


Using a smartphone as a hotel room key: What could possibly go wrong?

Jul 29, 2014

If you stay at one of 11 brands of hotels in Hilton's portfolio, you can choose your room online now; by 2015 you can bypass the front desk and use a smartphone to unlock the door to your hotel room.

If you have an Apple or Android smartphone and stay at one of 11 brands of hotels in Hilton’s portfolio, then your smartphone will soon double as your hotel room key. Imagine using a smartphone as a room key for more than 650,000 hotel rooms, at over 4,000 hotels in 80 different countries… what could possibly go wrong?

Hilton Worldwide has upgraded its technology to the tune of $550 million and announced that by the end of 2014 guests will be able to use their phone to select their exact room from digital floor plans “for over 650,000 rooms at more than 4,000 hotels across Hilton’s portfolio of 11 brands.” Guests can also “customize their stay by purchasing upgrades and making special requests for items to be delivered to their room, on their mobile devices, tablets and computers.”

The ability to bypass the front desk and use a smartphone as a room key will roll out in 2015; “all U.S. hotels across four of its brands will have this capability by the end of that year. By the end of 2016, the majority of its rooms system-wide will be equipped with this functionality.”

Is it secure or will this feature become the next hotel hacking case? Would it stand up to the likes of Jesus Molina, who will present Learn How to Control Every Room at a Luxury Hotel Remotely at Black Hat? Molina exploited vulnerabilities in the KNX communications protocol that St. Regis ShenZhen hotel in China used so guests can control the features in their room with the supplied iPad and digital butler application.

“Using protocols like KNX for home automation makes no sense for wireless,” Molina told Wired. “This guerrilla war we’re playing with the Internet of Things can get dangerous. This is not something I say lightly.” He claimed that an arbitrary attacker could control virtually every appliance in the hotel remotely. “The KNX/IP protocol provides no security, so any hotel or public space that have deployed it on an insecure network will make it easy to exploit.”

A spokesman for the KNX Association said “the most recent version of the standard did feature authentication and encryption and that it was ‘essential that separate Wi-Fi networks are used’ for the purposes of guest internet access and automation.”

St. Regis Shenzhen said Molina’s claim that he took control of the automation system was “unsubstantiated,” but it had “temporarily suspended the control system of the in-room iPad remote controls for system upgrading.” Since this allegedly includes taking down the whole system and rewiring everything for every hotel room, the ability to exploit the fatal flaws hardly seems “unsubstantiated.”

The Starwood chain, which owns St. Regis, along with the Marriott and InterContinental Hotel groups, is in a mobile services race with Hilton. The Wall Street Journal reported that Starwood is already testing mobile phone room keys; Marriott allows guests to use mobile check-in and check-out, and InterContinental sends out push notifications to guests, such as two-for-one drink specials at the bar.

Hilton launched Conrad Concierge in 2012, allowing guests to use the hospitality software app to check in through their mobile device. “Going forward, Hilton anticipates delivering further digital advancements to guests every six to eight weeks.”

Regarding room selection, Hilton said that by the end of summer, Hilton HHonors members can check in and choose their room “via the Apple and Android HHonors apps across the following U.S. brands: Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, Hilton Hotels & Resorts, Hilton Garden Inn, Homewood Suites and Home2 Suites.”

At 6 a.m. the day before a booked stay, Hilton HHonors members can sign into their account via their mobile device, tablet or computer to check in and choose their preferred room through floor plan maps or lists populated from the hotel’s available inventory. Photos of rooms are also available to help with their selection. Hilton’s digital lobby function is updated in real time, so guests no longer have to wait until they are physically in the hotel lobby to be assigned a room.

Next year, Hilton guests can skip the lines at the front desk and use their smartphones to unlock the doors to their rooms. If Hilton currently uses NFC for the door locks, with an NFC tag embedded in the keycards that can unlock the door, then it might be reasonable to assume the hotel’s app would tap into NFC-enabled phone capabilities. It remains to be seen if some curious hacker will find a way to exploit potential flaws in these new features.

It was two years ago when we learned 4 million hotel rooms were insecure due to Onity programmable keycard locks. With under $50 in off-the-shelf hardware, Cody Brocious opened an Onity lock in only 200 milliseconds. Inspired by Brocious, hackers then cut costs to about $30 and created a pen-sized device that looked like a dry erase marker. When the “James Bond” pen was pushed into a DC port on the underside of a hotel keycard lock, it instantly popped the lock open.

Time and technology marched on, creating new ways to hack hotel features, as will be highlighted by Molina next week at Black Hat. Let’s hope that Hilton’s implementation will be secure or hacking it to open other guests’ doors might end up as a presentation in Black Hat 2015.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.