Researchers have discovered a vulnerability impacting a leading manufacturer of managed kiosks found in hotels, businesses, retail and other industries that could allow a malicious actor access to the cloud database, according to Trustwave.
Uniguest outsources secure, fully managed customer-facing technology solutions, but researchers reported that “based on the way their infrastructure is set up, it appears Uniguest actually manages the machines and not the hotel or whatever other business employs Uniguest software.”
Uniguest’s cloud database contains kiosk credentials, including admin, router, BIOS passwords and product keys for all of its customers. Armed with this information, an attacker could implant keyloggers and remote-access trojans to capture kiosk visitor activity such as printing boarding passes, hotel check-ins and online banking, according to the research.
Using a Google search, researchers discovered the publicly exposed website that contained the necessary tools a technician would use to deploy or manage a kiosk location.
“There was no authentication required, and among the pre-packaged kiosk software and manuals, SystemSleuth stood out. SystemSleuth is written in C# and is therefore trivially decompiled back to source code using something like dnSpy,” the researchers wrote.
The SystemSleuth application deployed to Uniguest’s legacy kiosks is reportedly used to collect information such as product keys, asset tags, passwords and various other data. “The data is sent up to a Salesforce API and of course, with the C# decompiler, it didn't take long to find the API credentials, hardcoded within the application,” the report said.
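The hardcoded-credential finding described above is something a defender can check for before a client binary ships, because a secret compiled into a distributed application is recoverable by anyone who obtains the file. The Python script below is an added example and is not Trustwave's or Uniguest's code. It pulls printable ASCII and UTF-16LE strings out of a binary blob (C# string literals are stored as UTF-16 in the assembly's user-string heap, which is part of why decompilers recover them so readily) and flags strings that carry a credential keyword or a long high-entropy token. The `SAMPLE_BINARY` bytes, the keyword list and the entropy threshold are constructed assumptions for the demonstration; the secret values in the sample are placeholders.

```python
import math
import re
import sys

# Constructed sample standing in for a compiled .NET assembly: a mix of
# ASCII and UTF-16LE strings, with placeholder secrets. Not a real binary.
SAMPLE_BINARY = (
    b"\x00\x01MZ" + b"\x00" * 8
    + "Uniguest SystemSleuth".encode("utf-16-le") + b"\x00\x00"
    + "https://login.salesforce.com/services/oauth2/token".encode("utf-16-le") + b"\x00\x00"
    + "client_secret=PLACEHOLDER_SECRET_0123456789ABCDEFGHIJKLMN".encode("utf-16-le") + b"\x00\x00"
    + "3MVG9Placeholder0Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Qr9".encode("utf-16-le") + b"\x00\x00"
    + b"Copyright 2020\x00"
    + b"password=Sup3rS3cretPl4ceholder!\x00"
    + b"\x00\x00" + "assetTag".encode("utf-16-le")
)

# Runs of 8+ printable characters, in plain ASCII and in UTF-16LE
# (each printable byte followed by a NUL byte).
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Assumed keyword list: identifiers commonly placed next to a secret value.
KEYWORDS = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|client_secret|consumer_secret)\s*[=:]",
    re.IGNORECASE,
)
# Candidate opaque tokens: long runs of URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{24,}")
ENTROPY_THRESHOLD = 3.5  # assumed; bits per character


def extract_strings(blob: bytes):
    """Return (encoding, offset, text) for every printable run in the blob."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append(("utf16", m.start(), m.group().decode("utf-16-le")))
    return found


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_credential(s: str):
    """Classify a string as 'keyword', 'high-entropy' or None."""
    if KEYWORDS.search(s):
        return "keyword"
    for token in TOKEN_RE.findall(s):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            return "high-entropy"
    return None


def scan(blob: bytes):
    """Report every embedded string that looks like a credential.

    The preview is truncated so the report itself does not leak the secret.
    """
    findings = []
    for enc, offset, text in extract_strings(blob):
        kind = looks_like_credential(text)
        if kind:
            findings.append({
                "offset": offset,
                "encoding": enc,
                "kind": kind,
                "preview": text[:16] + "...",
            })
    return findings


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for f in scan(data):
        print(f"{f['offset']:#010x} {f['encoding']:5s} {f['kind']:12s} {f['preview']}")
```

Run against the constructed sample the scan reports three strings: the `password=` literal in ASCII, and the `client_secret=` literal plus the long random-looking token in UTF-16. A check like this belongs in the build pipeline, but the real fix is architectural: a kiosk agent should never hold a long-lived API credential at all, and should instead authenticate to a backend that issues short-lived, per-device tokens, so that decompiling the client yields nothing reusable.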
If an adversary were able to discover this information, the attacker could “deploy keyloggers, remote access trojans and various other forms of malware, attacking hotel guests or business patrons just passing through,” the report said.
Researchers contacted Uniguest and the company has placed the site behind an authentication portal, yet the researchers point out that “SystemSleuth and the API credentials (albeit disabled) may still be found on their managed systems, until Uniguest can go and reimage them all.”