Slashdot Mirror


Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk

An anonymous reader writes: Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.

40 comments

  1. Incomplete sentence by JamesA · · Score: 0

    An anonymous reader writes incomplete sentences.

    1. Re:Incomplete sentence by wonkey_monkey · · Score: 1

      In that campaign, which Kaspersky dubbed DarkHotel.

      I think Slashdot is trying to woo the beat poetry crowd.

      --
      systemd is Roko's Basilisk.
  2. Cookie authenticated or open WiFi is insecure? by jafiwam · · Score: 3, Insightful

    Isn't it sort of obvious that hotel networks are a free-for-all security wise?

    Use a VPN and SSL.

    1. Re:Cookie authenticated or open WiFi is insecure? by Anonymous Coward · · Score: 0

      Isn't it sort of obvious that unencrypted connections over the internet are a free-for-(smart people or big organizations) security wise?

    2. Re:Cookie authenticated or open WiFi is insecure? by Anonymous Coward · · Score: 1

      Isn't it sort of obvious that unencrypted connections over the internet are a free-for-(smart people or big organizations) security wise?

      That's why I always use https://slashdot.org

    3. Re:Cookie authenticated or open WiFi is insecure? by CaptSisko · · Score: 5, Interesting

      An encrypted VPN might not help you in this case. Most hotel WiFi setups require you to go through a landing page first (captive portal), before internet access is released. This would still expose you to the same vulnerabilities.

      --
      -- Linux: Stays crunchy even in milk! --
    4. Re:Cookie authenticated or open WiFi is insecure? by Shoten · · Score: 5, Informative

      Isn't it sort of obvious that hotel networks are a free-for-all security wise?

      Use a VPN and SSL.

      RTFA; that won't help.

      The problem is that before you can connect out to use your VPN, you first have to get provisioned by the hotel's wifi. This involves at a minimum checking a box that says "I won't try to hack or do bad things," along with either authorizing a charge, giving the webpage your hotel frequent traveler info/name and room number, or authorizing a charge for the Internet access. Those pages are what put you at risk; the attacker hacks the router that serves up the page, adds a nice little bit of extra code to serve up malware (that he also uploads to the router itself, so no need for outside Internet to get it), and boom...everyone with a vulnerable system that connects in that hotel gets pwned.

      And that's beyond the risk of the machine serving as a jump-point for deeper penetration into the hotel itself. How is your using a VPN going to protect the hotel's keycard system from being hacked? Or protect your private information that resides in the reservation system?

      --

      For your security, this post has been encrypted with ROT-13, twice.
    5. Re:Cookie authenticated or open WiFi is insecure? by parkinglot777 · · Score: 2

      Isn't it sort of obvious that hotel networks are a free-for-all security wise?

      Of course, it is obvious. If we ponder a little bit further, we would know that the main purpose of a hotel is for a temporary stay, not Internet services. So can't expect the latter service quality to be secured. ;)

    6. Re:Cookie authenticated or open WiFi is insecure? by itzly · · Score: 1

      everyone with a vulnerable system that connects in that hotel gets pwned.

      Everyone with a vulnerable system gets pwned anyway.

    7. Re:Cookie authenticated or open WiFi is insecure? by drinkypoo · · Score: 1

      What you use is noscript, and then you allow only the scripts necessary to get the portal working, and you don't run any flash or java from the portal, etc etc. And you keep your browser updated. It's not rocket surgery. It's not foolproof, but it's best to act as little like a fool as possible.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Cookie authenticated or open WiFi is insecure? by Anonymous Coward · · Score: 0

      Why, are the slashdot servers run out of a hotel?

    9. Re:Cookie authenticated or open WiFi is insecure? by Anonymous Coward · · Score: 0

      Why, are the slashdot servers run out of a hotel?

      Because Dice!

  3. Tom Bodette will leave the wifi on for you by rmdingler · · Score: 2

    I just assume that, with free wifi, I'm getting precisely what I'm paying for.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Tom Bodette will leave the wifi on for you by Errol+backfiring · · Score: 3, Insightful

      I think you do pay for the wifi. In hotels, it is usually not "free wifi" but "wifi included in the package". If you only visit the hotel without renting a room it may still be open, but it is meant for the paying guests.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:Tom Bodette will leave the wifi on for you by Anonymous Coward · · Score: 0

      If you're not paying for something and still receiving it, it's free.

  4. And? by ledow · · Score: 5, Interesting

    Hotel wireless is already a risk anyway.

    Let's assume the wireless is open. Then anyone and everyone in an adjoining room can sniff everything you do over it anyway.

    Let's assume that you are given the key to join the network. Anyone else who has the same key - same thing. AP isolation doesn't save you against someone recording your traffic and having access to the key used to encrypt it.

    Wireless is UNTRUSTED. Even wired is UNTRUSTED. You do not know who's pushing that Facebook DNS entry to you, nor that the Facebook TLS is properly signed if you can't rely on the DNS entry.

    When you're not using your own networks, use a VPN. That way you don't even have to care if someone bothered to put even WEP on the connection - the VPN gives you the security for your data. However, be sure that if you're doing this, you have a firewall (you are STUPID if you don't) as anything else can send you traffic in these instances too, no encryption, WEP, WPA, WPA2, it doesn't matter.

    Every time someone says "join my wireless", replace it mentally with "just plug this cable that connects to all my local machines and also every guest that's ever had the same offer, into your laptop".

    Firewall it. VPN it. Then you don't even need to care that it's an open network. And, shockingly, the same config will work with cabled networks.

    And if it doesn't work? You don't want to use that connection. Any hotel that breaks your VPN is one that's almost certainly providing some poor replacement for it.

    1. Re:And? by tiberus · · Score: 1

      I've used a range of options over the years depending on circumstances from VPN, to my access point hardwired to their network to MiFi. While it's likely all/most readers here can do those things and more, that's not the point.

      The point is most of the general public doesn't understand. Yes we can, and prolly do laugh and snicker at the luddites, unwashed and ignorant. In truth what hurts them, hurts us. Calling them "stupid" doesn't help, most of them are ignorant not stupid anyway. Is it really that unreasonable to expect that a hotel that provides a service that we are in fact paying for, does so with due diligence?

    2. Re:And? by Anonymous Coward · · Score: 0

      I usually know when I have used the real facebook. Only there my butt is really hurting, as the website has fucked me into the ass again.

    3. Re:And? by BitZtream · · Score: 2

      nor that the Facebook TLS is properly signed if you can't rely on the DNS entry.

      TLS doesn't depend on DNS working properly and not being corrupted. Its job is, in fact, to alert you of the fact that things like DNS corruption are taking place, or that someone is intercepting your traffic.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re: And? by Anonymous Coward · · Score: 0

      Someone didn't read the article. VPN and firewalls will not protect you from a local attack via the wifi sign-in page hosted on a compromised router.

    5. Re:And? by vjoel · · Score: 1

      laugh and snicker at the luddites

      The Luddites will be just fine in these hotels of which you speak, reading their paperback novels and engaging in other analog activities.

      --
      What part of `yes no` don't you understand?
    6. Re:And? by Nkwe · · Score: 1

      Wireless is UNTRUSTED. Even wired is UNTRUSTED.

      The Internet is untrusted. Period.

      Even an intranet should generally be untrusted. Every machine needs to be responsible for defending itself; no machine should assume that other things on the network are good actors.

    7. Re: And? by Anonymous Coward · · Score: 1

      Reading paperback novels is a digital activity. Have you tried holding one open without using your fingers?

  5. I just skip the "free" wifi by sjbe · · Score: 2

    There is a reason why I generally use LTE through my phone instead of "free" wifi when traveling. Not only is the LTE usually faster and less geographically constrained, but I don't have nearly as many security or connectivity problems 99% of the time. I've been behind the scenes at some restaurants and hotels and the "security" setup pretty much convinced me that free wifi is generally not worth the risk if you have a viable alternative. I assure you that many hotels and probably most restaurants do not have a crack IT staff maintaining their system. It's about as basic and insecure as you can possibly imagine. I've even had to point out to a franchised restaurant that they had the free wifi on the same subnet as their internal computers with zero protection of any kind.

    1. Re:I just skip the "free" wifi by Jason+Levine · · Score: 1

      And Marriott wanted the ability to block you from using your mobile hotspot, forcing you on the hotel's wireless network for "security reasons." Thankfully, they withdrew the request when it became apparent that a) it wouldn't be granted and b) there was a ton of bad PR being generated by this move. Still, this insecure hotel wi-fi story makes that request even more laughable.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:I just skip the "free" wifi by Anonymous Coward · · Score: 0

      So, connect phone to laptop via Bluetooth or USB instead of WiFi. Marriott just wanted to mess with WiFi, not jam cell phone connections.

  6. Infosec Marketing by Anonymous Coward · · Score: 0

    Must every bug and vulnerability get a marketing campaign???

  7. More reasons to worry by hcs_$reboot · · Score: 1

    How many smaller hotels, shops and other wifi APs bothered to change the default admin password? A lot did not. So, you may need a user password initially (as a customer), but then the setup page is usually at http://router/ where the router model and version are commonly displayed. A quick search on the Internet and you may try the default root/admin password which is quite likely to work. Then you may inject your own DNS servers, and voilà.
    Not mentioning how you can also (even more) easily impersonate any of the no-password SSIDs that people know well (the phone/mac/pc will choose the highest dB one when both are available), and again redefine some DNS entries, add some filtering etc...
    So this hotel security hole is maybe important - but the whole wifi/router security concept is pretty much flawed in the first place (due to people's negligence and incompetence, to router manufacturers who want to provide an "easy setup" router, to many other entities keen on providing a free wifi access with no security at all etc...).

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:More reasons to worry by Anonymous Coward · · Score: 0

      some use the ISP ones that have preset ones on the label random.

  8. Public WiFi == Hostile Network by Anonymous Coward · · Score: 1

    All hotel networks should be treated as hostile, they typically have no meaningful security.

    I routinely sniff hotel networks. After checkin I fire up Driftnet to see what others are up to. I'm really surprised at the LACK of porn. Nearly none in most cases.

    1. Re:Public WiFi == Hostile Network by ColdWetDog · · Score: 1

      Sniff porn?

      Who knew?

      --
      Faster! Faster! Faster would be better!
    2. Re:Public WiFi == Hostile Network by Anonymous Coward · · Score: 0

      . After checkin I fire up Driftnet to see what others are up to. I'm really surprised at the LACK of porn. Nearly none in most cases.

      They are too busy making their own.

  9. Lawful intercept backdoor? by DougPaulson · · Score: 1

    I wonder, is this part of the lawful intercept they mention in the manual? I mean what are the odds of accidentally leaving unauthorized rsync active in the device. Who did ANTlabs get to do the work?

    Lawful Intercept
    - Monitoring of Networks
    - Comply with legislative requirements
    - Local storage of logs

    "Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system .. It’s not known exactly how the attackers compromised that key system.

    Again, the locks were compromised by plugging an Arduino microcontroller into the DC socket on the lock. The lock then disgorged the 32 bit passcode to the device - in the clear - no encryption. A curious design decision on behalf of the lock's manufacturers to say the least.

  10. You have got to be shitting me? by DougPaulson · · Score: 1

    @sjbe: "There is a reason why I generally use LTE . I don't have nearly as many security or connectivity problems 99% of the time."

    You have got to be shitting me? Folks, you would think the designers of these 'secure' base stations would have wondered how to protect against cell site spoofing. Besides which, it is currently illegal in the EU to sell mobile phones that cannot be intercepted regardless of the level of 'security'

    'Stingrays Go Mainstream: 2014 in Review'

  11. Looking for the least worst solution by sjbe · · Score: 1

    You have got to be shitting me?

    Not in the slightest. I've seen the hardware and setup for a few hotels and a lot of restaurants with my own eyes. While I'm sure there are plenty of security issues with LTE, I know for a fact that plenty of public free wifi is about as clean as a $2 hooker.

    Folks, you would think the designers of these 'secure' base stations would have wondered how to protect against cell site spoofing.

    Please point me to a single instance of non-governmental cell site spoofing outside of black-hat hacking conferences. This simply is not a significant problem. Highly insecure wifi is a significant problem. Extremely slow and annoying public wifi is a significant problem. Anything that can be intercepted via LTE can be (more easily) intercepted via public free wifi. There is no truly secure solution but I'll take my chances with LTE over dubious hotel wifi any day of the week. It's kind of a least worst option.

    1. Re: Looking for the least worst solution by Anonymous Coward · · Score: 0

      So you're saying you would rather have the government hack you than, say, black hats hacking you. Wow, you are blind.

  12. Last time on vacation by Bryan+Bytehead · · Score: 1

    I used the hotel internet just long enough to get on (using the browser to type in the magic word for full access), then RDPing into my home system (and then dealing with somebody who has their own computer, but was still using my home computer), to get what I needed accomplished. Get home, and find out that searches were now hijacked. A scan fixed the problem, but my home system wasn't infested, not that RDP is an attack vector that I'm aware of, and since the only pages I loaded were the hotel's, it doesn't even take a WiFi exploit to get malware when the ad system obviously can do a drive-by.

    --
    Bryan
    1. Re:Last time on vacation by jep77 · · Score: 1

      not that RDP is an attack vector that I'm aware of

      Google RDP MitM to learn about it.

    2. Re:Last time on vacation by Bryan+Bytehead · · Score: 1

      Interesting. But I know the IP address that I was using, so a MITM attack wasn't really something I was worried about, it was more of an attack from my own machine that I was thinking. Unless somebody really had it out for me and was spoofing my home IP address as well. Of which, one use every few years, that doesn't sound like an attack vector that would be given that much rope just to wait to see if I was RDPing in. I'm much more inclined to think that it was the ad network.

      --
      Bryan