
3/27/2015
04:25 PM

Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks

A flaw in a popular router product may have exposed millions of hotel guests, researchers from Cylance say.

News this week that guests at hotels around the world were exposed to malicious attacks from a gaping vulnerability in a popular network routing product is a reminder of the inherent risks business travelers face in connecting to the Internet from unfamiliar Wi-Fi access points.

Security researchers at the Sophisticated Penetration Exploitation and Research team at Cylance discovered a critical—and now patched—vulnerability in InnGate routers from ANTlabs, a Singapore-based company that supplies network equipment to hotels around the world.  InnGate routers are installed in hotels, convention centers, and in numerous places that offer public Wi-Fi access.

Cylance described the vulnerability it discovered as an authentication flaw that basically gave attackers full read and write access to the file system on certain models of the InnGate router. The access would have permitted attackers to take complete remote control of the device and use it to intercept or modify traffic flowing through the router.

Attackers would also have been able to use the flaw to gain access to devices on the affected hotel’s WiFi network and plant malware or steal data from them. In some cases, the InnGate device was even integrated with the hotel’s core property management system, putting critical guest booking, point-of-sale and customer data at risk of compromise.

Cylance researchers uncovered vulnerable routers at 277 hotels, convention centers, and data centers in 29 countries. In its alert, the company warned that millions of customers could potentially be exposed to malicious attacks from using vulnerable routers at locations that installed them. ANTlabs issued a patch for the flaw Thursday and said it was working with affected customers to ensure the patch was applied.

This is the second time in recent months that security researchers have warned of hotel WiFi networks being a potential vector of attack for cyber criminals. Last November, Kaspersky Labs sounded the alarm on DarkHotel, an advanced persistent threat campaign involving a group of cybercriminals that has been stealing data from high-value hotel guests by breaking into their systems via the WiFi system.

Like DarkHotel, the InnGate vulnerability would have also allowed attackers to target specific guests but with far less effort, Cylance said.

Incidents like this highlight the risks that business travelers face when they take the security of hotel WiFi networks and other public access points for granted, says Justin Clarke, a security researcher at Cylance. They underscore the fact that the devices, which people rely on to connect to the Internet, are not often vetted for security and therefore cannot be fully trusted, Clarke said. “It’s a reminder to continue thinking about what devices out there may not have been analyzed fully from a security standpoint,” and take the appropriate precautions.

For business travelers, and others, that means taking common sense precautions, like always using a VPN when accessing the corporate network, ensuring that malware protections are updated, and avoiding tasks that can wait till a trusted access point is available, he said.

Vulnerabilities like the one uncovered by Cylance also serve up some important lessons in configuring routers securely. Embedded web servers are often the source of many flaws, so it is a mistake to allow remote router management over the Internet, said Craig Young, security researcher at Tripwire.

Administrators that need remote access to a router’s web interface should instead consider configuring network address translation rules to allow external SSH or VPN access, Young said in an emailed statement responding to the Cylance disclosure.

Allowing default passwords and default IP ranges to remain on a router also makes it easier to attack, and so does failing to log out after configuring the router, he said. “Some attacks will only work when the victim’s browser is authenticated to the router or when the attacker knows the password,” he said.
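Young's recommendation, sketched as an added example (not from the article, Cylance, Tripwire or ANTlabs): an nftables ruleset for a generic Linux-based router that keeps the web interface off the Internet side and forwards only SSH through a NAT rule. The interface names, addresses and the jump host are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed (constructed) names and addresses:
#   wan0        Internet-facing interface
#   lan0        management LAN, moved off the vendor-default range
#   192.0.2.10  administrator's fixed source address (documentation range)
#   10.77.0.5   internal SSH jump host

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # WEAK setting (shown commented out): web management open to the Internet
        # iifname "wan0" tcp dport { 80, 443 } accept

        # Corrected: the embedded web server answers only on the management LAN
        iifname "lan0" ip saddr 10.77.0.0/24 tcp dport 443 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # Only the forwarded SSH session from the admin address reaches the jump host
        iifname "wan0" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.77.0.5 tcp dport 22 accept
        iifname "lan0" oifname "wan0" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # NAT rule: external SSH goes to the jump host; the web UI is never exposed
        iifname "wan0" ip saddr 192.0.2.10 tcp dport 22 dnat to 10.77.0.5:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

With this in place an administrator reaches the router's web interface by tunnelling through the SSH session (for example with `ssh -L`), so the embedded web server is never directly reachable from outside.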

The router vulnerability that Cylance discovered shows why people should be careful about using any available Internet connection, said Brad Cyprus, chief of security and compliance at Netsurion.

By emulating a legitimate Wi-Fi access portal, an attacker can effectively place himself between a user and the Internet, he said. “This means that everything you do while connected will be visible to the data thief, including any login information you use to access your bank or office, your credit cards entered in any website, or the contents of your e-mail.”

One way for a business traveler to avoid such issues is to use their smartphone as a tethered Internet device, Cyprus said. “Since you can set up this connection to use the cellular network and not the hotel Wi-Fi, your data is never available to the hacker who is staying at the hotel looking for victims.” 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
otalliance,
User Rank: Strategist
3/30/2015 | 4:08:04 PM
Re: Personal Hotspot
Speaks to the importance of HSTS / HTTPS or AOSSL  https://otalliance.org/AOSSL
RyanSepe,
User Rank: Ninja
3/30/2015 | 12:36:03 PM
Personal Hotspot
Considering most hotel Wifi speeds are abysmal anyway, what about personal mobile hotspots from a security perspective? Granted your speeds would be less than the typical wifi but as stated before hotel wifi is not typical especially due to its over-utilization with mobile devices.

There are providers that offer unlimited data and if you are going to be a frequent traveler concerned about security then it might be beneficial to go down this route. Thoughts?