Ariane Systems, a widely used self-check-in system, is vulnerable to a kiosk mode bypass that could expose customers’ personal information and allow keys to adjacent rooms to be issued.
These terminals allow guests to book and check into the hotel themselves, process payments through a POS subsystem, print invoices, and provision RFID transponders used as room keys.
Earlier this year, a researcher discovered a way to bypass the Ariane Allegro Scenario Player running in kiosk mode on the hotel’s self-check-in terminal and reach the underlying Windows desktop, with all client information on it. Despite several attempts to notify the vendor about this bug, the researcher has yet to receive a response stating which firmware version addresses the issue.
Specifically, the researcher noticed that the application hangs when a single quote is entered on the terminal’s reservations look-up screen. When the user then touches the screen again, the underlying Windows operating system offers the option to close the app’s process, which terminates the Ariane Allegro Scenario Player and exposes the desktop.
From there, the user can access any data stored on the device, including reservation entries containing personally identifiable information (PII) and bills.
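The failure mode just described (the application hangs, the hung window is closed from the touch screen, and the Explorer desktop is left exposed) is exactly what Windows kiosk hardening exists to prevent. The PowerShell script below is an added example written for this page, not Ariane’s code or configuration; the executable path, process name and log path are placeholders, since the page does not name them. It makes the check-in application the Windows shell via Shell Launcher so that no desktop sits behind it, runs a watchdog that terminates a hung instance so the shell restarts it, and queries the Windows event that records application hangs so the terminal’s logs can be monitored for repeated hangs.

```powershell
# Added example for a Windows kiosk terminal; not Ariane's code.
# Paths, the process name and the log file are hypothetical placeholders.
# Run in an elevated PowerShell session on Windows 10/11 Enterprise or IoT.

# --- 1. Make the kiosk application the shell instead of Explorer ------------
# With Shell Launcher there is no desktop behind the app: whenever the app
# exits, for any reason, Windows applies the configured action ("restart the
# shell" here), so closing a hung window only relaunches the kiosk app.
$KioskExe     = 'C:\Kiosk\KioskApp.exe'   # placeholder for the check-in app
$KioskProcess = 'KioskApp'                # placeholder process name (no .exe)
$LogFile      = 'C:\Kiosk\watchdog.log'   # placeholder log location
$RestartShell = 0   # Shell Launcher actions: 0 restart shell, 1 restart device,
                    # 2 shut down device, 3 do nothing

Enable-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher -NoRestart

$ShellLauncher = [wmiclass]"\\localhost\root\standardcimv2\embedded:WESL_UserSetting"
$ShellLauncher.SetDefaultShell($KioskExe, $RestartShell) | Out-Null   # every user
$ShellLauncher.SetEnabled($true) | Out-Null

# --- 2. Watchdog: kill a hung kiosk process so Shell Launcher relaunches it --
# A process that has stopped pumping window messages reports Responding = $false.
# Terminating it triggers the restart action instead of leaving a
# "not responding" window on the touch screen that can be closed by hand.
function Write-KioskLog {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

function Start-KioskWatchdog {
    param(
        [string]$Name,
        [int]$HangSeconds = 15,   # how long a hang is tolerated before killing
        [int]$PollSeconds = 5
    )
    $unresponsivePolls = 0
    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $proc = Get-Process -Name $Name -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if (-not $proc) {
            # Shell Launcher is responsible for relaunching; just record the gap.
            Write-KioskLog "kiosk process '$Name' not running; awaiting shell restart"
            $unresponsivePolls = 0
            continue
        }
        if ($proc.Responding) {
            $unresponsivePolls = 0
            continue
        }
        $unresponsivePolls++
        if (($unresponsivePolls * $PollSeconds) -ge $HangSeconds) {
            Write-KioskLog "kiosk process PID $($proc.Id) hung for $HangSeconds s; terminating"
            Stop-Process -Id $proc.Id -Force
            $unresponsivePolls = 0
        }
    }
}

# --- 3. Detection: Windows records application hangs itself -----------------
# Event 1002 from the "Application Hang" source in the Application log marks
# each hang. Forwarded to a SIEM, repeated hangs of the check-in app are the
# signal that someone is provoking the crash described in the article.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Hang'; Id = 1002 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $KioskProcess } |
    Select-Object TimeCreated, Message

# Run the watchdog last: it loops until the terminal reboots.
Start-KioskWatchdog -Name $KioskProcess
```

Because the kiosk app replaces Explorer as the shell, the watchdog has to be started independently, for example from a scheduled task that runs at logon under the kiosk account; Task Scheduler does not depend on Explorer. Making the shell restart on exit closes the gap the article describes, and the watchdog limits how long a hung window stays on screen; neither replaces the vendor fix for the hang itself.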
The bug in Ariane Systems, which is employed by small- to medium-sized enterprises, could impact a significant number of individuals.
The susceptible terminals that run on Ariane Systems are often used in small- to medium-sized enterprises where employing check-in staff around the clock would be prohibitively expensive for the firm.
According to Ariane Systems, its self-checkout solutions are currently employed by 3,000 hotels in 25 countries, totalling over 500,000 rooms. In addition, its clients include one-third of the world’s top 100 hotel brands.
Since uncovering the problem in early March, the researcher has attempted to submit his findings to Ariane several times but has received only a brief answer saying that the concerns had been resolved.
Currently, it is unknown which version of the application fixes the vulnerability, how many terminals are utilising a vulnerable version, and which hotel chains are impacted.
Still, Ariane Systems has been negligent about sharing information on its fix. Hotel operators employing Ariane Systems terminals should temporarily isolate the self-check-in machines from the hotel network and other essential systems, and contact the manufacturer to find out whether they are running a patched version.