Kareem Chehayeb reports:
Pakistani cybersecurity researcher Etizaz Mohsin was in a hotel room in Qatar when he unexpectedly discovered a technical vulnerability in its internet system that exposed the private information of hundreds of hotels and millions of guests worldwide.
[…]
“I found out that there is a service running rsync [file synchronization tool], which allows me to dump the files of the device to my own computer,” Mohsin explained. “I was able to access the sensitive information of all other hotels which were using the FTP [file transfer protocol] server for backup purposes.”
From his hotel room he was able to obtain network configurations of 629 major hotels across 40 countries, and the personal information of millions of guests, including their room numbers, emails, and dates they checked in and out of the hotel.
This reminds me of the Accellion breach, where the firm had stopped updating its software but a lot of customers had not upgraded or updated to the new software. Al Jazeera reports that the hotels in question all use an internet system called HSMX Gateway by British company AirAngel. That firm reportedly stopped updating the software in November of 2020 and encouraged clients to switch to its newer service called Captivnet. There is an undated statement on their website that says, in part:
A number of HSMX security vulnerabilities were published in December 2021. We are advising the few remaining HSMX gateway users to disable remote access, remove HSMX from their networks and to replace with Captivnet.
Were these issues and recommendations also mailed to customers in December? Are customers being mailed now to stress the need to replace HSMX?
According to the researcher, more than half of the hotels that were compromised continue to use the older service.
Read more at Al Jazeera.