Hackers may have had access to hundreds of hotels without anyone knowing

Nearly everyday, new digital glitches are discovered that could hand over all your precious data to online criminals.

So when Cylance Senior Security Researcher Justin W. Clarke called his latest finding "far-reaching and devastating," my ears perked up. He went further, "this is huge." This discovery involves a vulnerability that affects over 275 hotels globally and the Wi-Fi they provide to customers, Wired reports.

This means that anyone surfing at an affected hotel's hotspot could have had their traffic monitored or tampered. And it gets worse than that.

The vulnerability is relatively easy to execute. The issue lies in a device called an InnGate route made by the company ANTlabs. These devices are used by big organizations such as hotels and convention centers to manage guest Wi-Fi access. They "provide temporary guests access to a WiFi connection," Cylance writes in its blog.

The problem was found in a tool called the "Rsync daemon." Wired explains:

The Rsync daemon is a tool often used to backup systems since it can be set up to automatically copy files or new parts of files from one location to another. Although the daemon can be password-protected, the ANTlabs device that uses it requires no authentication.

So an attacker can connect with this tool, which does not require a password or any other safeguard, and can then gain access to the entire operating system of the router. "This vulnerability would provide an attacker the ability to use this in-gate device for anything they want," Clarke said.

This is big for two reasons: One, these routers are widespread and used all over the world. Of the 277 devices Clarke discovered with the vulnerability over 100 of them were located in the US. And most of the companies affected were large hotel chains. Cylance cannot disclose which hotels were affected, and Clarke said to me that they informed all the parties involved so they could patch the issue.

The other reason is because this may not only affect Wi-Fi traffic. To understand this point, it's important to know that the hotel industry is working on modernizing its systems. This means that all records are being put online, and the most advanced hospitality companies are trying to streamline customer access by connecting networks.

To do this, hotels use what's called a Property Management System (PMS), which is a platform to put all hotel necessities at the companies' fingertips. A PMS has access to guest bookings, personal details, reservations, sales, and payroll, to name just a few. Some hotels, it turns out, have their PMS integrated into InnGate devices. This was most likely done to streamline amenities. For instance, if one guest was supposed to get free Wi-Fi, the front desk could use the PMS to give them that access.

But if a PMS is connected to the router that gave attackers free reign to the file system, the hackers can get even more information other than Wi-Fi traffic. They can gain access to records, room numbers, and even use the access of one router to infect other branches that wouldn't have otherwise been affected.

So now you can see why this is big.

This vulnerability is reminiscent of DarkHotel, a sophisticated online attack discovered last year that targeted "high-profile hotel guests" by using the hotel's network. In fact, it's quite possible that the DarkHotel attackers used this exact InnGate router issue to do the damage they did. All the same, both revelations show huge hospitality security issues.

Hotels are now scrambling to fix this huge security hole. But the problem is that many hotels aren't the most technologically savvy. This means they may not even understand the gravity of the problem. Clarke explained that many hotel employees may have no idea what an InnGate router is, as it's one of many seemingly innocuous networking equipment machines: "The hospitality folks say we need some Wi-Fi for our guests and all they know is that a DSL line goes in."

Does this mean that you should never use hotel Wi-Fi? Clarke wouldn't go that far. He said that he himself wouldn't check his bank account at a hotel, but neither would he do it at cafe. What this emphasizes is that hostile public internet environments are getting even more hostile. Hackers have broken into two large insurance companies in the past few months, not to mention the myriad payments breaches of the last two years.

This gives normal people a wake-up call about how easy it is for hackers to get your information, but it also may be good in the long run. "I wonder if this is going to at least help a little bit to push along the hospitality industry to look at their security posture," he said.