London Daily

Focus on the big picture.
Tuesday, Oct 07, 2025

Hotel WiFi across MENA compromised and exposing private data

Hotel WiFi across MENA compromised and exposing private data

Cybersecurity researcher uncovers faulty system used by hotels in the Middle East surrendering personal information on millions of guests worldwide.

Pakistani cybersecurity researcher Etizaz Mohsin was in a hotel room in Qatar when he unexpectedly discovered a technical vulnerability in its internet system that exposed the private information of hundreds of hotels and millions of guests worldwide.

Mohsin told Al Jazeera he was “stunned” by what he uncovered late last year.

“I found out that there is a service running rsync [file synchronization tool], which allows me to dump the files of the device to my own computer,” Mohsin explained. “I was able to access the sensitive information of all other hotels which were using the FTP [file transfer protocol] server for backup purposes.”

From his hotel room he was able to obtain network configurations of 629 major hotels across 40 countries, and the personal information of millions of guests, including their room numbers, emails, and dates they checked in and out of the hotel.

The data included that of major hotel chains across the Middle East and North Africa region, including the Kempinski, the Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait and Bahrain.

The hotels all use an internet system called HSMX Gateway by British company AirAngel. Its clients are among the largest hotel brands worldwide.

This is common practice; most hotels, malls, restaurants, and cafés require people to create an account and fill their information after connecting to the internet in order to start using it. However, it is not without its risks.

“A public WiFi network is fundamentally less secure than one you use at home,” Mohsin explained. “It allows hackers to monitor and intercept data sent across the link, giving them access to sensitive information such as banking credentials and account passwords.”

The HSMX Gateway incident is similar to a vulnerability in hotel routers researchers discovered seven years ago, which affected 277 devices in hotels and convention centres in the United States, Singapore, the United Kingdom, the UAE, and 25 other countries.


‘Stakes are high’


Cybersecurity consultant Ragheb Ghandour told Al Jazeera the ease of access to this data, especially with how centralized it is among hundreds of hotels, is a huge cause for concern.

“Let’s say a spy checks into one of these listed hotels, skims through the files and finds a point of intrusion. They could modify – or mirror – the landing page for the WiFi connection and all the clients of the hotel would send their information straight to them,” Ghandour said. “The stakes are high. You could wreak havoc through the hotel.”

It is not just guests’ personal information that is at risk. Mohsin said a hacker could use the vulnerability to access the guests’ computer and mobile devices, as well as the hotel’s security footage, ventilation systems, and electronic door locks.

In fact, assassins used a vulnerability in a luxury hotel’s internet to unlock an electronic door and carry out a targeted killing in Dubai 12 years ago.

In 2010, a hit squad, reportedly members the Israeli Mossad intelligence agency, assassinated senior Hamas official Mahmoud al-Mabhouh at a luxury hotel in the Emirati city after hacking the key system to enter al-Mabhouh’s room.

AirAngel said in a statement it stopped updating its software in November 2020, and the firm encouraged clients to replace it with a new service called Captivnet. The issue with the previous service remains unfixed, however.

AirAngel added only a small number of clients have not migrated to Captivnet and still use HSMX Gateway. But more than half of the hotels Mohsin discovered compromised continue to use the service.

Of the 629 hotels Mohsin found with faulty internet protection, 378 have not switched to AirAngel’s new service, including more than 100 in the UAE, Saudi Arabia, Qatar, Lebanon, Egypt, and other countries across the MENA region, he said.

Mohsin said he hopes his findings will encourage more people to improve their digital security.

“Always a use a VPN to encrypt all your data as it travels via the network via secure tunnel,” he explained. “Alternatively, you might use mobile data [instead of WiFi] to avoid the dangers in the first place.”


Comments

Oh ya 4 year ago
And people believe that their crypto is also safe from the bad people and the government. Just ask the people in Canada that donated to the truckers and had their bank account stolen. Play stupid games win stupid prizes

Newsletter

Related Articles

0:00
0:00
Close
France: Less Than a Month After His Appointment, the New French Prime Minister Resigns
Hungarian Prime Minister Viktor Orbán stated that Hungary will not adopt the euro because the European Union is falling apart.
Sarah Mullally Becomes First Woman Appointed Archbishop of Canterbury
Mayor in western Germany in intensive care after stabbing
Australian government pays Deloitte nearly half a million dollars for a report built on fabricated quotes, fake citations, and AI-generated nonsense.
US Prosecutors Gained Legal Approval to Hack Telegram Servers
Macron Faces Intensifying Pressure to Resign or Trigger New Elections Amid France’s Political Turmoil
Standard Chartered Names Roberto Hoornweg as Sole Head of Corporate & Investment Banking
UK Asylum Housing Firm Faces Backlash Over £187 Million Profits and Poor Living Conditions
UK Police Crack Major Gang in Smuggling of up to 40,000 Stolen Phones to China
BYD’s UK Sales Soar Nearly Nine-Fold, Making Britain Its Biggest Market Outside China
Trump Proposes Farm Bailout from Tariff Revenues Amid Backlash from Other Industries
FIFA Accuses Malaysia of Forging Citizenship Documents, Suspends Seven Footballers
Latvia to Bar Tourist and Occasional Buses to Russia and Belarus Until 2026
A Dollar Coin Featuring Trump’s Portrait Expected to Be Issued Next Year
Australia Orders X to Block Murder Videos, Citing Online Safety and Public Exposure
Three Scientists Awarded Nobel Prize in Medicine for Discovery of Immune Self-Tolerance Mechanism
OpenAI and AMD Forge Landmark AI-Chip Alliance with Equity Option
Munich Airport Reopens After Second Drone Shutdown
France Names New Government Amid Political Crisis
Trump Stands Firm in Shutdown Showdown and Declares War on Drug Cartels — Turning Crisis into Opportunity
Surge of U.S. Billionaires Transforms London’s Peninsula Apartments into Ultra-Luxury Stronghold
Pro Europe and Anti-War Babiš Poised to Return to Power After Czech Parliamentary Vote
Jeff Bezos Calls AI Surge a ‘Good’ Bubble, Urges Focus on Lasting Innovation
Japan’s Ruling Party Chooses Sanae Takaichi, Clearing Path to First Female Prime Minister
Sean ‘Diddy’ Combs Sentenced to Fifty Months in Prison Following Prostitution Conviction
Taylor Swift’s ‘Showgirl’ Launch Extends Billion-Dollar Empire
Trump Administration Launches “TrumpRx” Plan to Enable Direct Drug Sales at Deep Discounts
Trump Announces Intention to Impose 100 Percent Tariff on Foreign-Made Films
Altman Says GPT-5 Already Outpaces Him, Warns AI Could Automate 40% of Work
Singapore and Hong Kong Vie to Dominate Asia’s Rising Gold Trade
Trump Organization Teams with Saudi Developer on $1 Billion Trump Plaza in Jeddah
Manhattan Sees Surge in Office-to-Housing Conversions, Highest Since 2008
Switzerland and U.S. Issue Joint Assurance Against Currency Manipulation
Electronic Arts to Be Taken Private in Historic $55 Billion Buyout
Thomas Jacob Sanford Named as Suspect in Deadly Michigan Church Shooting and Arson
Russian Research Vessel 'Yantar' Tracked Mapping Europe’s Subsea Cables, Raising Security Alarms
New York Man Arrested After On-Air Confession to 2017 Parents’ Murders
U.S. Defense Chief Orders Sudden Summit of Hundreds of Generals and Admirals
Global Cruise Industry Posts Dramatic Comeback with 34.6 Million Passengers in 2024
Trump Claims FBI Planted 274 Agents at Capitol Riot, Citing Unverified Reports
India: Internet Suspended in Bareilly Amid Communal Clashes Between Muslims and Hindus
Supreme Court Extends Freeze on Nearly $5 Billion in U.S. Foreign Aid at Trump’s Request
Archaeologists Recover Statues and Temples from 2,000-Year-Old Sunken City off Alexandria
China Deploys 2,000 Workers to Spain to Build Major EV Battery Factory, Raising European Dependence
Speed Takes Over: How Drive-Through Coffee Chains Are Rewriting U.S. Coffee Culture
U.S. Demands Brussels Scrutinize Digital Rules to Prevent Bias Against American Tech
Ringo Starr Champions Enduring Beatles Legacy While Debuting Las Vegas Art Show
Private Equity’s Fundraising Surge Triggers Concern of European Market Shake-Out
Colombian President Petro Vows to Mobilize Volunteers for Gaza and Joins List of Fighters
×