Full Report
At hacker congress this year, some of the folks found a vulnerability in the check-in kiosk. Shocker! When checking in at the hotel terminal, the lookup function required an alphanumeric booking ID. When submitting an incorrect code, an error appears, as expected. When providing dashes (-), it would display all booking IDs. This appears to be a master code or a test function for debugging. The listing contains a booking ID, timestamp and the total price. If you click on a listed booking, it would output the room number and the room code. By getting all IDs from the first bug, you'd then be able to get the room code. Yikes! Only requiring a booking ID for a room code is not great. These may be leaked by discarded invoices or printouts. How would we fix this? Further data should be required, such as an ID, passport number, a PIN code that was emailed, or something else. Overall, a fairly funny and old-school issue.
Analysis Summary
# Vulnerability: IBIS Hotel Check-in Kiosk Arbitrary Booking/Keypad Code Disclosure
## CVE Details
- CVE ID: Not specified in the source material.
- CVSS Score: 5.3 (Medium) (Based on *AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N*)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - *Inferred based on description.*
## Affected Systems
- Products: Hotel check-in terminals for IBIS Budget hotels (Specific vendor unknown, but observed on terminal ID 2711 in Hamburg Altona).
- Versions: Unspecified, but affected terminals were in use prior to January 26, 2024.
- Configurations: Terminals allowing self-service lookup of existing bookings, especially when reception is unstaffed.
## Vulnerability Description
The vulnerability resides in the booking ID lookup function of the self-service check-in kiosk. When a user attempts to look up a booking using an *incorrect* alphanumeric Booking ID, the system returns an expected error. However, submitting a sequence of dashes (specifically '------' or potentially any sufficiently long string of dashes) as the booking ID bypasses standard validation and causes the terminal to display a list of *all* active bookings. This leak includes the booking ID, arrival timestamp, and total price. Furthermore, interacting with a listed booking reveals the associated six-digit numeric room keypad code and room number. This allows an attacker with physical access to the terminal to obtain codes for other guests' hotel rooms.
## Exploitation
- Status: PoC available (Demonstration video published by the finding party).
- Complexity: Low (Requires physical access to an active terminal and inputting a specific string of dashes).
- Attack Vector: Physical
## Impact
- Confidentiality: High (Access to room numbers and security codes for physical hotel rooms).
- Integrity: None (No modification of systems or data observed).
- Availability: None (System functionality remains available).
## Remediation
### Patches
- The vendor/operator (Accor) confirmed on 2024-01-26 that the vulnerability was fixed and deployed to affected check-in terminals. Specific patch versions are not detailed.
### Workarounds
- Disable the terminal entirely until the software update is installed and verified.
- Implement mandatory logging/monitoring for failed lookup attempts.
## Detection
- **Indicators of compromise:** Unusually high volume of booking lookups originating from the terminal, especially lookups using non-standard or non-alphanumeric inputs (e.g., strings of dashes).
- **Detection methods and tools:** Monitor terminal logs for query inputs that do not conform to expected valid booking ID formats, particularly looking for strings of special characters. The presence of sensitive data (room numbers, keypad codes) displayed in terminal output logs (if available) would confirm exploitation.
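As an added example (not code from the advisory, Pentagrid, or the kiosk vendor), the two defensive sides of the findings above: a lookup that enforces an allow-list booking ID format plus a second factor before returning anything, and the detection check from this section run over constructed terminal log lines. The 6-12 character upper-case alphanumeric ID format, the PIN field and the log line layout are assumptions.

```python
import re
from collections import Counter

# Assumption (not from the advisory): booking IDs are 6 to 12 upper-case
# alphanumeric characters. Anything else is rejected before any query runs.
BOOKING_ID_RE = re.compile(r"^[A-Z0-9]{6,12}$")

def is_valid_booking_id(value: str) -> bool:
    """Strict allow-list check: a string of dashes never reaches the database."""
    return bool(BOOKING_ID_RE.fullmatch(value))

def lookup_booking(bookings: dict, booking_id: str, pin: str):
    """Hardened lookup: validated ID *and* a second factor (hypothetical PIN)
    must both match. Returns exactly one booking or None, never a list."""
    if not is_valid_booking_id(booking_id):
        return None
    record = bookings.get(booking_id)
    if record is None or record["pin"] != pin:
        return None
    return record

# Constructed log lines in a hypothetical "timestamp terminal lookup result" layout.
SAMPLE_LOG = """\
2024-01-20T10:01:05 terminal=2711 lookup=AB12CD34 result=notfound
2024-01-20T10:01:40 terminal=2711 lookup=------ result=list
2024-01-20T10:02:10 terminal=2711 lookup=-------- result=list
2024-01-20T10:05:00 terminal=2712 lookup=ZX98QW76 result=ok
"""
LOG_RE = re.compile(r"^(\S+) terminal=(\d+) lookup=(\S+) result=(\S+)$")

def flag_suspicious_lookups(log_text: str, threshold: int = 2):
    """Return (flagged, alerting): lookups whose input violates the booking ID
    format, and the terminals that reached the threshold of such lookups."""
    flagged, per_terminal = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not lookup events
        ts, terminal, query, _result = m.groups()
        if not is_valid_booking_id(query):
            flagged.append((ts, terminal, query))
            per_terminal[terminal] += 1
    alerting = sorted(t for t, n in per_terminal.items() if n >= threshold)
    return flagged, alerting
```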
## References
- Vendor advisory/Fix confirmation timeline provided by Pentagrid AG.