Hotel check-in terminal bug spews out access codes for guest rooms

A self-service check-in terminal used in a German Ibis budget hotel was found leaking hotel room keycodes, and the researcher behind the discovery claims the issue could potentially affect hotels around Europe. The terminal's security flaw could be abused by anyone, requiring no technical knowledge or specialized tooling. …

  1. abend0c4 Silver badge

    Single out the wealthiest guests

    I suspect the first step in that pursuit is to seek out a hotel where you're checked in by a uniformed flunky and not by a machine.

    However, it's a pretty staggering flaw. Just as well there was a cybersecurity conference in town.

    1. John Brown (no body) Silver badge

      Re: Single out the wealthiest guests

      In the case of Ibis, I didn't think they had various grades of rooms and pricing and were a pretty basic, minimal frill chain under the Accor brand, which I think has about 20 different brands under its umbrella.

      1. abend0c4 Silver badge

        Re: Single out the wealthiest guests

        Accor has sliced the market into such thin segments it's difficult to know what purpose some of them serve. For example even the Ibis brand has Ibis Budget and Ibis Styles variants. However, you'd assume each segment has a clearly-identified target consumer.

        That's not to say the prices are directly linked as they're also determined by demand: a Novotel or, particularly, Mercure (the next segment up) might be cheaper than an Ibis if the latter is handier for a particular event.

  2. YetAnotherLocksmith
    FAIL

    As I've so often said before, the problem with electronic locks is, is there another key? You can never tell, unlike a mechanical lock.

    1. Tom 38

      the problem with electronic locks is, is there another key? You can never tell, unlike a mechanical lock.

      How do you tell with a mechanical lock?

    2. IGotOut Silver badge

      Sure, it's not like you could go down the local key cutting service and clone a key.

    3. VicMortimer Silver badge

      Right, with a mechanical lock, you KNOW there's another key.

      www.originallishi.com

      1. vtcodger Silver badge

        You know there's another key

        As well as, quite likely, one or more physical "master" keys that open (most?) every door in the place.

        Of course, I wouldn't be surprised that there are master electronic keys in more modern establishments with electronic locks as well. BTW, if the power fails, do those nifty electronic locks lock everyone out/in or default to unlocked?

        1. John Brown (no body) Silver badge

          Re: You know there's another key

          "Of course, I wouldn't be surprised that there are master electronic keys in more modern establishments with electronic locks as well."

          Well, yes. Every member of the housekeeping staff has one for starters. Probably reception staff too.

          1. Michael Wojcik Silver badge

            Re: You know there's another key

            Exactly. Hotel rooms are secure against casual attempts to gain entrance, at best. That's all they're designed for.

            That doesn't mean we should ignore exploits like these — at the very least, they tell us something useful about the vendors (i.e. their secure-development practices suck). And publicizing this sort of thing will somewhat increase the pool of potential attackers; not everyone wants to social-engineer access to a room, or lift a keycard from a staff member, or what have you. But the actual delta in security for a typical hotel guest is fairly small.

  3. YetAnotherLocksmith

    As I've said before, the problem with electronic locks is always "Is there another key?" With a mechanical lock, you can tell.

    1. VicMortimer Silver badge

      Yep. You KNOW it exists with a mechanical lock. No need to wonder.

  4. YetAnotherLocksmith
    FAIL

    As I've said so often before, the problem with electronic locks is "Is there another key?" With a mechanical lock, I can tell you.

  5. YetAnotherLocksmith
    FAIL

    As I've said so often before, the problem with electronic locks is "Is there another key?" With a mechanical lock, I can tell you.

    (6th time of trying to post this, what's going on?)

    1. Rosie Davies
    2. VicMortimer Silver badge
      Devil

      Yep. You KNOW with a mechanical lock there's ALWAYS another key. No need to wonder.

      www.originallishi.com

      (6th time replying to this silliness, because you keep posting it.)

      1. Michael Wojcik Silver badge

        I have to admit, though, after reading it six times, I'm still really wondering just what OP means. It's like some sort of lock-related koan, but even with slippers on my head, I don't get it.

    3. yetanotheraoc Silver badge

      "As I've said so often before"

      Exactly.

    4. Phones Sheridan Silver badge

      This has happened to me a couple of times, it turns out had I gone to the My Posts section, I would have noticed the post was "awaiting moderation". Something had flagged it up, and none of my posts made between that one, and the most recent were visible. Then they were.

      1. Michael Wojcik Silver badge

        Usually there's a pop-up banner that notes the post is flagged for moderation, but it disappears pretty quickly. So, yes, if you were expecting to see your post and don't, it's a good idea to have a quick look at "My Posts". (That is, click the "My Posts" link. It's always a good idea to read my posts, of course, but carefully and with a quiet sense of awe, rather than quickly.)

  6. Mike 137 Silver badge

    "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

    I'm amazed they even have a "security arm" as their general level of tech maintenance is in my experience appalling. Booking into an Accor hotel in a European capital on a business trip for a week a few years back, I found that the telephone and the wireless comms were dead and the kettle was burnt out. Reported immediately, but none were fixed by the end of my stay.

    1. agurney

      Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

      ...and the kettle was burnt out. Reported immediately, but none were fixed by the end of my stay.

      That's been addressed. Last time I was in Accor (Sheffield IIRC) they didn't provide kettles.

      1. VicMortimer Silver badge

        Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

        That's an improvement.

        Hotels wipe the kettle with the same rag they use to wipe the toilet.

        1. Sandtitz Silver badge
          Trollface

          Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

          "Hotels wipe the kettle with the same rag they use to wipe the toilet."

          They do? I have to find another place to wash my socks and unmentionables from now on.

          1. Neil Barnes Silver badge

            Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

            Is that what they mean by 'sanitise your input'? I wonder if the rooms have Bobby Tables?

        2. I am David Jones Silver badge
          Alert

          Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

          I think it was either QI or Room 101 where Sandi Toksvig was told that peeing in hotel kettles was a thing.

          The mind boggles

    2. An_Old_Dog Silver badge

      Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

      Accor Security is the head office receptionist, under her job description item, "5%: other duties as assigned".

      1. sgp

        Re: "Accor Security, the security arm of Accor, which owns the Ibis Budget chain"

        Always travel with your own kettle!

  7. heyrick Silver badge

    there's no evidence to suggest this was actually exploited in the real world

    Well, now that everybody knows to just enter a bunch of dashes...

    Oh, and that's the problem with electronic "solutions", there's generally no audit trail worth a damn. If I go to a hotel, enter some dashes, get the access codes to two rooms... unless I'm caught in those rooms or stuff is known to be missing, who is going to know? I doubt security recordings are looked at unless there's a problem and I doubt the machine keeps a detailed enough log of user interaction to even manage to implicate itself, never mind me.

  8. Winkypop Silver badge

    Dash it all

    The room safe is probably opened by entering a series of *

  9. Frank Bitterlich

    "It should be said, however, there's no evidence to suggest this was actually exploited in the real world."

    Sure, maybe "no evidence", but still "highly likely", because such things are being found out invariably – either by accident or by trying – and once found out, these tricks will be making the rounds. To pranksters, creeps, criminals, and sleuths.

    The usual playing down of these flaws. I'm surprised by the missing "Ibis Hotels takes the safety and security of our guests very seriously."

    $sql = sprintf("select * from BOOKINGS where BOOKINGCODE like '%s'", str_replace("-", "%", $entered_code));
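
An added example, not part of the comment above and not any vendor's code: the query guessed at in that comment, ported from PHP to Python with sqlite3, beside a lookup that validates the code and matches it exactly. The table layout, the eight-digit code format and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: booking codes, rooms and keycodes are invented.
ROWS = [
    ("48213907", "101", "554201"),
    ("48213955", "102", "910377"),
    ("73920016", "205", "268840"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bookings (bookingcode TEXT PRIMARY KEY, room TEXT, keycode TEXT)"
    )
    db.executemany("INSERT INTO bookings VALUES (?, ?, ?)", ROWS)
    return db

def lookup_speculated(db, entered_code):
    # Mirrors the comment's guess: dashes become LIKE wildcards and the
    # result is spliced into the SQL text, so user input acts as a pattern.
    pattern = entered_code.replace("-", "%")
    sql = "SELECT room, keycode FROM bookings WHERE bookingcode LIKE '%s'" % pattern
    return db.execute(sql).fetchall()

CODE_FORMAT = re.compile(r"[0-9]{8}")  # assumed format: exactly eight digits

def lookup_hardened(db, entered_code):
    # Reject malformed input before touching the database, then compare
    # for equality with a bound parameter (no pattern matching at all).
    if not CODE_FORMAT.fullmatch(entered_code):
        return None
    rows = db.execute(
        "SELECT room, keycode FROM bookings WHERE bookingcode = ?",
        (entered_code,),
    ).fetchall()
    # A booking code must identify exactly one booking.
    return rows[0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = make_db()
    for code in ("48213907", "4821----", "--------"):
        print(code, len(lookup_speculated(db, code)), lookup_hardened(db, code))
```

Logging every rejected or non-unique lookup at the terminal would also give the audit trail an earlier comment in this thread says is usually missing.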
