A kiosk mode bypass vulnerability (CVE-2024-37364) in Ariane Systems' self-service check-in kiosk platform [1] [2] was discovered by security researcher Martin Schobert in March 2024 [1].

Description

The flaw, rated 6.8 on the CVSS 3.0 scale [1], lets a person standing at a check-in terminal escape the locked-down check-in application (the kiosk mode) and reach the underlying system and the guest data it holds [1] [2]. From there an attacker could read reservations [1], invoices [1] [2], and other personally identifiable information (PII) stored on or reachable from the terminal. Because the terminals carry an RFID writer for issuing key cards, an attacker could also encode room keys for other guests' rooms [2].

Exploitation requires physical access to the terminal [2]; the score reflects that prerequisite, but the practical impact of forged room keys is severe. Physical placement and monitoring therefore matter as much as patching. Recommendations include placing kiosks in highly visible areas [2], limiting who can reach the touchscreen when the kiosk is unattended [2], and isolating the terminals on their own network segment so that an escaped kiosk cannot reach other hotel systems [2].

Ariane has fixed the flaw in an updated version of its Allegro Scenario Player kiosk software [2]. Operators should confirm that every deployed terminal is running the fixed version, apply the same network isolation to the terminals as to other IoT devices [2], and have an incident response plan ready in case a terminal is found to have been tampered with [2]. Ariane Systems [1] [2], described as the world's leading provider of automatic check-in and check-out solutions for the hotel industry [1], has over 3,000 installations [1], so the population of affected terminals is substantial.

Conclusion

A kiosk that can be dropped out of its restricted interface exposes both guest data and, through its key encoder, guest rooms. Hotels running Ariane terminals should verify that every unit has received the fixed Allegro Scenario Player release, keep the terminals on an isolated network segment, and be prepared to respond if a terminal is found in an unexpected state. Unattended self-service devices of this kind need the same ongoing patching and monitoring as any other exposed endpoint.

References

[1] https://cargreen.es/2024/06/08/bl-wlv/rtsd320707ltcu19uihtml/hotel-check-in-kiosks-expose-guest-data-and-room-keys
[2] https://www.darkreading.com/vulnerabilities-threats/hotel-check-in-kiosks-expose-guest-data-room-keys