In the words of Cylance Senior Security Researcher Justin W.Clarke, “This vulnerability would provide an attacker the ability to use
this InnGate device for anything they want.”
Hackers could infect hotel guests’ computers with malware
and read all of their plaintext communication; an industrious hacker could
access encrypted communication by exploiting OpenSSL vulnerabilities.
To exacerbate the threat, several of the compromised hotels had
linked their InnGate devices with their Property Management Systems (PMS),
giving hackers access to just about everything, including guest reservations,
points of sale, HR and payroll, and sales and marketing. WIRED
highlighted the severity of this situation by reminding readers that the 2011 assassination of a Hamas
official was successful because of a reprogrammed electronic hotel room lock.
What is most noteworthy, however, is that no one is looking
to blame the hotels, ANTlabs, or even hackers for this vulnerability. The
hotels—though displayed on a map
and said to run the cost gamut—remain anonymous; CVE-2015-0932 itself was discovered
in February, but not made public until hotels were informed and a corrective firmware update could be
released. Rather than question ANTlabs' credibility, Cylance applauded the vendor's rapid response to CVE-2015-0932. The vulnerability was old news before it could even be news.
CVE-2015-0932 is already a thing of the past and, as such,
lives on merely as a reminder. We expect to have access to public Wi-Fi
everywhere we go; when we choose to use it carelessly, we cannot blame the
hardware, the provider, or the hacker who stole our credit card information. We
can only blame ourselves.
We live in a world in which neither
government nor business will guarantee internet privacy. According to Business Insider, security experts like Clarke turn to VPN services when on public
Wi-Fi. Take matters into your own hands and do the same.
No comments:
Post a Comment