A recent investigation by Pentagrid AG uncovered a significant security flaw at an IBIS Budget hotel: its self-service check-in terminal could be made to disclose other guests' room numbers and keypad codes.
IBIS Hotels is a prominent brand within the AccorHotels group, offering budget-friendly accommodations worldwide. The brand is known for providing comfortable, well-designed, affordable hotel experiences in key locations across cities and airports.
The vulnerability, discovered after a hacker congress in Hamburg, exposed almost half of the hotel's room codes when a specific non-alphanumeric string was entered in place of a booking number. This raised concerns about theft of valuables from rooms, especially since low-budget hotels typically provide no in-room safes.
The flaw found at the Hamburg IBIS Budget hotel may also affect other properties in the IBIS network or beyond, since it points to a weakness in the automated check-in terminals used across the hotel industry. Wherever the same or related terminal software is deployed, those locations remain at risk until the fix is applied.
After discovering the flaw on December 31, 2023, Pentagrid promptly reported it to the hotel's franchisee, Sczygiel Hotelmanagement GmbH, and to the hotel chain operator, Accor. Despite initial challenges, Accor confirmed by January 26, 2024 that it had reproduced and fixed the vulnerability and deployed updates to the affected terminals.
The weakness lay in a feature that lets guests look up their room number and keypad code by entering their booking ID. Entering a specific sequence of dashes instead of a booking ID caused the terminal to display other guests' booking details, including room numbers and access codes.
The behaviour was attributed to either a bug or a test function that was never disabled in the terminal's software. The vulnerability, rated medium with a CVSS score of 5.3, underscores the tension between customer convenience and security in automated service terminals.
Pentagrid AG's report also highlights the broader implications of such vulnerabilities, emphasizing the need for robust security measures that require additional authentication beyond basic booking information to prevent unauthorized room access.
Pentagrid's recommendations were to update the terminal software so that a lookup requires more than the booking ID alone and, until that patch is applied, to switch the terminal off. The incident is a reminder of the ongoing challenge of securing self-service technology in the hospitality industry.
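The root cause inside the real terminal is not public, so the following is an added illustration, not Pentagrid's findings or the terminal vendor's code. It models one plausible way a lookup degrades into "show every booking" (the input is "cleaned" of non-alphanumerics, the dashes collapse to an empty string, and an empty string loosely matches every record), and sets beside it a hardened lookup that follows the recommendation above: strict booking-ID format, exact-key match, a second factor (last name and check-in date), and a lockout so the fixed lookup cannot simply be turned into a booking-ID guessing game. All booking data, ID format, and names here are constructed for the example.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Booking:
    booking_id: str
    last_name: str
    checkin: str  # ISO date, e.g. "2023-12-31"
    room: str
    keypad_code: str


# Constructed sample bookings (hypothetical data, not from any real hotel).
BOOKINGS = [
    Booking("ABC123XYZ9", "Mueller", "2023-12-31", "204", "4711"),
    Booking("DEF456UVW8", "Lopez", "2023-12-30", "117", "9302"),
    Booking("GHI789RST7", "Nakamura", "2023-12-31", "305", "2246"),
]


def vulnerable_lookup(user_input: str) -> list:
    """Hypothetical model of the bug class, not the real terminal's logic.

    The input is "normalised" by stripping non-alphanumerics, then matched as a
    substring. A sequence of dashes becomes "", and "" is a substring of every
    booking ID, so the lookup returns every guest's room and keypad code.
    """
    key = re.sub(r"[^A-Za-z0-9]", "", user_input)
    return [b for b in BOOKINGS if key in b.booking_id]


# Assumed booking-ID format for this example: exactly ten upper-case alphanumerics.
BOOKING_ID_RE = re.compile(r"[A-Z0-9]{10}")
MAX_FAILURES = 5


class Kiosk:
    """Hardened lookup: strict ID format, exact match, second factor, lockout."""

    def __init__(self, bookings=BOOKINGS):
        self._by_id = {b.booking_id: b for b in bookings}
        self.failures = 0

    def lookup(self, booking_id: str, last_name: str, checkin: str):
        # Count failures across all three checks so an attacker cannot probe
        # IDs freely; after MAX_FAILURES the kiosk refuses until staff reset it.
        if self.failures >= MAX_FAILURES:
            return None
        booking = self._verify(booking_id, last_name, checkin)
        self.failures = 0 if booking else self.failures + 1
        return booking

    def _verify(self, booking_id: str, last_name: str, checkin: str):
        # 1. Reject anything that is not a well-formed booking ID, before any
        #    cleanup or database access. "-----" never reaches the lookup.
        if not BOOKING_ID_RE.fullmatch(booking_id):
            return None
        # 2. Exact-key lookup: no substring, prefix or wildcard semantics.
        booking = self._by_id.get(booking_id)
        if booking is None:
            return None
        # 3. Second factor beyond the booking ID: last name and check-in date.
        try:
            date.fromisoformat(checkin)
        except ValueError:
            return None
        name_ok = hmac.compare_digest(
            booking.last_name.casefold().encode(),
            last_name.strip().casefold().encode(),
        )
        date_ok = booking.checkin == checkin
        return booking if (name_ok and date_ok) else None


if __name__ == "__main__":
    print("vulnerable:", [b.room for b in vulnerable_lookup("-----")])
    k = Kiosk()
    print("hardened:", k.lookup("-----", "Mueller", "2023-12-31"))
    print("hardened:", k.lookup("ABC123XYZ9", "Mueller", "2023-12-31"))
```

The ordering in `_verify` matters: format validation comes first so that nothing is "cleaned" into a different query, and the second factor is checked even when the ID exists, so a leaked or guessed booking ID alone still yields nothing. The lockout is deliberately per-kiosk and simple; a real deployment would log the failures centrally so staff can see an enumeration attempt rather than only a locked terminal.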
Bryan Trezise
Hi Alex, thank you for your article. My partner and I booked into the Ibis hotel Sarrebourgh today and paid by credit card on arrival and checked into our room without a problem; however, when we came back after a dinner out we could not access the building or our room, as the access code was no longer accepted. Thankfully another client allowed us into the hotel; however, we could not access our room or our luggage, including private papers etc …..
When we were finally able to contact the hotel chain they were very adamant that we were booked into a completely different room. It wasn't until they had someone (a staff member) attend that we could access our original room. Thankfully our baggage was intact, but a very disappointing experience.
In closing, it would appear that there is still an issue with the booking system at Ibis and I thought you might be interested.
PS
We are here on holidays from Australia and don’t speak French so the French directions for assistance in the foyer of the hotel didn’t help us much either 😂.
Alex Lekander
Oh wow, thanks for sharing Bryan.