A security researcher claims that an internet gateway used by hundreds of hotels to provide and manage their guests' Wi-Fi networks has vulnerabilities that could put those guests' personal information at risk.
Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hard-coded passwords that are "extremely easy to guess." With these passwords, which we do not publish, an attacker could remotely access the gateway's settings and databases, which store records on the guests using the Wi-Fi. With that access, an attacker could read and exfiltrate guest records, or reconfigure the gateway's network settings to redirect unsuspecting guests to malicious web pages, he said.
In 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He discovered that the gateway was syncing files from another server on the Internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored “millions” of guest names, email addresses, and arrival and departure dates, he said.
Mohsin reported the bug and the server was secured, but it raised a question: could this gateway have other vulnerabilities that endanger hundreds of other hotels?
In the end, the researcher uncovered five vulnerabilities that he said could compromise the gateway and the guest information it holds. A screenshot he shared with TechCrunch showed a hotel's vulnerable gateway admin interface revealing a guest's name, room number, and email address.
Mohsin reported the newly discovered set of flaws to Airangel, but months have passed and the UK-based networking equipment maker still hasn't fixed the bugs. A representative told Mohsin that the company has not sold the device since 2018 and that it is no longer supported.
But Mohsin said the device is still widely used by hotels, shopping malls and convention centers around the world. Internet scans show more than 600 gateways reachable from the Internet alone, although the actual number of vulnerable devices is likely higher. Most of the affected hotels are in the UK, Germany, Russia and the Middle East, he said.
“Given the level of access that this chain of vulnerabilities provides to attackers, there is apparently no limit to what they can do,” Mohsin told TechCrunch.
Mohsin presented his findings at the @Hack conference in Saudi Arabia last month. Airangel did not respond to a request for comment.