News this week that guests at hotels around the world were exposed to malicious attacks from a gaping vulnerability in a popular network routing product is a reminder of the inherent risks business travelers face in connecting to the Internet from unfamiliar Wi-Fi access points.
Security researchers at the Sophisticated Penetration Exploitation and Research team at Cylance discovered a critical—and now patched—vulnerability in InnGate routers from ANTlabs, a Singapore-based company that supplies network equipment to hotels around the world. InnGate routers are installed in hotels, convention centers, and numerous other places that offer public Wi-Fi access.
Cylance described the vulnerability it discovered as an authentication flaw that basically gave attackers full read and write access to the file system on certain models of the InnGate router. The access would have permitted attackers to take complete remote control of the device and use it to intercept or modify traffic flowing through the router.
Attackers would also have been able to use the flaw to gain access to devices on the affected hotel’s WiFi network and plant malware or steal data from them. In some cases, the InnGate device was even integrated with the hotel’s core property management system, putting critical guest booking, point-of-sale and customer data at risk of compromise.
Cylance researchers uncovered vulnerable routers at 277 hotels, convention centers, and data centers in 29 countries. In its alert, the company warned that millions of customers could potentially be exposed to malicious attacks from using vulnerable routers at locations that installed them. ANTlabs issued a patch for the flaw Thursday and said it was working with affected customers to ensure the patch was applied.
This is the second time in recent months that security researchers have warned of hotel WiFi networks being a potential vector of attack for cyber criminals. Last November, Kaspersky Labs sounded the alarm on DarkHotel, an advanced persistent threat campaign involving a group of cybercriminals that has been stealing data from high-value hotel guests by breaking into their systems via the WiFi system.
Like DarkHotel, the InnGate vulnerability would have also allowed attackers to target specific guests but with far less effort, Cylance said.
Incidents like this highlight the risks that business travelers face when they take the security of hotel WiFi networks and other public access points for granted, says Justin Clarke, a security researcher at Cylance. They underscore the fact that the devices that people rely on to connect to the Internet are not often vetted for security and therefore cannot be fully trusted, Clarke said. “It’s a reminder to continue thinking about what devices out there may not have been analyzed fully from a security standpoint,” and to take the appropriate precautions.
For business travelers, and others, that means taking common-sense precautions, like always using a VPN when accessing the corporate network, ensuring that malware protections are updated, and avoiding tasks that can wait till a trusted access point is available, he said.
Vulnerabilities like the one uncovered by Cylance also serve up some important lessons in configuring routers securely. Embedded web servers are often the source of many flaws, so it is a mistake to allow remote router management over the Internet, said Craig Young, security researcher at Tripwire.
Administrators that need remote access to a router’s web interface should instead consider configuring network address translation rules to allow external SSH or VPN access, Young said in an emailed statement responding to the Cylance disclosure.
Allowing default passwords and default IP ranges to remain on a router also makes it easier to attack, and so too does failing to log out after configuring the router, he said. “Some attacks will only work when the victim’s browser is authenticated to the router or when the attacker knows the password,” he said.
The router vulnerability that Cylance discovered shows why people should be careful about using any available Internet connection, said Brad Cyprus, chief of security and compliance at Netsurion.
By emulating a legitimate Wi-Fi access portal, an attacker can effectively place himself between a user and the Internet, he said. “This means that everything you do while connected will be visible to the data thief, including any login information you use to access your bank or office, your credit cards entered in any website, or the contents of your e-mail.”
One way for a business traveler to avoid such issues is to use their smartphone as a tethered Internet device, Cyprus said. “Since you can set up this connection to use the cellular network and not the hotel Wi-Fi, your data is never available to the hacker who is staying at the hotel looking for victims.”