Hardcoded Credentials in Kiosk Software Allowed Remote Attackers to Compromise API
Uniguest provides kiosks to the hospitality, senior living, specialty retail, education and corporate sectors. The kiosks typically run a locked-down version of Windows, and are managed by Uniguest rather than, for example, the hotel customers. With so many kiosks in so many different locations, that management inevitably involves the cloud — and when the cloud is involved there are often security lapses.
Founded in 1986, the company claims to have managed service contracts for 32,000 kiosks across 15,000 client locations.
Starting with nothing more than a Google search, researchers from Trustwave SpiderLabs found a Uniguest website (ucrew.uniguest.com) that had been publicly exposed on the internet. This website appeared to contain all the tools that technicians would need to deploy or manage a kiosk on location. From this simple observation, the researchers were able to develop a chain of steps that would ultimately enable them, in their own words, to “dump all the data in the Uniguest cloud database, which includes admin, router and BIOS passwords, product keys and various other sensitive information, for what looked like all of Uniguest’s customers.”