The security vulnerability in Ariane Allegro Hotel Check-In Kiosks that exposed guest data and potentially compromised room access has been addressed with the development of a patch, enhancing the overall security of the system.
Recently, Pentagrid, a Swiss cybersecurity firm, discovered a vulnerability in the Ariane Allegro Scenario Player software program used in hotel check-in kiosks. This vulnerability allowed individuals to exit the kiosk’s intended usage and access the underlying Windows Desktop OS. Ariane Systems, the software vendor, is a leading provider of self-check-in and out solutions, serving numerous hotels and rooms globally.
During a threat modeling workshop at a hospitality brand in Liechtenstein and Switzerland, Pentagrid’s Martin Schobert revealed that the application crashed in Kiosk mode when a single quote character was entered into the guest search. This issue affected the functionality of the check-in kiosk, potentially impacting room reservations, payment processing, and access to room keys via RFID transponders.
Schobert noted that entering a name with a single-quote character would cause the application to hang, prompting the user to either wait or stop the task. If the stop option is selected, the Windows OS becomes accessible, posing potential risks such as unauthorized network access, data breaches, and the creation of room keys for other rooms. However, exploiting this vulnerability requires physical access to the system and the kiosk to be in a self-service state.
The severity of the vulnerability has been rated as medium, and a CVE is yet to be assigned for this issue. Although Ariane Systems indicated that the affected systems are legacy systems with disabled USB ports to prevent data retrieval, Pentagrid argued that the system design still allows for certain vulnerabilities.
Nevertheless, Ariane Systems has addressed the issue and released a patch to fix the vulnerability. It is recommended that users contact the vendor for further details and promptly install the latest version of the software to ensure protection against potential security risks.
John Bambenek, President of Cybersecurity and Threat Intelligence Consulting firm Bambenek Consulting, highlighted the dangers posed by the vulnerability, particularly in cases of domestic violence and theft of credit card data. He emphasized the importance of regularly updating kiosk systems to mitigate risks and advised implementing network restrictions to enhance security measures.
In conclusion, the security vulnerability in Ariane Allegro Hotel Check-In Kiosks has been addressed through the development of a patch by Ariane Systems. It is crucial for users to stay informed about software updates and maintain the latest version to safeguard against potential security threats and data breaches.