Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Hotel Self Check-In Kiosks Exposed Room Access Codes

Self check-in kiosks at Ibis Budget hotels were affected by a vulnerability that exposed keypad codes that could be used to enter rooms. 

Self check-in kiosks at Ibis Budget hotels in Germany and other European countries may have been affected by a vulnerability that exposed keypad codes which could be used to enter rooms, Swiss IT security assessment firm Pentagrid said on Tuesday.

The Ibis Budget brand is owned by French hospitality giant Accor. According to the company’s website, there are 600 Ibis Budget hotels across 20 countries. 

In late 2023, Pentagrid hackers discovered a vulnerability in the self check-in terminal present at an Ibis Budget hotel in Germany, but they believe the flaw likely impacted other hotels as well. 

Accor was immediately notified and the company informed Pentagrid within a month that it had rolled out patches to affected devices. 

The impacted kiosks allow Ibis Budget hotel customers to check into their room when no staff is present. The customer is asked to enter the booking ID and the terminal displays the associated room number and the door keypad code that can be used to enter the room.  

Pentagrid discovered that by entering a series of dashes instead of the booking ID, the terminal displayed a list of current bookings. Tapping on a booking showed the room number and the keypad access code, which, according to Pentagrid, remains unchanged during the customer’s stay at the hotel. The exposed access codes could have been used by an attacker to enter rooms.

The security firm’s researchers believe this was likely a bug or a test function that the vendor forgot to deactivate, rather than a master code designed to provide access to all the bookings.  

The researchers conducted a Google search for images of check-in kiosks at Ibis Budget hotels. The search returns dozens of results, particularly for hotels in Germany and France. 

Pentagrid said it’s unclear which company makes the impacted kiosks. 

Advertisement. Scroll to continue reading.

In order to exploit the vulnerability, an attacker would have needed physical access to the targeted terminal, with the device being set to allow self-service, which is most likely during the night, the researchers noted. 

“Access to hotel rooms would allow the theft of valuables, especially if low-budget hotel rooms are not equipped with a room safe,” Pentagrid said in a blog post describing its findings

SecurityWeek has reached out to Accor for comment and will update this article if the company responds.

Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Saflok Lock Vulnerability Can Be Exploited to Open Millions of Doors

Related: Axis Door Controller Vulnerability Exposes Facilities to Physical, Cyber Threats

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.