Self check-in kiosks at Ibis Budget hotels in Germany and other European countries may have been affected by a vulnerability that exposed keypad codes which could be used to enter rooms, Swiss IT security assessment firm Pentagrid said on Tuesday.
The Ibis Budget brand is owned by French hospitality giant Accor. According to the company’s website, there are 600 Ibis Budget hotels across 20 countries.
In late 2023, Pentagrid hackers discovered a vulnerability in the self check-in terminal present at an Ibis Budget hotel in Germany, but they believe the flaw likely impacted other hotels as well.
Accor was immediately notified and the company informed Pentagrid within a month that it had rolled out patches to affected devices.
The impacted kiosks allow Ibis Budget hotel customers to check into their room when no staff is present. The customer is asked to enter the booking ID and the terminal displays the associated room number and the door keypad code that can be used to enter the room.
Pentagrid discovered that by entering a series of dashes instead of the booking ID, the terminal displayed a list of current bookings. Tapping on a booking showed the room number and the keypad access code, which, according to Pentagrid, remains unchanged during the customer’s stay at the hotel. The exposed access codes could have been used by an attacker to enter rooms.
The security firm’s researchers believe this was likely a bug or a test function that the vendor forgot to deactivate, rather than a master code designed to provide access to all the bookings.
The researchers conducted a Google search for images of check-in kiosks at Ibis Budget hotels. The search returns dozens of results, particularly for hotels in Germany and France.
Pentagrid said it’s unclear which company makes the impacted kiosks.
In order to exploit the vulnerability, an attacker would have needed physical access to the targeted terminal, with the device being set to allow self-service, which is most likely during the night, the researchers noted.
“Access to hotel rooms would allow the theft of valuables, especially if low-budget hotel rooms are not equipped with a room safe,” Pentagrid said in a blog post describing its findings.
SecurityWeek has reached out to Accor for comment and will update this article if the company responds.
Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors
Related: Saflok Lock Vulnerability Can Be Exploited to Open Millions of Doors
Related: Axis Door Controller Vulnerability Exposes Facilities to Physical, Cyber Threats
