Hotel Check-in Kiosks Expose Guest Data, Room Keys

June 7, 2024 at 12:59PM

A software vulnerability in Ariane Systems’ kiosk platform (CVE-2024-37364, CVSS 3.0 score 6.8) allows attackers to access hotel guests’ personal data stored in check-in terminals. The exploit bypasses kiosk mode, enabling access to reservations, invoices, PII, and the ability to create room keys. The manufacturer has released a fix, emphasizing the importance of regular patching and network isolation for IoT devices.

The meeting notes give a detailed account of a software vulnerability in Ariane Systems’ kiosk platform that allows attackers to access the personal data of hotel guests. The vulnerability is a bypass flaw in kiosk mode: once kiosk mode is escaped, a malicious actor can reach locally stored reservations, invoices, and personally identifiable information (PII), and can create room keys for other hotel rooms.

The impact of this exploit could be extensive, given that Ariane describes itself as a leading provider of self-check-in and check-out solutions for the hotel industry, with over 3,000 installations worldwide. The meeting also noted security experts’ recommendations for preventing and addressing such vulnerabilities: physical monitoring of the terminals, antivirus surveillance, restricting network access to only the machines and ports the kiosk requires, and updating the kiosk software to the latest version to close the flaw.

The notes also highlighted the risks that follow from unauthorized access to a hotel check-in terminal: lateral movement to other systems on the same network, installation of data-capturing applications on the kiosk, and access to the broader hotel network. The manufacturer stated that the vulnerability is fixed in a new version of the Allegro Scenario Player and recommended that hotel operators ensure every check-in terminal runs the latest version to fully address the flaw. More generally, organizations should patch IoT devices regularly, implement network isolation, and keep an incident response plan in place so that any breach can be handled promptly.

Overall, the meeting notes provide a comprehensive overview of the vulnerability in Ariane Systems’ kiosk platform and of the steps needed to remediate it and prevent similar exploits.
