Dark Reading is part of the Informa Tech Division of Informa PLC


3/27/2015
04:25 PM

Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks

A flaw in a popular router product may have exposed millions of hotel guests, researchers from Cylance say.

News this week that guests at hotels around the world were exposed to malicious attacks from a gaping vulnerability in a popular network routing product is a reminder of the inherent risks business travelers face in connecting to the Internet from unfamiliar Wi-Fi access points.

Security researchers at the Sophisticated Penetration Exploitation and Research team at Cylance discovered a critical—and now patched—vulnerability in InnGate routers from ANTlabs, a Singapore-based company that supplies network equipment to hotels around the world. InnGate routers are installed in hotels, convention centers, and in numerous places that offer public Wi-Fi access.

Cylance described the vulnerability it discovered as an authentication flaw that basically gave attackers full read and write access to the file system on certain models of the InnGate router. The access would have permitted attackers to take complete remote control of the device and use it to intercept or modify traffic flowing through the router.

Attackers would also have been able to use the flaw to gain access to devices on the affected hotel’s WiFi network and plant malware or steal data from them. In some cases, the InnGate device was even integrated with the hotel’s core property management system, putting critical guest booking, point-of-sale and customer data at risk of compromise.

Cylance researchers uncovered vulnerable routers at 277 hotels, convention centers, and data centers in 29 countries. In its alert, the company warned that millions of customers could potentially be exposed to malicious attacks from using vulnerable routers at locations that installed them. ANTlabs issued a patch for the flaw Thursday and said it was working with affected customers to ensure the patch was applied.

This is the second time in recent months that security researchers have warned of hotel WiFi networks being a potential vector of attack for cyber criminals. Last November, Kaspersky Labs sounded the alarm on DarkHotel, an advanced persistent threat campaign involving a group of cybercriminals that has been stealing data from high-value hotel guests by breaking into their systems via the WiFi system.

Like DarkHotel, the InnGate vulnerability would have also allowed attackers to target specific guests but with far less effort, Cylance said.

Incidents like this highlight the risks that business travelers face when they take the security of hotel WiFi networks and other public access points for granted, says Justin Clarke, a security researcher at Cylance. They underscore the fact that the devices, which people rely on to connect to the Internet, are not often vetted for security and therefore cannot be fully trusted, Clarke said. “It’s a reminder to continue thinking about what devices out there may not have been analyzed fully from a security standpoint,” and take the appropriate precautions.

For business travelers, and others, that means taking common sense precautions, like always using a VPN when accessing the corporate network, ensuring that malware protections are updated, and avoiding tasks that can wait till a trusted access point is available, he said.

Vulnerabilities like the one uncovered by Cylance also serve up some important lessons in configuring routers securely. Embedded web servers are often the source of many flaws, so it is a mistake to allow remote router management over the Internet, said Craig Young, security researcher at Tripwire.

Administrators that need remote access to a router’s web interface should instead consider configuring network address translation rules to allow external SSH or VPN access, Young said in an emailed statement responding to the Cylance disclosure.

Allowing default passwords and default IP ranges to remain on a router also makes it easier to attack, and so too does failing to log out after configuring the router, he said. “Some attacks will only work when the victim’s browser is authenticated to the router or when the attacker knows the password,” he said.

The router vulnerability that Cylance discovered shows why people should be careful about using any available Internet connection, said Brad Cyprus, chief of security and compliance at Netsurion.

By emulating a legitimate Wi-Fi access portal, an attacker can effectively place himself between a user and the Internet, he said. “This means that everything you do while connected will be visible to the data thief, including any login information you use to access your bank or office, your credit cards entered in any website, or the contents of your e-mail.”

One way for a business traveler to avoid such issues is to use their smartphone as a tethered Internet device, Cyprus said. “Since you can set up this connection to use the cellular network and not the hotel Wi-Fi, your data is never available to the hacker who is staying at the hotel looking for victims.” 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
otalliance,
User Rank: Strategist
3/30/2015 | 4:08:04 PM
Re: Personal Hotspot
Speaks to the importance of HSTS / HTTPS or AOSSL  https://otalliance.org/AOSSL
RyanSepe,
User Rank: Ninja
3/30/2015 | 12:36:03 PM
Personal Hotspot
Considering most hotel Wifi speeds are abysmal anyway, what about personal mobile hotspots from a security perspective? Granted, your speeds would be less than the typical wifi, but as stated before, hotel wifi is not typical, especially due to its over-utilization with mobile devices.

There are providers that offer unlimited data, and if you are going to be a frequent traveler concerned about security then it might be beneficial to go down this route. Thoughts?