Both Bob Cromwell and I have written about the perils of using one’s computer in a hotel. Now we find that a device commonly used by hotels that provide guest Internet access can be a serious security concern.
The device is the ANTLabs InnGate. From CVE-2015-0932 it appears that the devices’ software (for which an update is available, see below) has incorrect default permissions. That is, data in this case can be read or written by anyone whether authenticated or not.
The InnGate has an open port for rsync. Rsync is a tool for keeping files in sync – that is ensuring that files on two or more computers have the same content. I’ve used rsync myself multiple times.
Suppose an attacker has a computer with bogus data. She can then synchronize it with another using rsync if that protocol is available and authentication is not required. Of course, if her computer contained malicious files, those would be sent to the target computer. This is what appears to be the case with the InnGate.
According to the advisory, ANTLabs has released updated firmware to address this issue. However, there is no indication that an end user can be sure that the firmware on the device at his or her hotel has been updated. I hope it is possible. I hope there is a note such as “Uses updated firmware to address CVE-2015-0932.” But I haven’t heard of such a notice. And asking a hotel is likely not going to yield much information. I’ve found from experience that hotels tend to outsource tech support for guest internet access (which is probably a good thing).
Cylance, the discoverers of this vulnerability, has information on it including its prevalence. I suggest reading that page.
What precautions do you take when using a computer on the road? Let us know in the comments below.
To your safe computing