London Daily

Focus on the big picture.
Tuesday, Jul 22, 2025

Hotel WiFi across MENA compromised and exposing private data

Hotel WiFi across MENA compromised and exposing private data

Cybersecurity researcher uncovers faulty system used by hotels in the Middle East surrendering personal information on millions of guests worldwide.

Pakistani cybersecurity researcher Etizaz Mohsin was in a hotel room in Qatar when he unexpectedly discovered a technical vulnerability in its internet system that exposed the private information of hundreds of hotels and millions of guests worldwide.

Mohsin told Al Jazeera he was “stunned” by what he uncovered late last year.

“I found out that there is a service running rsync [file synchronization tool], which allows me to dump the files of the device to my own computer,” Mohsin explained. “I was able to access the sensitive information of all other hotels which were using the FTP [file transfer protocol] server for backup purposes.”

From his hotel room he was able to obtain network configurations of 629 major hotels across 40 countries, and the personal information of millions of guests, including their room numbers, emails, and dates they checked in and out of the hotel.

The data included that of major hotel chains across the Middle East and North Africa region, including the Kempinski, the Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait and Bahrain.

The hotels all use an internet system called HSMX Gateway by British company AirAngel. Its clients are among the largest hotel brands worldwide.

This is common practice; most hotels, malls, restaurants, and cafés require people to create an account and fill their information after connecting to the internet in order to start using it. However, it is not without its risks.

“A public WiFi network is fundamentally less secure than one you use at home,” Mohsin explained. “It allows hackers to monitor and intercept data sent across the link, giving them access to sensitive information such as banking credentials and account passwords.”

The HSMX Gateway incident is similar to a vulnerability in hotel routers researchers discovered seven years ago, which affected 277 devices in hotels and convention centres in the United States, Singapore, the United Kingdom, the UAE, and 25 other countries.


‘Stakes are high’


Cybersecurity consultant Ragheb Ghandour told Al Jazeera the ease of access to this data, especially with how centralized it is among hundreds of hotels, is a huge cause for concern.

“Let’s say a spy checks into one of these listed hotels, skims through the files and finds a point of intrusion. They could modify – or mirror – the landing page for the WiFi connection and all the clients of the hotel would send their information straight to them,” Ghandour said. “The stakes are high. You could wreak havoc through the hotel.”

It is not just guests’ personal information that is at risk. Mohsin said a hacker could use the vulnerability to access the guests’ computer and mobile devices, as well as the hotel’s security footage, ventilation systems, and electronic door locks.

In fact, assassins used a vulnerability in a luxury hotel’s internet to unlock an electronic door and carry out a targeted killing in Dubai 12 years ago.

In 2010, a hit squad, reportedly members the Israeli Mossad intelligence agency, assassinated senior Hamas official Mahmoud al-Mabhouh at a luxury hotel in the Emirati city after hacking the key system to enter al-Mabhouh’s room.

AirAngel said in a statement it stopped updating its software in November 2020, and the firm encouraged clients to replace it with a new service called Captivnet. The issue with the previous service remains unfixed, however.

AirAngel added only a small number of clients have not migrated to Captivnet and still use HSMX Gateway. But more than half of the hotels Mohsin discovered compromised continue to use the service.

Of the 629 hotels Mohsin found with faulty internet protection, 378 have not switched to AirAngel’s new service, including more than 100 in the UAE, Saudi Arabia, Qatar, Lebanon, Egypt, and other countries across the MENA region, he said.

Mohsin said he hopes his findings will encourage more people to improve their digital security.

“Always a use a VPN to encrypt all your data as it travels via the network via secure tunnel,” he explained. “Alternatively, you might use mobile data [instead of WiFi] to avoid the dangers in the first place.”


Comments

Oh ya 3 year ago
And people believe that their crypto is also safe from the bad people and the government. Just ask the people in Canada that donated to the truckers and had their bank account stolen. Play stupid games win stupid prizes

Newsletter

Related Articles

0:00
0:00
Close
US Treasury Secretary Calls for Institutional Review of Federal Reserve Amid AI‑Driven Growth Expectations
UK Government Considers Dropping Demand for Apple Encryption Backdoor
Severe Flooding in South Korea Claims Lives Amid Ongoing Rescue Operations
Japanese Man Discovers Family Connection Through DNA Testing After Decades of Separation
Russia Signals Openness to Ukraine Peace Talks Amid Escalating Drone Warfare
Switzerland Implements Ban on Mammography Screening
Japanese Prime Minister Vows to Stay After Coalition Loses Upper House Majority
Pogacar Extends Dominance with Stage Fifteen Triumph at Tour de France
CEO Resigns Amid Controversy Over Relationship with HR Executive
Man Dies After Being Pulled Into MRI Machine Due to Metal Chain in New York Clinic
NVIDIA Achieves $4 Trillion Valuation Amid AI Demand
US Revokes Visas of Brazilian Corrupted Judges Amid Fake Bolsonaro Investigation
U.S. Congress Approves Rescissions Act Cutting Federal Funding for NPR and PBS
North Korea Restricts Foreign Tourist Access to New Seaside Resort
Brazil's Supreme Court Imposes Radical Restrictions on Former President Bolsonaro
Centrist Criticism of von der Leyen Resurfaces as she Survives EU Confidence Vote
Judge Criticizes DOJ Over Secrecy in Dropping Charges Against Gang Leader
Apple Closes $16.5 Billion Tax Dispute With Ireland
Von der Leyen Faces Setback Over €2 Trillion EU Budget Proposal
UK and Germany Collaborate on Global Military Equipment Sales
Trump Plans Over 10% Tariffs on African and Caribbean Nations
Flying Taxi CEO Reclaims Billionaire Status After Stock Surge
Epstein Files Deepen Republican Party Divide
Zuckerberg Faces $8 Billion Privacy Lawsuit From Meta Shareholders
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
SpaceX Nears $400 Billion Valuation With New Share Sale
Microsoft, US Lab to Use AI for Faster Nuclear Plant Licensing
Trump Walks Back Talk of Firing Fed Chair Jerome Powell
Zelensky Reshuffles Cabinet to Win Support at Home and in Washington
"Can You Hit Moscow?" Trump Asked Zelensky To Make Putin "Feel The Pain"
Irish Tech Worker Detained 100 days by US Authorities for Overstaying Visa
Dimon Warns on Fed Independence as Trump Administration Eyes Powell’s Succession
Church of England Removes 1991 Sexuality Guidelines from Clergy Selection
Superman Franchise Achieves Success with Latest Release
Hungary's Viktor Orban Rejects Agreements on Illegal Migration
Jeff Bezos Considers Purchasing Condé Nast as a Wedding Gift
Ghislaine Maxwell Says She’s Ready to Testify Before Congress on Epstein’s Criminal Empire
Bal des Pompiers: A Celebration of Community and Firefighter Culture in France
FBI Chief Kash Patel Denies Resignation Speculations Amid Epstein List Controversy
Air India Pilot’s Mental Health Records Under Scrutiny
Google Secures Windsurf AI Coding Team in $2.4 Billion Licence Deal
Jamie Dimon Warns Europe Is Losing Global Competitiveness and Flags Market Complacency
South African Police Minister Suspended Amid Organised Crime Allegations
Nvidia CEO Claims Chinese Military Reluctance to Use US AI Technology
Hong Kong Advances Digital Asset Strategy to Address Economic Challenges
Australia Rules Out Pre‑commitment of Troops, Reinforces Defence Posture Amid US‑China Tensions
Martha Wells Says Humanity Still Far from True Artificial Intelligence
Nvidia Becomes World’s First Four‑Trillion‑Dollar Company Amid AI Boom
U.S. Resumes Deportations to Third Countries After Supreme Court Ruling
Excavation Begins at Site of Mass Grave for Children at Former Irish Institution
×