The terminal's security flaw could be abused by anyone, requiring no technical knowledge or specialized tooling. Realistically, an attacker could aggregate an array of room keycodes in just a few minutes – as long as it would take a regular customer to use the same machine to check in to their room.

Self-service check-in terminals can be used by hotel guests as an alternative to speaking with front desk staff, who sometimes aren't available to serve. As well as allowing guests to check into their rooms, these terminals also offer the capability to search for information about existing bookings.

If, for example, a guest forgets their keycode, they can input their booking reference number and the terminal will present details about their booking, including their room code.

Martin Schobert at Swiss security firm Pentagrid discovered that an attacker could input a series of six consecutive dashes (------) in place of a booking reference number and the terminal would return an extensive list of room details.

"Any other sequence of dashes is accepted if it is long enough to enable the submit button," he said. "Therefore, it is assumed that a variable length string is likely not a master code, but a bug or a not deactivated test function."

Once the dashes were entered, the booking information displayed the cost of the booking and the valid room entry keycodes, along with the room number. It also included a timestamp, which the researchers assumed to be a check-in date – one that may indicate the length of a guest's stay.

The issue was discovered accidentally while using a terminal in the Hamburg Altona Ibis Budget hotel after Schobert attended a cybersecurity convention in the city. He was able to retrieve the details of 87 bookings; the hotel offers 180 rooms. It's not clear whether the bug was limited to returning fewer than the full number of bookings, or whether only 87 bookings were valid at that time.

Even without the exploit using a series of dashes, Schobert said valid booking references could be found on discarded printouts, necessitating greater security controls embedded in the terminals.

It isn't difficult to imagine the potential consequences of this issue falling into the wrong hands. Being able to retrieve keycodes can lead to thefts, of course, and an attacker being able to target rooms by price could lead them to single out the wealthiest guests for potentially the biggest rewards.

Beyond theft, there is also the potential for abuse by stalkers and other creeps, jeopardizing the personal safety of guests.

It can all be carried out within seconds too, we're told, and any attacker could do this without arousing suspicion from onlookers since it seems like normal user activity. Schobert published a video showing it happening in real time, to show how simple exploiting the bug was.

While Schobert said he doesn't know for sure if it could be replicated at other sites, he said other hotels around Europe "are likely affected as well."

It should be said, however, there's no evidence to suggest this was actually exploited in the real world.

Accor Security, the security arm of Accor, which owns the Ibis Budget chain, tested the issue and was able to reproduce it, then developed and deployed a software fix to all affected terminals in under a month.

The issue was first discovered on December 31, 2023, and was fixed on January 26, Pentagrid's disclosure timeline showed.

Accor was approached by El Reg for additional comment but it didn't immediately respond.

Hotel hell

It hasn't been a great few weeks for hotel security. Two weeks ago we took a look at the vulnerabilities, together dubbed by researchers as "Unsaflok," that left around 3 million hotel doors vulnerable to unauthorized access.

Saflok MT and Saflok RT Plus are the two most commonly deployed models of keycard lock affected by the vulnerabilities, made by Swiss firm dormakaba.

Unlike the issues at Accor, these were trickier to exploit, but also not outside the realms of possibility. An attacker would need a valid or expired hotel keycard, and two blank ones that can be purchased online – one to reset the lock data and another to open it.

It could all be achieved using legal, freely available kit such as a Flipper Zero or an NFC-capable Android phone.

As of two weeks ago, a fix was developed but it is taking a while to deploy worldwide – only 36 percent of locks were fixed at the time of writing.

Connor Jones