June 5, 2024 at 04:44PM
Ariane Systems’ self check-in systems at hotels globally are vulnerable to a kiosk mode bypass flaw, potentially allowing unauthorized access to guests’ personal information and room keys. Despite the researcher’s attempts to alert the vendor, a proper response is pending. Hotel operators are advised to isolate the vulnerable terminals and contact the vendor for a secure version.
Based on the meeting notes, the main takeaways are:
1. The Ariane Systems self-check-in terminals installed at numerous hotels worldwide have a serious vulnerability that allows unauthorized access to guests’ personal information and the keys for other rooms.
2. A security researcher discovered that the vulnerability allows bypassing the kiosk mode on the terminals, gaining access to the underlying Windows desktop and potentially compromising customer data.
3. Despite the researcher’s efforts to alert the vendor about the issue, there has been no proper response regarding a firmware version to address the vulnerability.
4. The vulnerability could allow attacks on hotel networks and access to sensitive information such as personally identifiable information (PII), reservations, and invoices.
5. The terminals are widely used in small to medium-sized establishments, including 3,000 hotels in 25 countries with over 500,000 rooms, and are utilized by a third of the world’s top 100 hotel chains.
6. It is currently unknown which version of the application fixes the problem, how many terminals are using a vulnerable version, and which hotel chains are impacted.
7. To mitigate the risk, hotel operators are advised to isolate the self-check-in machines from the hotel network, contact the vendor for information on running a secure version, and exercise caution while using the terminals.
These takeaways can be used for further action and communication within the organization and with relevant stakeholders.