In one of the German hotels IBIS in self-service terminals, a security flaw was discovered that allowed access to access codes for rooms. Researchers believe that this issue could affect many other hotels across Europe.
The hotel terminals designed for self-service check-ins not only allowed guests to check into their rooms but also provided information about existing reservations. The identified security flaw made it possible for anyone, without special knowledge or tools, to obtain access codes by entering a sequence of six dashes as a reservation number.
Martin Schoobert from the Swiss cybersecurity company Pentagrid, who uncovered this vulnerability, was able to access data from 87 reservations at the IBIS Budget Hamburg Hotel. The system was disclosing reservation details, including current access codes to rooms and their costs, which could potentially lead to thefts and other security breaches.
Accor Security, responsible for the safety of the IBIS Budget hotel network, acknowledged the vulnerability and promptly developed and implemented a software update for all affected terminals. The security flaw was patched within a month of its discovery.
This incident is just one of several security issues that have recently been discovered in hotels. Previously, researchers found vulnerabilities in Saflock locks, impacting approximately 3 million hotel doors globally, as well as other IT issues affecting reservation systems, payment processes, and access systems in hotels across different networks.