3/27/2015
04:25 PM

Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks

A flaw in a popular router product may have exposed millions of hotel guests, researchers from Cylance say.

News this week that guests at hotels around the world were exposed to malicious attacks from a gaping vulnerability in a popular network routing product is a reminder of the inherent risks business travelers face in connecting to the Internet from unfamiliar Wi-Fi access points.

Security researchers at the Sophisticated Penetration Exploitation and Research team at Cylance discovered a critical—and now patched—vulnerability in InnGate routers from ANTlabs, a Singapore-based company that supplies network equipment to hotels around the world. InnGate routers are installed in hotels, convention centers, and in numerous places that offer public Wi-Fi access.

Cylance described the vulnerability it discovered as an authentication flaw that basically gave attackers full read and write access to the file system on certain models of the InnGate router. The access would have permitted attackers to take complete remote control of the device and use it to intercept or modify traffic flowing through the router.

Attackers would also have been able to use the flaw to gain access to devices on the affected hotel’s WiFi network and plant malware or steal data from them. In some cases, the InnGate device was even integrated with the hotel’s core property management system, putting critical guest booking, point-of-sale and customer data at risk of compromise.

Cylance researchers uncovered vulnerable routers at 277 hotels, convention centers, and data centers in 29 countries. In its alert, the company warned that millions of customers could potentially be exposed to malicious attacks from using vulnerable routers at locations that installed them. ANTlabs issued a patch for the flaw Thursday and said it was working with affected customers to ensure the patch was applied.

This is the second time in recent months that security researchers have warned of hotel WiFi networks being a potential vector of attack for cyber criminals. Last November, Kaspersky Labs sounded the alarm on DarkHotel, an advanced persistent threat campaign involving a group of cybercriminals that has been stealing data from high-value hotel guests by breaking into their systems via the WiFi system.

Like DarkHotel, the InnGate vulnerability would have also allowed attackers to target specific guests but with far less effort, Cylance said.

Incidents like this highlight the risks that business travelers face when they take the security of hotel WiFi networks and other public access points for granted, says Justin Clarke, a security researcher at Cylance. They underscore the fact that the devices, which people rely on to connect to the Internet, are not often vetted for security and therefore cannot be fully trusted, Clarke said. “It’s a reminder to continue thinking about what devices out there may not have been analyzed fully from a security standpoint,” and take the appropriate precautions.

For business travelers, and others, that means taking common sense precautions, like always using a VPN when accessing the corporate network, ensuring that malware protections are updated, and avoiding tasks that can wait till a trusted access point is available, he said.

Vulnerabilities like the one uncovered by Cylance also serve up some important lessons in configuring routers securely. Embedded web servers are often the source of many flaws, so it is a mistake to allow remote router management over the Internet, said Craig Young, security researcher at Tripwire.

Administrators that need remote access to a router’s web interface should instead consider configuring network address translation rules to allow external SSH or VPN access, Young said in an emailed statement responding to the Cylance disclosure.

Allowing default passwords and default IP ranges to remain on a router also makes it easier to attack, and so too does failing to log out after configuring the router, he said. “Some attacks will only work when the victim’s browser is authenticated to the router or when the attacker knows the password,” he said.

The router vulnerability that Cylance discovered shows why people should be careful about using any available Internet connection, said Brad Cyprus, chief of security and compliance at Netsurion.

By emulating a legitimate Wi-Fi access portal, an attacker can effectively place himself between a user and the Internet, he said. “This means that everything you do while connected will be visible to the data thief, including any login information you use to access your bank or office, your credit cards entered in any website, or the contents of your e-mail.”

One way for a business traveler to avoid such issues is to use their smartphone as a tethered Internet device, Cyprus said. “Since you can set up this connection to use the cellular network and not the hotel Wi-Fi, your data is never available to the hacker who is staying at the hotel looking for victims.” 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
otalliance,
User Rank: Strategist
3/30/2015 | 4:08:04 PM
Re: Personal Hotspot
Speaks to the importance of HSTS / HTTPS or AOSSL  https://otalliance.org/AOSSL
RyanSepe,
User Rank: Ninja
3/30/2015 | 12:36:03 PM
Personal Hotspot
Considering most hotel Wifi speeds are abysmal anyway, what about personal mobile hotspots from a security perspective? Granted your speeds would be less than the typical wifi but as stated before hotel wifi is not typical especially due to its over-utilization with mobile devices.

There are providers that offer unlimited data and if you are going to be a frequent traveler concerned about security then it might be beneficial to go down this route. Thoughts?