Hotel Check-in Kiosks Expose Guest Data, Room Keys
CVE-2024-37364 affects hospitality kiosks from Ariane Systems, which are used for self-check-in at more than 3,000 hotels worldwide.
June 7, 2024
A software vulnerability in Ariane Systems' kiosk platform allows attackers to access the personal data of hotel guests through check-in terminals equipped with the software.
Through a kiosk mode bypass flaw (CVE-2024-37364, CVSS 3.0 score 6.8) malicious actors could access locally stored reservations and invoices as well as personally identifiable information (PII), according to Pentagrid security researcher Martin Schobert, who discovered the vulnerability in March.
Vulnerable terminals running Ariane Allegro Scenario Player also potentially could be used to create room keys for other hotel rooms, as the ability to make RFID transponders used as keycards is also installed on the check-in terminals, he warned in a blog post this week.
The impact could be wide-ranging: On its website, Ariane claims to be "the world's leading provider of self-check-in and -out solutions for the hotel industry with more than 3,000 installations."
How the Ariane Hotel Check-In Exploit Works
The software enables guests to check in and book rooms at the hotel. Hotel guests can use it to search for existing reservations by entering their surname or a booking number.
However, if a single quote is entered when searching for a name, the application hangs.
"When touching the screen of the terminal again, the Windows operating system will ask the user if Windows should wait any longer or stop the task," Schobert wrote.
Exiting also ends the software's kiosk mode, giving the user access to the system's Windows desktop, with code-execution ability — and to the data stored there and the network.
“With the ability to inject and execute program code, it seems possible to get room keys created for other rooms because the functionality of provisioning RFID transponders is implemented in the terminal," he continued.
He noted an attacker needs physical access to a check-in terminal to carry out an attack, and depending on the threat actor's preparation, it does require some time at the terminal. That means incidents can be prevented with proper physical monitoring.
John Bambenek, president at Bambenek Consulting, recommends that these kiosks should always be in highly visible areas with antivirus surveillance, and says access to anything except the touchscreen should be inaccessible to the public.
"These devices probably cannot be completely isolated from the main hotel network as part of the point is to issue keys and handle room management," he notes. "However, the devices should be limited to sending only require machines and ports with everything else filtered."
Multiple Hospitality Risks, Access to Rooms
John Gallagher, vice president of Viakoo Labs at Viakoo, says providing unauthorized access to data contained within a hotel check-in terminal gives rise to multiple risks.
"These include knowing details on someone's stay, if a room is occupied or not, potential lateral movement to systems on the same network, and data capturing applications being put onto the kiosk," he explains.
He adds that if access to the kiosk can also provide access to the broader hotel network, it would provide the attacker with much more data.
"The situation I would be most concerned about is if I could see someone using the self-check-in terminal, then follow them in using it, crash the Ariane application, get access to the last guest's check-in information, print a new RFID card, then have access to that person's room," Gallagher explains.
Update Kiosk Software, Limit Access
Ariane told Pentagrid that the vulnerability had been fixed in a new version of the Allegro Scenario Player, and that the terminal examined by Schobert was a "legacy system."
However, according to the researcher, the manufacturer did not disclose the exact version in which the problem was patched.
According to Schobert, the system he investigated was an Ariane Duo 6000 series terminal. But Adam Neel, senior threat detection engineer at Critical Start, says hotel operators must ensure all check-in terminals are running the latest version of the Ariane Allegro Scenario Player to fully address the software flaw.
Meanwhile, Neel notes that in general, organizations should make sure that all Internet of things (IoT) devices are patched with the latest security updates — and often-overlooked area for IT teams.
Beyond regular patching, "implementing network isolation by placing terminals on a separate VLAN or network segment from critical systems is also crucial," he adds. "And finally, having an incident response plan in place is essential for quickly addressing any security breaches."
About the Author
You May Also Like