A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.
Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are “extremely easy to guess.” With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway’s settings and databases, which store records about the guest’s using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages, he said.
Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored “millions” of guest names, email addresses and arrival and departure dates, he said.
Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk?
In the end, the security researcher found five vulnerabilities that he said could compromise the gateway — including guests’ information. One screenshot he shared with TechCrunch showed the administration interface of one hotel’s vulnerable gateway revealing the guest’s name, room number and email address.
Mohsin reported the newly discovered cache of flaws to Airangel, but months passed and the U.K.-based networking gear maker still has not fixed the bugs. A representative told Mohsin that the company hasn’t sold the device since 2018 and was no longer supported.
But Mohsin said the device is still widely used by hotels, malls and convention centers around the world. Internet scans show more than 600 gateways are accessible from the internet alone, though the true number of vulnerable devices is likely to be higher. Most of the affected hotels are in the U.K., Germany, Russia and across the Middle East, he said.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
“Given the level of access that this chain of vulnerabilities offers to attackers, there is seemingly no limit to what they could do,” Mohsin told TechCrunch.
Mohsin presented his findings at the @Hack conference in Saudi Arabia last month. Airangel did not respond to a request for comment.
Read more:
