Monday, 10 November 2014 10:03

Darkhotel Attack Targets Hotel Guest Wireless Networks

Written by

Reading time is around minutes.

The targeting of travelers is something that is a very old idea. To the would-be attacker you are getting a target that is not familiar with their surroundings and (in many cases) has a lot of money on them. In the “old days” the target was the cash they brought with them. This quickly changed to a number of scams to get access to their credit card numbers and the cash that they protected. Still the idea was to go after the traveler because they were easy targets when they were out and about.

Now as with many other once physical attacks travelers are being targeted, but this time they are being hit when using the guest internet systems in the hotels they are staying in. At least that is the word from Kaspersky labs. They have identified a new attack that has been dubbed darkhotel. Darkhotel seems to be both random and targeted in nature. Typically these are mutually exclusive terms, but in this case the idea is to get the malware into as many networks as possible and then target systems that are inside them.

Darkhotel is a rather complex bit of malware that consists of both network and client side components. The attackers have to breach a hotel’s network in order establish this type of client based attack. Kaspersky was not clear if the intrusion is only related to the guest side of the network or if the attackers must compromise the hotel’s property management system as well. They only state “The Darkhotel actor maintains an effective intrusion set on hotel networks”.

Now if you look at most of the leading wireless solutions for hospitality there is a connection back to the PMS system so it would see logical that some compromise of the administrative network is needed, but that the primary infection exists on the guest network. There are a multitude of ways to get this going depending on the system used and the way that Kaspersky details the attack, we will cover a couple of them.

In many hotel wireless systems there is a central client gateway that is responsible for checking guest traffic against the PMS system and allowing this traffic based on the level of service offered. These gateways have internal web servers which present the guest with a page and ask for certain information (last name and room number). The guest is asked to accept terms and conditions of use and there is a nice friendly button to click to get onto the internet. A clever attacker and compromise the gateway and alter the code behind the accept button. This will push down the malware package to the unsuspecting guest in the form of a fake update (Google, Flash etc.). Once installed the malware can download more specific tools to gather information on the guest and send it back to the attacker.

This attack method is probably the most likely as many gateways are left open to internal and external traffic. The security that prevents unauthorized access to web pages and services is not very well thought out and can be bypassed in many cases (Bash is one vector). It would allow an attacker to download the existing web pages and then replace them with their own code. It represents a specific weakness in both system design and also the way that these systems are managed.

The other option involves a complex compromise of a Hotel’s PMS system. With this in place the gateway checks the hotels system when the last name and room number is entered and the accept button is clicked. Once this is entered the system will respond to the query acknowledging the guest. At this time the malware package is pushed from an internal source or a linked external source (again as an update package). This would allow a much more targeted attack as the bad guys can parse the database and identify their target and the room number. The would know who to attack and can flag the room in the PMS system to add the package to them after check-in. This type of compromise can also get around third-party systems that control wireless access for a hotel as the compromise is not at the web server level, but embedded in the PMS system.

Option 2 is a more targeted and complex type of attack that relies on a compromised PMS system and other items in the network. It is much less likely than a web services compromise as many attackers look for the easiest method to get the job done, but it is one that is certainly plausible.

Over all the concept of Darkhotel as outlined by Kaspersky is a little frightening, but there are a few methods of protecting yourself from it. One of the biggest and first that is out there is to refuse any update that hits your system as soon as you log into a network. Another is to make sure that you have proper malware protection (something you should do anyway). Of course as the word gets out about this the means of attack and compromise will evolve to address changes in guest or hotel behavior making the probability of this attack being effective for a long time very high…

Stay safe out there.

Tell us what you think in our Forum

Read 4978 times Last modified on Monday, 10 November 2014 10:08

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.