Ibis Budget hotels in Germany were found to leak hotel room key codes through self-service check-in terminals, and a researcher behind the discovery claims the problem could potentially affect hotels around the world. It would be very easy for anyone to abuse the terminal's security flaw without any technical knowledge or specialized tools, as it is a security flaw that can be exploited by anyone. 

In actuality, an attacker can aggregate a whole lot of room keycodes in just a few minutes as long as a regular customer uses the same machine to check into their room, as long as the attacker is persistent. In addition to speaking with staff at the front desk, hotel guests can also take advantage of self-service check-in terminals. Front desk staff can be unavailable at times for guests to interact with them. 

These terminals offer guests the ability to not only check into their rooms, but they can also search for information about existing bookings as well, which is what Ibis Budget is all about. Based on the company's website, 600 Ibis Budget hotels are operating in 20 different countries around the world. This is an Ibis Budget hotel chain owned by Accor. 

They believe the vulnerability likely affected other hotels as well, as they discovered in late 2023 a security flaw in the self-check-in terminal that was installed at an Ibis Budget hotel in Germany.  Ibis Budget hotel customers can use these kiosks to check in their rooms when there is no staff at the hotel. 

When Accor was notified, Pentagrid was informed that the company had issued patches to the affected devices within a month. Upon entering the booking ID, the terminal displays the associated room number as well as the keypad code that can be used to access the room when the customer is not present. 

The customer then has to enter the keypad code to access the room.    It was discovered by Pentagrid that a list of current bookings could be displayed on the terminal if he entered a series of dashes instead of the booking ID. Pentagrid believes that tapping on a booking will display the room number as well as the keypad access code of the hotel, which remains unchanged during the guest's stay at the hotel, according to Pentagrid. 

There was a chance that an attacker would have been able to gain access to rooms using the exposed access codes. Upon entering the dashes, the booking information displayed the amount of the booking, the room number and the valid room entry code, along with the cost of the booking. The researchers also found a timestamp in the data, which the researchers assumed was the check-in date, which could indicate the length of the guest's stay.

Schobert discovered the issue unintentionally after attending a cybersecurity convention in Hamburg, where he was using a terminal at the Altona Ibis Budget Hotel. The bug is not clear as to whether or not 87 bookings were valid at the time of the audit, as there are 180 rooms at the hotel. It is unclear if it was only 87 bookings that were valid at that time or if the bug was limited to returning less than the entire number of bookings. 

Schobert said the booking references could still be found on discarded printouts even without the exploit by using a series of dashes, which necessitated that greater security controls be placed on the terminals to prevent this. If this issue falls into the wrong hands, the consequences could be quite serious.

Understandably, retrieving keycodes could lead to theft, but being able to target rooms by price may allow an attacker to target the wealthiest guests for the best possible rewards as they may be able to target rooms by price. Aside from theft, there is also the danger of stalking and other creeps abusing guests, which may put their safety at risk. As a result, researchers note that an attacker would have needed to be physically close to the targeted terminal to exploit the vulnerability, as the affected device would have had to be set up to allow self-service, which would be most likely during the nighttime, researchers stated.