Your hotel Wi-Fi network may have some serious security flaws

Person Plugging in Ethernet Cable
(Image credit: Gorodenkoff / Shutterstock)

An internet gateway that many hotels use to provide their guests with Wi-Fi connectivity is flawed to the point where a malicious actor could exfiltrate sensitive and personally identifiable data on them, researchers have claimed.

Etizaz Mohsin discovered that the gateway, called Airangel HSMX Gateway, contains hardcoded passwords that were “extremely easy to guess”. 

With these passwords, a malicious actor could access the gateway’s database with all the data on the people using the network, including the guest’s name, room number, and email address and possibly also be able to redirect users to other websites.

Malls, hotels, convention centers at risk

In total, the researcher found five vulnerabilities he believes could compromise the gateway and put users and their endpoints at risk.

Reaching out to Airangel for comment, the company allegedly told Mohsin the device was discontinued in 2018 and is no longer supported - meaning the bugs still haven’t been fixed. 

Mohsin says the device is still “widely” used by hotels, malls, as well as convention centers around the world, and internet scans have shown at least 600 accessible devices. The final number could be a lot higher, with the majority of at-risk hotels are in the UK, Germany, Russia, and the Middle East.

“Given the level of access that this chain of vulnerabilities offers to attackers, there is seemingly no limit to what they could do,” Mohsin told TechCrunch.

Public Wi-Fi networks, such as those found in hotels, cafes, libraries, or airports, are generally considered a security risk. Cybersecurity researchers have been warning for years how people should refrain from doing certain things while connected to these networks - like paying for services, using social media accounts, or accessing business email. 

To remain secure while browsing, users are advised to deploy a virtual private network (VPN), as it masks the IP address of the user and encrypts the connection, making online actions basically untraceable and more secure.

  • You might also want to check out our list of the best proxies right now

Via: TechCrunch

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.