A recent discovery by Pentagrid security researcher Martin Schobert has shed light on a critical software vulnerability in Ariane Systems’ kiosk platform, putting the personal data of hotel guests at risk. Through a flaw in the kiosk mode bypass (CVE-2024-37364, CVSS 3.0 score 6.8), attackers could potentially access locally stored reservations, invoices, and personally identifiable information (PII) of guests using the check-in terminals equipped with the software. This vulnerability could have far-reaching consequences as Ariane boasts over 3,000 installations worldwide, making it a prime target for malicious actors.
According to Schobert, the vulnerable terminals running Ariane Allegro Scenario Player could also be exploited to create room keys for other hotel rooms. By exploiting the flaw, attackers could potentially access the system’s Windows desktop, giving them the ability to execute code and manipulate data stored on the network. Physical access to a check-in terminal is required for such an attack, but with the right preparation, an attacker could quickly compromise the system and gain unauthorized access.
John Bambenek, president at Bambenek Consulting, emphasized the importance of proper physical monitoring for kiosk terminals to prevent such incidents. He recommended keeping the kiosks in highly visible areas with antivirus surveillance and limiting public access to anything other than the touchscreen. These measures, along with isolating the terminals on a separate network segment, could significantly reduce the risk of unauthorized access to sensitive data.
Another expert, John Gallagher, vice president of Viakoo Labs at Viakoo, highlighted the multiple risks associated with unauthorized access to hotel check-in terminals. This includes the potential for lateral movement to other systems on the network, data capturing applications being installed on the kiosk, and even gaining access to occupied rooms by exploiting the vulnerability. Updating the kiosk software to the latest version of the Ariane Allegro Scenario Player is crucial to addressing the software flaw and preventing future attacks.
Ariane has informed Pentagrid that the vulnerability has been fixed in a new version of the Allegro Scenario Player, but the exact version in which the problem was patched remains undisclosed. Hotel operators are urged to ensure that all check-in terminals are running the latest software version to mitigate the risk of exploitation. In addition to regular patching, organizations should implement network isolation for IoT devices, such as placing terminals on a separate VLAN or network segment, to enhance security measures.
Overall, the discovery of this vulnerability in Ariane Systems’ kiosk platform serves as a reminder of the importance of maintaining secure and up-to-date software to protect sensitive data and prevent unauthorized access. By taking proactive measures to secure check-in terminals and implementing robust security practices, hotel operators can safeguard their guests’ personal information and maintain the trust of their customers.