It doesn't have a sexy name like HeartBleed, RowHammer, or even POODLE, but security company Cylance announced last week that it had discovered an incredibly serious vulnerability in the ANTLabs InnGate Internet gateway device. If you’re a frequent traveler, as many event professionals are, chances are you’ve been connected to one of these devices. They’re popular with hotels, convention centers, and other places where temporary internet access is offered, chiefly because they offer the ability to tie the billing for that access to a specific room number or account. Some of the other features of the device includes express checkout and viewing of guest folio charges.
The vulnerability, which offers a “complete compromise of the vulnerable system” is apparently trivial to exploit, allowing relatively unsophisticated attackers to gather any and all plain text communication sent through the device, including unencrypted websites (no locky-lock on the web address, no https), and virtually all email sent through email applications such as Outlook. More advanced attackers would have “seemingly no limit to what they could do” including potentially intercepting even HTTPS encrypted web pages (like banks or Gmail), stealing usernames and passwords, adding malware to software downloads, or much, much worse.
Put simply, when we’re connected to a hotel or venue WiFi, literally every bit of information we send and receive is going through their infrastructure. What happens when that infrastructure can be compromised at it’s very basic levels? Anything an attacker wants.
More than just sniffing your Internet
This particular exploit isn’t just limited to hotel guests Internet browsing, however. One of the selling points of the InnGate is that it can connect to a location’s PMS (Property Management System). A PMS can contain a tremendous amount of data including guest bookings and information, on-property sales, sales and marketing information- even HR and payroll, depending on the system. What’s even scarier, is that a PMS can in turn connect to other systems, such as “central reservation systems and revenue or yield management systems, front office, back office, point of sale, door-locking, housekeeping optimization, pay-TV, energy management, payment card authorization and channel management systems.” (Source:Wikipedia) Likewise, according to Cylance, if that PMS controls multiple locations, the attackers “could potentially leverage that access to infect the other branches of an organization.”
Scared the bejeebers out of you? It probably should. This one was pretty bad. Over 270 instances of this particular device were publicly accessible, and exploitable, via the Internet. The hotels and venues involved ran the gamut, and were not restricted to any brand, star rating, or price, and were spread out all over the world. They also ranged from “places we’ve never heard of to places that cost more per night than most apartments cost to rent for a month”, according to Cylance.
One can’t read about this exploit and not think back to a few months ago when Kaspersky revealed that high-end business travelers had been targeted for years by a group that it dubbed DarkHotel. There was plenty of evidence that the group had state-level tools at their disposal, but this new exploit has some wondering if perhaps it’s been much easier to target and attack hotel guests than anyone previously thought.
The good news is that ANTLabs immediately leapt into action as soon as the vulnerability was reported to them, getting a patch ready and releasing it in just over a month. Cylance noted that it’s “not often that vulnerability reporting goes smoothly and ultimately resulted in a timely patch from the vendor.” Cylance is also working to notify the hotels and venues that it identified as being vulnerable.
So what do we do?
I’ve been telling people for some time now that the vast majority of hotel WiFi networks are not secured properly, referring to the fact that the network itself doesn’t have a password. Sadly, I had no idea that this level of attack was even possible. When you can infiltrate a gateway device this deeply, it’s pretty scary. There are a few things we can all do to help make the bad guy’s jobs more difficult, though:
Hotels and Venues:
- Make sure your network devices are checked regularly to see if there are any updates available, and if you use ANTLabs InnGates, FOR THE LOVE OF GOD GO MAKE SURE THEY GET UPDATED RIGHT FLIPPING NOW.
- Secure your WiFi routers with a password. Yes it wouldn’t have helped in this case, but that doesn’t mean you shouldn’t do it. And you should.
- Of course, you could also make WiFI free, in which case a lot of this integration with PMSs would no longer be necessary, and things would be, more or less, just as secure as our personal and business WiFi routers. Or at least less of a target. Just sayin'.
- Don’t do anything on public/hotel/venue WiFi that you wouldn’t want the ENTIRE WORLD to know. While HTTPS connections to banks, Gmail, and other encrypted sites should be safe, this exploit shows that might not necessarily be the case. While we all have to use these networks from time to time, try to restrict your traffic to as few sites as possible, and to avoid anything relating to financial data, company secrets, or other, er… sites… that you might not… er… want folks to find out you visit.
- If at all possible, when on these networks, use a VPN. A VPN is a Virtual Private Network, and it acts like a secure, encrypted tunnel for your Internet access. The reason this type of vulnerability works is because it’s intercepting your traffic right there in the hotel as you surf around the net. With a VPN, your data goes through the encrypted data tunnel to your office, or other location, before it goes out onto the Internet- so all the venue WiFi sees is noise.
Stay safe out there people…
Cylance - http://blog.cylance.com/spear-team-cve-2015-0932
DarkHotel - http://www.wired.com/2014/11/darkhotel-malware/
WikiPedia PMS - http://en.wikipedia.org/wiki/Property_management_system
ANTLabs InnGate - http://www.antlabs.com/index.php?option=com_content&view=article&id=69&Itemid=88
ANTLabs InnGate Patch - http://www.antlabs.com/index.php?option=com_content&view=article&id=195:rsync-remote-file-system-access-vulnerability-cve-2015-0932&catid=54:advisories&Itemid=133
Special thanks to Steve Gibson for reporting on this on his Security Now netcast: