks should always be in highly visible areas with antivirus surveillance, and says anything except the touchscreen should be inaccessible to the public.
These devices probably cannot be completely isolated from the main hotel network, as part of the point is to issue keys and handle room management, he notes. However, the devices should be limited to communicating only with the required machines and ports, with everything else filtered.
John Gallagher, vice president of Viakoo Labs at Viakoo, says providing unauthorized access to data contained within a hotel check-in terminal gives rise to multiple risks.
These include knowing the details of someone's stay and whether a room is occupied or not, potential lateral movement to systems on the same network, and data-capturing applications being put onto the kiosk, he explains.
He adds that if access to the kiosk can also provide access to the broader hotel network, it would provide the attacker with much more data.
“The situation I would be most concerned about is if I could see someone using the self-check-in terminal, then follow them in using it, crash the Ariane application, get access to the last guest's check-in information, print a new RFID card, then have access to that person's room,” Gallagher explains.
Ariane told Pentagrid that the vulnerability had been fixed in a new version of the Allegro Scenario Player, and that the terminal examined by Schobert was a legacy system.
However, according to the researcher, the manufacturer did not disclose the exact version in which the problem was patched.
According to Schobert, the system he investigated was an Ariane Duo 6000 series terminal. But Adam Neel, senior threat detection engineer at Critical Start, says hotel operators must ensure all check-in terminals are running the latest version of the Ariane Allegro Scenario Player to fully address the software flaw.
Meanwhile, Neel notes that in general, organizations should make sure that all Internet of Things (IoT) devices are patched with the latest security updates, an often-overlooked area for IT teams.
Beyond regular patching, implementing network isolation by placing terminals on a separate VLAN or network segment from critical systems is also crucial, he adds. And finally, having an incident response plan in place is essential for quickly addressing any security breaches.
