That is the takeaway of the recent disclosure by security firm Cylance that it had found a devastating vulnerability in an Internet router that it said is in use at eight of the world’s top ten hotel chains. Not only can the router be hijacked to cough up a user’s details - your details - in some cases, said Cylance, the router is directly interfaced with the hotel’s so-called Property Management system (PMS) which tracks everything from billing to room keys and in-room temperature. In a worse case scenario, a hacker could seize control of the vulnerable router, hop into the PMS, copy all available credit cards and their owner’s details, and perhaps for mirth change the locks on a few doors - rendering the plastic keycards useless - and dialing the temperature up to 105 degrees in victim rooms.
Cylance declined to name names of hotels, but it said it found 277 of the vulnerable routers, mainly in the U.S., mainly at hotels and convention centers. The company that made the router - ANTLabs in Singapore - issued a patch a few days ago, said Cylance. But Cylance researcher Justin Clarke told Mainstreet that “it is up to the end user to apply the patch.”
“The hotels have been notified, but they aren’t going to do anything," said Charles Tendell, CEO of Azorian Cyber Security. "They will tell their vendors.” He elaborated that most hotels do not have an in-house cyber expert qualified to apply a critical patch. So they will defer to vendors who will get around to it when they get around to it.
Meanwhile, said Clarke, guests who use these routers - which typically are encountered when logging into the hotel Wi-Fi - could see terrible things happening to them. Such as? “A hacker could view, log, tamper with the traffic of users of the device,” said Clarke. “He could potentially alter the traffic. He could cause you to download malware.” Bluntly put: access an unpatched ANTLabs router that a hacker has seized control of and your computer now is his for all practical purposes.
Worse: although it is unclear how many ANTLabs routers were in fact hacked, it is known that hackers read stories like this and they use the information to stake out new targets. A router that was safe last week might not be next week because hackers well understand the lag between disclosure of a vulnerability and patching.
Is this all hyperventilating paranoia? Nope. Hackers have long stalked hotels and their guests, in part because many hotels are known to be lax about security but many guests proceed as though the opposite is true. Said Lamar Bailey, director of security firm Tripwire's Vulnerability and Exposure Research Team, “This report is very credible. This is a major vulnerability.” He too thought hotels will be slow to apply the patch.
Added Francis Turner, a vice president at security firm ThreatSTOP: “It doesn’t surprise me at all. Nobody has even thought about security on these kinds of routers.”
What can you do to protect yourself? Simple, said Turner: don’t use hotel Wi-Fi. “Use a mobile hotspot on your cellphone,” he advised. That hotspot is a secure channel. Nobody says it is perfectly secure but it is many orders of magnitude more secure than hotel WiFi.
Or do as Bailey does. He said he uses hotel Wi-Fi, but he accesses it through a Virtual Private Network (VPN) - there are many low cost, even free ones available. “It encrypts all my data,” he said. Even if a hacker were sitting on the router, it wouldn’t matter because from a VPN he would see computer nonsense. Could it be penetrated? Of course. But hackers go after low hanging fruit and few would bother with an encrypted VPN stream.
Alternatively, said the security experts, use the hotel Wi-Fi - just not for anything that involves a username and password. Want to know what’s going on in the NCAA basketball playoffs? Log in. Surf to your heart’s content. Just don’t input a username/password on hotel WiFi because in doing that you might as well just give it to every cyber criminal.
“Hotels just don’t take guest cyber security seriously,” sighed Turner.
More proof: a few months ago security firm Kaspersky released details of the so-called Darkhotel attack where hackers targeted specific hotel guests. Also a few months ago, the U.S. Dept. of Homeland Security issued a warning about malware installed in hotel business centers with the intent of stealing user credentials. Expect yet more revelations of hotel cyber insecurities, predicted the experts.
Added Tendell: “A lot of people have been hacked at hotels and just don’t know it. That’s the scariest part of all of this.”
—Written by Robert McGarvey for MainStreet