Case Study
In-room Hotel Internet Access
Industry: Hotels
Location: UK
Scene
For the modern business traveller, high-speed in-room Internet access can be the deciding factor when choosing where to stay on a business trip. Most modern hotels catering for the business traveller now offer high-speed in-room Internet access.
Challenge
Esqo was invited to investigate one such in-room Internet access system and to enumerate the security risks to both the user and the hotel.
Engagement
A vulnerability assessment engagement scenario was selected in order to return the most value from the engagement. The in-room Internet access system was used as a normal guest would use it and then examined using low-level IP tools. As a web application was used to perform payment operations, this was examined as part of the engagement.
Results
Application-level security issues in the payment application made it possible to bypass the payment function entirely and effectively steal Internet access. After examining the architecture of the system, it was found to be possible to sniff traffic from other hotel guests who were using the in-room Internet access system, and also to probe their machines using the hotel network.
Risks to business
Two main risks to business were discovered. The first is financial, arising from hotel guests stealing in-room Internet access. The second is legal: if hotel guests' computers are compromised or infected by a virus while connected to the hotel network, the hotel may be held responsible. Data transmitted to or from hotel guests' computers can also be sniffed from the network by other guests. Data seen during the engagement included e-mail and web traffic.