Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the company's internet infrastructure, compromising the personal information of hundreds of hotels and millions of tourists worldwide.
Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.”
He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates.
Information from major hotel chains in Qatar,, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain, as well as the Kempinski, Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain was included in the research.
The hotels all use AirAngel's HSMX Gateway internet technology, which is a British company. Some of the world's most well-known hotel chains are among its clients.
Most hotels, stores, restaurants, and cafés need guests to set up an account and fill out their personal information before they may use the internet. It does, however, have some disadvantages.
Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”
Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.