Security Flaws Found in a Popular Guest Wi-Fi System Used in Hundreds of Hotels

A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk. From a report: Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are "extremely easy to guess." With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway's settings and databases, which store records about the guest's using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway's networking settings to unwittingly redirect guests to malicious webpages, he said. Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored "millions" of guest names, email addresses and arrival and departure dates, he said. Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk? In the end, the security researcher found five vulnerabilities that he said could compromise the gateway -- including guests' information.

Re:

[genixia]

That won't save you. your personal information was already used to give you the right to login to their WIFI. Your choice to use it or not will have no bearing on your vulnerability there.

Re:

[WankerWeasel]

That's correct. All guests are automatically fed into this system so they CAN access the hotel wifi. Even if you choose not to use it, your details are still sync'd with the systems and still vulnerable. Even if you don't bring any connected devices with you, your data is still shared with that system.

Re: Always use your smartphone as a hotspot.

[simpz]

People always say don't use guest WiFi. This isn't 2010, what service are you using on your smartphone/laptop that isn't SSL? Should be fine now.

Oh, NO!

[jddj]

Say it ain't SO!

color me surprised

[jmccue]

If you are not using a VPN at a hotel, you are at risk anyway. So this is just a candle on the cake, it will not put you any mre at risk then you already are.

Re:color me surprised

[jonbryce]

If the vulnerability is your billing details, which presumably it uses to decide whether or not to allow access to the wifi, then a VPN isn't going to help.

Re:

[WankerWeasel]

Correct. Even if you're using VPN in a hotel with this issue, your billing details like name, date of stay, etc are all still vulnerable. VPN doesn't help in this case, as it's not about protecting your own traffic but rather the system you're connecting to.

Not traffic, Hotel's Database.

[DrYak]

This vulnerability isn't about your traffic being snooped in case YOU connect to it.

This vulnerability is about an attacker loggin into a hotel's gateway as an admin, and using that admin to dump the "users allowed to connect" database.

Even if YOU in particular didn't connect to the Wifi, because you're savvy and using a combination of your own smartphone in Wifi Access Point mode, with an extra layer of Tor on top for added obfuscation and never touch a Hotel Wifi, the hotel's reception desk would still ha

search the database for politicians names

[FeelGood314]

See who is violating lock downs and who is visiting their mistresses. More seriously why is this being stored and is it not breaking data storage laws? Every company I have worked at treats customer data like toxic waste. We create as little of it as possible and dispose of as much as we can as soon as we are done with it.

Re:

[PPH]

Not checking in to hotels using an alias? NGMI.

hourly hotels don't log guests

[Joe_Dragon]

hourly hotels don't log guests

just have an click through

[Joe_Dragon]

just have an click through with no user id / hotel room number.

Last time at MGM they had that and wifi was free for all

Usually I stick with

[wakeboarder]

my cell provider and use the hot spot. Less chance of things going wrong.

Re:

[PPH]

my cell provider

Are you certain that it's really your cell provider [slashdot.org] that you are dealing with? Cops aren't the only ones buying this tech.

Re:

[wakeboarder]

I don't do anything to get on the 'radar' of the police so I don't think they'd be targeting me with a stingray. If they did, they usually look for location and they'd know that I was at the hotel.

Re:

[PPH]

Lots of people other than the police have these. They're not looking for you to do illegal stuff. Just type in your banking details.

Not surprising

[dogsbreath]

Airangel inherited the HSMX gateway [airangel.com] when they bought "fdxtended". Since these security flaws were revealed they are recommending the HSMX devices be shut down and customers should move to the new product where they will be safe. That was them, not us; our stuff is good. In fairness, the gateway hit end of support a year ago so I guess you don't get what you don't pay for.

Like a lot of devices including most home gateways, these special purpose devices never undergo any external security audit. You ju

Shock!

[fluffernutter]

This is very surprising! All the hotel wifis I have used seemed so rock solid and stable!

Re: Shock!

[firecode]

I managed to hack one hotel wifi router, which just used default passwords.

The list of hardcoded passwords

[Surak_Prime]

In case you're interested, they are:
longing
rusted
seventeen
daybreak
furnace
nine
benign
homecoming
one
freight car

Re:

[Alumoi]

I'd have guessed 12345, but hey!

I'm shocked

[Anonymous Crowded]

The people that give you wifi on a non-coordinated set of routers wired up like a wet-wall of a victorian house and expect it to work at the other end of the building didn't plan for security.

Man, I gotta sit down.

admin / admin

[uufnord]

It's in the damn manual. On the internet. https://wiki.fdxtended.com/_me... [fdxtended.com]