An internet gateway that many hotels use to provide their guests with Wi-Fi connectivity is flawed to the point where a malicious actor could exfiltrate sensitive and personally identifiable data on them, researchers have claimed.
Etizaz Mohsin discovered that the gateway, called Airangel HSMX Gateway, contains hardcoded passwords that were “extremely easy to guess”.
With these passwords, a malicious actor could access the gateway’s database with all the data on the people using the network, including the guest’s name, room number, and email address and possibly also be able to redirect users to other websites.
Malls, hotels, convention centers at risk
In total, the researcher found five vulnerabilities he believes could compromise the gateway and put users and their endpoints at risk.
Reaching out to Airangel for comment, the company allegedly told Mohsin the device was discontinued in 2018 and is no longer supported - meaning the bugs still haven’t been fixed.
Mohsin says the device is still “widely” used by hotels, malls, as well as convention centers around the world, and internet scans have shown at least 600 accessible devices. The final number could be a lot higher, with the majority of at-risk hotels are in the UK, Germany, Russia, and the Middle East.
“Given the level of access that this chain of vulnerabilities offers to attackers, there is seemingly no limit to what they could do,” Mohsin told TechCrunch.
Public Wi-Fi networks, such as those found in hotels, cafes, libraries, or airports, are generally considered a security risk. Cybersecurity researchers have been warning for years how people should refrain from doing certain things while connected to these networks - like paying for services, using social media accounts, or accessing business email.
To remain secure while browsing, users are advised to deploy a virtual private network (VPN (opens in new tab)), as it masks the IP address of the user and encrypts the connection, making online actions basically untraceable and more secure.
- You might also want to check out our list of the best proxies right now
Via: TechCrunch (opens in new tab)