A security researcher says that an Internet gateway used by hundreds of hotels to host and manage their guest WiFi networks has vulnerabilities that could compromise their guests’ personal information.
Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hard-coded passwords that are “extremely easy to guess”. With those passwords, which we are not publishing, an attacker could gain remote access to the gateway’s settings and databases, where records of guests’ WLAN use are stored. With that access, an attacker could read and exfiltrate guest records, or reconfigure the gateway’s network settings to silently redirect guests to malicious websites, he said.
Back in 2018, Mohsin came across one of these gateways on the network of a hotel where he was staying. He found that the gateway was syncing files over the internet from another server, which Mohsin said held hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The same server also stored “millions” of guest names, email addresses, and arrival and departure dates, he said.
Mohsin reported the issue and the server was secured, but it raised a question: could the gateway itself have other security flaws that would put hundreds of other hotels at risk?
In the end, the security researcher found five vulnerabilities that he said could compromise the gateway and the guest information it holds. A screenshot he shared with TechCrunch showed the management interface of one hotel’s vulnerable gateway, listing a guest’s name, room number and email address.
Mohsin reported the newly discovered bugs to Airangel, but months later the UK-based network equipment maker still has not fixed them. A representative told Mohsin that the company has stopped selling the device and has not supported it since 2018.
Mohsin said the device is nevertheless still widely used in hotels, shopping malls and convention centers around the world. Internet scans show more than 600 gateways reachable directly from the internet, and the real number of vulnerable devices is likely higher, since gateways that are not internet-facing would not show up in such scans. Most of the affected hotels are in the UK, Germany, Russia and across the Middle East, he said.
“Given the access this chain of vulnerabilities gives attackers, there seems to be no limit to what they can do,” Mohsin told TechCrunch.
Mohsin presented his findings at the @Hack conference in Saudi Arabia last month. Airangel did not respond to a request for comment.