A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.
Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are “extremely easy to guess.” With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway’s settings and databases, which store records about the guest’s using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages, he said.
Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored “millions” of guest names, email addresses and arrival and departure dates, he said.
Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk?
In the end, the security researcher found five vulnerabilities that he said could compromise the gateway — including guests’ information. One screenshot he shared with TechCrunch showed the administration interface of one hotel’s vulnerable gateway revealing the guest’s name, room number and email address.
Mohsin reported the newly discovered cache of flaws to Airangel, but months passed and the U.K.-based networking gear maker still has not fixed the bugs. A representative told Mohsin that the company hasn’t sold the device since 2018 and was no longer supported.
But Mohsin said the device is still widely used by hotels, malls and convention centers around the world. Internet scans show more than 600 gateways are accessible from the internet alone, though the true number of vulnerable devices is likely to be higher. Most of the affected hotels are in the U.K., Germany, Russia and across the Middle East, he said.
“Given the level of access that this chain of vulnerabilities offers to attackers, there is seemingly no limit to what they could do,” Mohsin told TechCrunch.
Mohsin presented his findings at the @Hack conference in Saudi Arabia last month. Airangel did not respond to a request for comment.