Hotel check-in terminal bug spews out access codes for guest rooms

A security researcher discovered a major flaw in self-service check-in terminals used by Ibis Budget hotels in Europe. The terminals were programmed to display room keycodes when a guest entered a series of dashes instead of a booking reference number. This vulnerability allowed anyone to easily obtain access codes for multiple rooms with minimal technical knowledge. The researcher was able to retrieve keycodes for 87 rooms at a single hotel, though it's unclear if this represented all the active bookings or if the bug capped the number of retrieved codes. Even with discarded printouts containing valid booking references, the bad actors could gain access to rooms.

This security lapse could have serious consequences. Thieves could steal from guests, potentially targeting rooms based on price to maximize their gains. Even more concerning is the possibility of stalkers and other malicious individuals using the stolen keycodes to endanger guests' safety. The security issue was patched within a month of discovery, but it highlights a troubling trend in hotel security vulnerabilities. This incident comes on the heels of another where millions of electronic hotel door locks were susceptible to hacking using readily available tools. These weaknesses underscore the need for the hospitality industry to prioritize robust security measures to protect their guests.

The Register 04/05/2024