Hotel check-in kiosks expose guest data and room keys

A software vulnerability in Ariane Systems’ kiosk platform allows attackers to access hotel guests’ personal data through check-in terminals equipped with the software.

Via a kiosk mode bypass flaw (CVE-2024-37364CVSS 3.0 score 6.8), malicious actors could access locally stored reservations and invoices as well as personally identifiable information (PII), according to Martin Schobert, a security researcher at Pentagrid, who discovered the vulnerability in March.

Vulnerable terminals running Ariane Allegro Scenario Player could also potentially be used to create room keys for other hotel rooms, as the ability to use RFID transponders as key cards is also installed on check-in terminals , did he declare. warned in a blog post this week.

The impact could be far-reaching: on its website, Ariane describes itself as “the world’s leading provider of automatic check-in and check-out solutions for the hotel industry, with more than 3,000 installations.”

How the Ariane Hotel check-in exploit works

The software allows guests to check in and reserve rooms at the hotel. Hotel guests can use it to search for existing reservations by entering their last name or a reservation number.

However, if a single quote is entered when searching for a name, the application crashes.

“By touching the terminal screen again, the Windows operating system will ask the user whether Windows should wait longer or stop the task,” Schobert wrote.

Exit also ends the software’s kiosk mode, giving the user access to the system’s Windows desktop, with code execution capability – and to the data stored there and the network.

“With the ability to inject and execute program code, it seems possible to create room keys for other rooms because the functionality of providing RFID transponders is implemented in the terminal,” he said. for follow-up.

He noted that an attacker needs physical access to a recording terminal to carry out an attack and that, depending on the threat actor’s preparation, this requires some time at the terminal. This means that incidents can be avoided with proper physical monitoring.

John Bambenek, president of Bambenek Consulting, recommends that these kiosks always be located in highly visible areas with virus monitoring, and says that access to everything except the touch screen should be inaccessible to the public.

“These devices probably cannot be completely isolated from the main hotel network, because part of the goal is to hand over keys and manage room management“, he notes. “However, devices should be limited to sending only, requiring machines and ports with everything else filtered.”

Multiple hotel risks, access to rooms

John Gallagher, vice president of Viakoo Labs at Viakoo, says providing unauthorized access to data contained in a hotel check-in terminal creates multiple risks.

“This includes knowing the details of a person’s stay, whether a room is occupied or not, potential lateral movement to systems on the same networkand data capture applications placed on the kiosk,” he explains.

He adds that if access to the kiosk can also provide access to the wider hotel network, this would provide the attacker with much more data.

“The situation that would concern me the most would be if I could see someone using the self-check-in kiosk, then track them in their use, crash the Ariane app, access the last guest’s check-in information, print a new RFID card and then gain access to that person’s room,” Gallagher says.

Update kiosk software, limit access

Ariane told Pentagrid that the vulnerability had been fixed in a new version of Allegro Scenario Player and that the terminal Schobert examined was a “legacy system.”

However, according to the researcher, the manufacturer did not disclose the exact version in which the problem was fixed.

According to Schobert, the system he investigated was an Ariane Duo 6000 series terminal. But Adam Neel, senior threat detection engineer at Critical Start, says hotel operators need to ensure that all terminals have recording are running the latest version of Ariane Allegro Scenario Player to fully address the software flaw.

At the same time, Neel notes that in general, organizations need to ensure that all Internet of Things (IoT) devices are equipped with the latest security updates – an area often overlooked by IT teams.

Beyond regular patches, “implementing network isolation in place endpoints on a separate VLAN or network segment critical systems is also crucial,” he adds. “And finally, having an incident response plan is essential to quickly remediate any security breaches.”