Hotel Self Check-In Kiosks Exposed Room Access Codes

Share This Post

Self check-in kiosks at Ibis Budget hotels in Germany and other European countries may have been affected by a vulnerability that exposed keypad codes which could be used to enter rooms, Swiss IT security assessment firm Pentagrid said on Tuesday.

The Ibis Budget brand is owned by French hospitality giant Accor. According to the company’s website, there are 600 Ibis Budget hotels across 20 countries. 

In late 2023, Pentagrid hackers discovered a vulnerability in the self check-in terminal present at an Ibis Budget hotel in Germany, but they believe the flaw likely impacted other hotels as well. 

Accor was immediately notified and the company informed Pentagrid within a month that it had rolled out patches to affected devices. 

The impacted kiosks allow Ibis Budget hotel customers to check into their room when no staff is present. The customer is asked to enter the booking ID and the terminal displays the associated room number and the door keypad code that can be used to enter the room.  

Pentagrid discovered that by entering a series of dashes instead of the booking ID, the terminal displayed a list of current bookings. Tapping on a booking showed the room number and the keypad access code, which, according to Pentagrid, remains unchanged during the customer’s stay at the hotel. The exposed access codes could have been used by an attacker to enter rooms.

The security firm’s researchers believe this was likely a bug or a test function that the vendor forgot to deactivate, rather than a master code designed to provide access to all the bookings.  

The researchers conducted a Google search for images of check-in kiosks at Ibis Budget hotels. The search returns dozens of results, particularly for hotels in Germany and France. 

Pentagrid said it’s unclear which company makes the impacted kiosks. 

Advertisement. Scroll to continue reading.

In order to exploit the vulnerability, an attacker would have needed physical access to the targeted terminal, with the device being set to allow self-service, which is most likely during the night, the researchers noted. 

“Access to hotel rooms would allow the theft of valuables, especially if low-budget hotel rooms are not equipped with a room safe,” Pentagrid said in a blog post describing its findings

SecurityWeek has reached out to Accor for comment and will update this article if the company responds.

Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Saflok Lock Vulnerability Can Be Exploited to Open Millions of Doors

Related: Axis Door Controller Vulnerability Exposes Facilities to Physical, Cyber Threats

This post was originally published on this site

More Articles


Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.


BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.