Self check-in kiosks from Ariane Systems, installed in thousands of hotels around the world, expose guests' personal data and can be abused to produce room keys.
Self check-in terminals let guests book rooms and check in on their own, handle payment through a POS system, print invoices, and receive RFID room key cards.
In March 2024, Pentagrid security researcher Martin Schobert discovered a vulnerability in the Ariane Allegro Scenario Player, the application running in kiosk mode on the self check-in terminal. Despite attempts to report it to the vendor, the researcher did not receive a clear answer about which software version addresses the issue.
Schobert found that entering a single quotation mark on the reservation screen caused the application to hang. Touching the screen again then dropped the terminal to the Windows desktop, giving access to all customer data, including reservations with guests' personal information.
Because the terminal includes the functionality to write RFID transponders, the ability to run code on a vulnerable terminal could potentially be used to create keys to other rooms.
Vulnerable terminals are commonly used in small and medium hotels due to cost constraints. Ariane Systems’ self-registration solutions are utilized in 3,000 hotels across 25 countries, totaling over 500,000 rooms and counting 30 of the top 100 international hotel networks as clients.
Schobert had been trying to report the issue to Ariane Systems since early March 2024 but received only brief replies claiming the problems were resolved. The specific version that eliminates the vulnerability, the number of terminals still running the vulnerable version, and the affected hotel chains remain unknown.
Ariane Systems stated that the problem was fixed in a newer version of the Allegro Scenario Player and advised hotels to make sure the latest software version is installed and to isolate the terminals from the hotel network to limit the impact of a potential attack.
In April 2024, Schobert identified a similar issue with the self check-in terminal at a German Ibis hotel, where entering six consecutive hyphens as the reservation number disclosed reservation data such as price, room number, and access codes.
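The article does not say why a single quote hangs the Allegro Scenario Player or why six hyphens matched a reservation at the Ibis kiosk. The following is an added example, not code from Ariane Systems or from the researcher, illustrating one common way a kiosk lookup can fail in both ways and how a hardened handler avoids it. It assumes a reservation lookup backed by a database query (an assumption; the real terminals' internals are not described) and uses a constructed in-memory SQLite table with invented reservations. The weak handler concatenates the guest's input into the SQL statement, so a lone quote produces a malformed query and an uncaught exception, which in a fullscreen kiosk means the shell behind it is exposed. The hardened handler allow-lists the reservation code format, uses a bound parameter, requires a second factor (the guest's surname) before showing room number or door code, and never lets an exception escape.

```python
import re
import sqlite3

# Constructed sample data standing in for a hotel property-management system.
# All values are invented for this example.
_SAMPLE_RESERVATIONS = [
    ("ABC123", "Guest A", 101, 89.00, "4711"),
    ("XYZ789", "Guest B", 205, 129.50, "2301"),
]


def make_db():
    """Create an in-memory reservation table populated with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE reservations ("
        "code TEXT PRIMARY KEY, guest TEXT, room INTEGER, price REAL, door_code TEXT)"
    )
    con.executemany("INSERT INTO reservations VALUES (?, ?, ?, ?, ?)", _SAMPLE_RESERVATIONS)
    return con


def weak_lookup(con, user_input):
    """Hypothetical weak kiosk handler (assumption, not Ariane's code).

    Untrusted touchscreen input is concatenated into the statement. A single
    quote unbalances the string literal, sqlite3 raises, and nothing catches
    the exception, so the kiosk application would terminate and leave the
    Windows desktop reachable.
    """
    query = (
        "SELECT guest, room, price, door_code FROM reservations WHERE code = '"
        + user_input
        + "'"
    )
    return con.execute(query).fetchone()


# Allow-list for reservation codes: uppercase letters and digits only.
# Both a lone "'" and "------" fail this check before any database access.
CODE_RE = re.compile(r"^[A-Z0-9]{6,12}$")


def hardened_lookup(con, code_input, surname_input):
    """Kiosk-safe lookup: returns ('ok', record) or ('error', message), never raises.

    The reservation code alone is treated as a low-entropy identifier, so room
    number and door code are only released when the surname also matches.
    Lookup failures are reported with one generic message so the kiosk does
    not reveal whether a code exists.
    """
    try:
        code = code_input.strip().upper()
        if not CODE_RE.fullmatch(code):
            return ("error", "invalid reservation code")
        row = con.execute(
            "SELECT guest, room, price, door_code FROM reservations WHERE code = ?",
            (code,),
        ).fetchone()
        if row is None or row[0].lower() != surname_input.strip().lower():
            return ("error", "no reservation found")
        return ("ok", {"guest": row[0], "room": row[1], "price": row[2], "door_code": row[3]})
    except Exception:
        # Any unexpected failure stays inside the kiosk UI instead of crashing it.
        return ("error", "temporary failure, please see reception")


if __name__ == "__main__":
    con = make_db()
    print(hardened_lookup(con, "ABC123", "Guest A"))
    print(hardened_lookup(con, "'", "Guest A"))
    print(hardened_lookup(con, "------", "anyone"))
    try:
        weak_lookup(con, "'")
    except sqlite3.OperationalError as exc:
        print("weak handler crashed:", exc)
```

The allow-list is the first line of defence, but the `try`/`except` wrapper is what keeps the terminal in kiosk mode when something else goes wrong; on a kiosk the two belong together, since any unhandled exception turns into a desktop with the hotel's data on it.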