Staying in a Hotel? Here’s one more Cyber Security Issue to Worry About.

Hotel KeyBoth Bob Cromwell and I have written about the perils of using one’s computer in a hotel. Now we find that a device commonly used by hotels that provide guest Internet access can be a serious security concern.

The device is the ANTLabs InnGate. From CVE-2015-0932 it appears that the devices’ software (for which an update is available, see below) has incorrect default permissions. That is, data in this case can be read or written by anyone whether authenticated or not.

The InnGate has an open port for rsync. Rsync is a tool for keeping files in sync – that is ensuring that files on two or more computers have the same content. I’ve used rsync myself multiple times.

Suppose an attacker has a computer with bogus data. She can then synchronize it with another using rsync if that protocol is available and authentication is not required. Of course, if her computer contained malicious files, those would be sent to the target computer. This is what appears to be the case with the InnGate.

According to the advisory, ANTLabs has released updated firmware to address this issue. However, there is no indication that an end user can be sure that the firmware on the device at his or her hotel has been updated. I hope it is possible. I hope there is a note such as “Uses updated firmware to address CVE-2015-0932.” But I haven’t heard of such a notice. And asking a hotel is likely not going to yield much information. I’ve found from experience that hotels tend to outsource tech support for guest internet access (which is probably a good thing).

Two Steps to Protect Your System in a Hotel

  1. It is important to set all privileges (default and otherwise) at the lowest level necessary to accomplish the tasks for which a system or package is designed. This is the principle of Least Privilege. It is an essential design factor for secure systems. We discuss it at length in Learning Tree’s System and Network Security Introduction.
  2. If you are going to use a computer in a hotel room, be very careful. Use encryption whenever possible (e.g. a VPN and SSL) and be sure to have all anti-malware tools on your computer enabled.

Cylance, the discoverers of this vulnerability, has information on it including its prevalence. I suggest reading that page.

What precautions do you take when using a computer on the road? Let us know in the comments below.

To your safe computing
John McDermott

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.