Hotel check-in terminal bug spews out access codes for guest rooms

A self-service check-in terminal used in a German Ibis budget hotel was found leaking hotel room keycodes, and the researcher behind the discovery claims the issue could potentially affect hotels around Europe.

The terminal’s security flaw could be abused by anyone, requiring no technical knowledge or specialized tooling. Realistically, an attacker could aggregate an array of room keycodes in just a few minutes – as long as it would take a regular customer to use the same machine to check in to their room.

Self-service check-in terminals can be used by hotel guests as an alternative to speaking with front desk staff, who sometimes aren’t available to serve. As well as allowing guests to check into their rooms, these terminals also offer the capability to search for information about existing bookings.

If, for example, a guest forgets their keycode, they can input their booking reference number and the terminal will present details about their booking, including their room code.

Martin Schobert at Swiss security firm Pentagrid discovered that an attacker could input a series of six consecutive dashes (------) in place of a booking reference number and the terminal would return an extensive list of room details.

“Any other sequence of dashes is accepted if it is long enough to enable the submit button,” he said. “Therefore, it is assumed that a variable length string is likely not a master code, but a bug or a not deactivated test function.”

Once the dashes were entered, the booking information displayed the cost of the booking and the valid room entry keycodes, along with the room number. It also included a timestamp, which the researchers assumed to be a check-in date – one that may indicate the length of a guest’s stay.

The issue was discovered accidentally while using a terminal in the Hamburg Altona Ibis Budget hotel after Schobert attended a cybersecurity convention in the city. He was able to retrieve the details of 87 bookings; the hotel offers 180 rooms. It’s not clear whether the bug was limited to returning fewer than the full number of bookings, or whether only 87 bookings were valid at that time.

Even without the exploit using a series of dashes, Schobert said valid booking references could be found on discarded printouts, necessitating greater security controls embedded in the terminals.
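As an added illustration (not Pentagrid's, Accor's or the terminal vendor's code), the sketch below shows lookup-side controls that address both points above: input that is not a well-formed reference never reaches matching, a lookup must resolve to exactly one booking, and a reference alone, such as one read off a discarded printout, does not release a keycode. The reference format, the surname check and all names and data are assumptions constructed for the example.

```python
import hmac
import re

# Assumed reference format (6-10 upper-case letters or digits); the article
# does not state the real one.
REF_FORMAT = re.compile(r"[A-Z0-9]{6,10}")

# Constructed sample records, not taken from any real system.
BOOKINGS = [
    {"ref": "QX7L2M", "surname": "Meyer", "room": "101", "keycode": "483920"},
    {"ref": "B9K4TZ", "surname": "Okafor", "room": "214", "keycode": "175306"},
]


class LookupRefused(Exception):
    """Raised for any request that must not yield booking details."""


def lookup_booking(ref, surname, bookings=BOOKINGS):
    """Return room and keycode for exactly one verified booking, else raise."""
    if not isinstance(ref, str) or not isinstance(surname, str):
        raise LookupRefused("malformed input")
    # Allow-list the reference before any search logic sees it, so dashes,
    # wildcards or padding characters are rejected outright.
    if not REF_FORMAT.fullmatch(ref):
        raise LookupRefused("malformed booking reference")
    # Exact equality only: no prefix, pattern or fuzzy matching.
    matches = [b for b in bookings if b["ref"] == ref]
    # Fail closed: a guest lookup never returns a list of bookings.
    if len(matches) != 1:
        raise LookupRefused("no unique booking")
    booking = matches[0]
    # Second factor (hypothetical choice: guest surname) so that a reference
    # found on a printout is not sufficient on its own.
    expected = booking["surname"].casefold().encode()
    supplied = surname.strip().casefold().encode()
    if not hmac.compare_digest(expected, supplied):
        raise LookupRefused("verification failed")
    return {"room": booking["room"], "keycode": booking["keycode"]}


def is_refused(ref, surname):
    """Helper for the example: True when the lookup is rejected."""
    try:
        lookup_booking(ref, surname)
    except LookupRefused:
        return True
    return False
```
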

It isn’t difficult to imagine the potential consequences of this issue falling into the wrong hands. Being able to retrieve keycodes can lead to thefts, of course, and an attacker being able to target rooms by price could lead them to single out the wealthiest guests for potentially the biggest rewards.

Away from just theft, there also exists the potential for abuse by stalkers and other creeps, jeopardizing the personal safety of guests.

It can all be carried out within seconds too, we’re told, and any attacker could do this without arousing suspicion from onlookers since it seems like normal user activity. Schobert published a video showing it happening in real time, to show how simple exploiting the bug was.

While Schobert said he doesn’t know for sure if it could be replicated at other sites, he said other hotels around Europe “are likely affected as well.”

It should be said, however, there’s no evidence to suggest this was actually exploited in the real world.

Accor Security, the security arm of Accor, which owns the Ibis Budget chain, tested the issue, was able to reproduce it, and developed and deployed a software fix to all affected terminals in under a month.

The issue was first discovered on December 31, 2023, and was fixed on January 26, Pentagrid’s disclosure timeline showed.

Accor was approached by El Reg for additional comment but it didn’t immediately respond.

Hotel hell

It hasn’t been a great few weeks for hotel security. Two weeks ago we took a look at the vulnerabilities, together dubbed by researchers as “Unsaflok,” that saw around 3 million hotel doors vulnerable to unauthorized accesses.

Saflok MT and Saflok RT Plus are the two most commonly deployed models of keycard lock affected by the vulnerabilities, made by Swiss firm dormakaba.

Unlike the issues at Accor, these were trickier to exploit, but also not outside the realms of possibility. An attacker would need a valid or expired hotel keycard, and two blank ones that can be purchased online – one to reset the lock data and another to open it.

It could all be achieved using legal, freely available kit such as a Flipper Zero or an NFC-capable Android phone.

As of two weeks ago, a fix was developed but it is taking a while to deploy worldwide – only 36 percent of locks were fixed at the time of writing.

We also reported earlier this week that Omni Hotels was experiencing some pretty major IT issues, which initially downed systems responsible for bookings, payments, and door locks, but is now again accepting reservations.

As of Wednesday, the company’s phone lines were also down, reading a pre-recorded message referring to technical difficulties. At least the bars were still open across its sites, even if there was no Wi-Fi.

Originally published by Connor Jones: Hotel check-in terminal bug spews out access codes for guest rooms

Copyright notice: posted by admin on April 7, 2024 at 9:05 PM.
When reposting, please credit: Hotel check-in terminal bug spews out access codes for guest rooms | CTF导航
