Hotel guestroom door locks and keycard systems that are connected to the internet pose security risks, technology experts say, but there are also some widespread misconceptions about the nature of those risks.
REPORT FROM THE U.S.—The physical and digital security of hotel guestroom door locks has been a hot topic in the news lately, with the sometimes-sensationalized story of a hacker who extracted a ransom for a hotel’s keycard system.
For some clarity on the issue, Hotel News Now reached out to tech experts who explained what can and can’t happen with electronic door locks, what is vulnerable and how hoteliers can protect their properties and their guests from hackers.
Guestroom door locks were traditionally treated as a piece of equipment maintained by a maintenance/building facilities engineer, said Armand Rabinowitz, senior director of strategy and workgroups at Hotel Technology Next Generation. This employee didn’t tend to be well-versed in technology unless they happened to be so for another reason, he said.
“That has changed as the position has become increasingly more technical,” he said. “Ten years ago, electronic locks didn’t need to be, nor were (they) connected to the internet.”
Locks were connected to an encoder or a local serial connection, he said, a basic protocol that doesn’t travel across internet-connected devices. That physical protocol became outdated as hotels moved to IP-based connections, he said, which requires hoteliers to be careful in how they implement the system.
Everything at Greenwood Hospitality’s properties is on a guarded back-office, closed network, said Paul Wood, VP of revenue generation. The network is scanned for malware and viruses, he said. Locks are sequenced with encoders, he said, and this is a safe process as long as hotels have the system set up correctly.
The code connects the guest key with the lock, he said. Once it hits checkout time, the sequence says it’s time, and the keycard access shuts off.
“From a safety factor/feature perspective, it’s been this way more than 20 years,” he said. “The industry has it down pat.”
Systems today have a long history in the industry, Rabinowitz said, and they’re widely adopted around the world. In most cases, the communication protocols between online door locks are so limited that transmitting code that would constitute a virus is challenging, if not impossible, he said.
“There would have to be a physical compromise to the point of replacing parts, rendering it unusable by the existing system,” he said.
Training and policies
Hotel managers should treat a door lock system like any other valuable IT asset, Rabinowitz said. That means ensuring all implementation security standards have been put in place for both physical and remote access, he said. There also should be an update process to ensure the system is running on the latest software, he said, and antivirus and security software must be installed on all machines that touch or run any of the lock system’s software.
Any vendor software older than 10 years, he said, should be considered for upgrade or replacement. Third-party integrations, such as online systems that connect to in-room devices like the thermostat, should be carefully assessed, he said.
“If you’re treating it like an IT asset, so many things come into scope,” he said. “You’re mitigating a lot of the challenges.”
For the security of electronic locks, Wood had some non-technical advice as well: If a guest asks for another key, ask for his or her ID. Walk with the guest into the guestroom if he or she doesn’t have an ID. Housekeepers should not let guests into a room if they are locked out and refer them to the front desk or manager, he said.
“It might seem an inconvenience to the guest because they’re in a rush, but it is for their safety,” he said.
Train employees on safety protocols and the proper use of the system, Wood said, so they know what the identification process looks like. They need to know who should have access to the back-office component of the key system, he said, and that’s only people at a higher administrative level.
“There are even different access levels for different keys,” he said. “Emergency keys are keys only administration and directors of security can have.”
It’s important to keep track of who has what key when, he said. There’s no reason to give housekeepers keys to everything in the hotel if they only work on a couple of floors, he said.
“Only give keys to what they should have access to,” Wood said.
On a quarterly basis, all zone keys should be wiped out, he said, and everything rezoned. It’s important to reconfigure on a yearly basis at minimum, he said.
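The policies Wood describes (a guest key that stops working at checkout, staff keys limited to the zones they work, emergency keys that open everything, a record of who holds which key, and a periodic wipe and rezone) can be modelled as a small authorization check. The following Python is an added illustration written for this article, not code from any lock vendor or from Greenwood Hospitality; the lock ids, zone names, dates and holder names are all constructed, and the "generation" counter is an assumed way of making old zone keys die on a rezone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed toy model of the keycard policies in the article: keys scoped
# to one room or to zones, guest keys that die at checkout, zone keys wiped
# by a rezone, and an audit trail. Not any vendor's lock software.
GUEST, ZONE, EMERGENCY = "guest", "zone", "emergency"


@dataclass(frozen=True)
class Key:
    key_id: str
    holder: str
    kind: str                 # GUEST, ZONE or EMERGENCY
    scope: FrozenSet[str]     # lock ids (guest key) or zone names (zone key)
    valid_from: datetime
    valid_until: datetime     # for a guest key this is the checkout time
    generation: int           # zone generation the key was encoded against


class LockSystem:
    def __init__(self, lock_zone: Dict[str, str]) -> None:
        self.lock_zone = dict(lock_zone)   # lock id -> zone (floor) it sits in
        self.generation = 1                # bumped by every rezone
        self.keys: Dict[str, Key] = {}     # register: who was given which key
        self.audit: List[Tuple[datetime, str, str, str]] = []
        self._seq = 0

    def _issue(self, holder, kind, scope, valid_from, valid_until) -> Key:
        self._seq += 1
        key = Key(f"K{self._seq:04d}", holder, kind, frozenset(scope),
                  valid_from, valid_until, self.generation)
        self.keys[key.key_id] = key
        return key

    def issue_guest_key(self, guest, room_lock, checkin, checkout) -> Key:
        # A guest key is bound to one lock and one stay, nothing more.
        return self._issue(guest, GUEST, {room_lock}, checkin, checkout)

    def issue_zone_key(self, staff, zones, valid_from, valid_until) -> Key:
        # Staff get only the zones they actually work, never "everything".
        return self._issue(staff, ZONE, zones, valid_from, valid_until)

    def issue_emergency_key(self, holder, valid_from, valid_until) -> Key:
        return self._issue(holder, EMERGENCY, set(), valid_from, valid_until)

    def try_open(self, key: Key, lock_id: str, now: datetime) -> bool:
        """Lock-side decision: known and in date, then generation, then scope."""
        if key.key_id not in self.keys or not (key.valid_from <= now < key.valid_until):
            verdict = "denied:expired"
        elif key.kind != GUEST and key.generation != self.generation:
            verdict = "denied:stale-generation"   # encoded before the last rezone
        elif key.kind == EMERGENCY:
            verdict = "granted"
        elif lock_id in key.scope or self.lock_zone.get(lock_id) in key.scope:
            verdict = "granted"
        else:
            verdict = "denied:out-of-scope"
        self.audit.append((now, key.key_id, lock_id, verdict))
        return verdict == "granted"

    def rezone(self) -> int:
        """Periodic wipe: every zone and emergency key must be re-issued.
        Guest keys are untouched; they expire at checkout anyway."""
        self.generation += 1
        return self.generation

    def active_keys(self, now: datetime) -> Dict[str, List[str]]:
        """Who holds a working key right now: the list to review before a rezone."""
        report: Dict[str, List[str]] = {}
        for k in self.keys.values():
            live = k.valid_from <= now < k.valid_until
            if live and (k.kind == GUEST or k.generation == self.generation):
                report.setdefault(k.holder, []).append(k.key_id)
        return report

    def denials(self) -> List[Tuple[datetime, str, str, str]]:
        return [e for e in self.audit if e[3] != "granted"]


def demo() -> dict:
    """Walk the policies through constructed data and return the verdicts."""
    t0, checkout = datetime(2017, 3, 1, 15, 0), datetime(2017, 3, 3, 11, 0)
    hotel = LockSystem({"301": "floor-3", "302": "floor-3", "501": "floor-5"})
    guest = hotel.issue_guest_key("guest-A", "301", t0, checkout)
    hk = hotel.issue_zone_key("housekeeper-B", {"floor-3"}, t0, t0 + timedelta(days=90))
    em = hotel.issue_emergency_key("security-director", t0, t0 + timedelta(days=365))
    r = {
        "guest_own_room": hotel.try_open(guest, "301", t0),
        "guest_other_room": hotel.try_open(guest, "302", t0),
        "guest_after_checkout": hotel.try_open(guest, "301", checkout),
        "hk_own_floor": hotel.try_open(hk, "302", t0),
        "hk_other_floor": hotel.try_open(hk, "501", t0),
        "emergency_any": hotel.try_open(em, "501", t0),
    }
    hotel.rezone()                                   # the quarterly wipe
    t1 = t0 + timedelta(days=1)
    r["hk_after_rezone"] = hotel.try_open(hk, "302", t1)
    r["guest_after_rezone"] = hotel.try_open(guest, "301", t1)
    new_hk = hotel.issue_zone_key("housekeeper-B", {"floor-3"}, t1, t1 + timedelta(days=90))
    r["hk_reissued"] = hotel.try_open(new_hk, "302", t1)
    r["active_holders"] = sorted(hotel.active_keys(t1))
    r["denials"] = len(hotel.denials())
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is that the lock decides on expiry and generation before it even looks at scope, so a key that was never re-encoded after a rezone is refused no matter which zones it once opened, and `active_keys` gives the "who has what key" view that the register is supposed to answer before each rezone.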
Hilton is one of the hotel brands moving forward with allowing guests to unlock their guestrooms through a smartphone app. When developing its mobile app, Hilton put it through comprehensive testing and enlisted security experts to vet it, said Joshua Sloser, VP of digital product and innovation for Hilton.
Each digital key is tied to a specific guest account on the reservation, he said, and the guest specifies one phone prior to his or her arrival. The digital key can’t be shared or placed on another device.
“Every time a digital key is requested under an account, Hilton sends a confirmation email to the email address in the guest’s Hilton Honors profile confirming that he or she requested a digital key,” he said.
To further secure the app, only guests with a prior-stay history can skip the front desk when they arrive, Sloser said, and those without must go to the front desk to share their ID and credit card to receive the digital key. Guests have the ability to hide their room number after they unlock their door the first time, he said.
“Should the guest’s phone be lost or stolen, the room number associated with that digital key will be concealed,” he said.
Guests shouldn’t worry about any malware entering their phone when unlocking a door through a mobile app, Rabinowitz said.
“To get something malicious from lock to phone, it’s really almost impossible,” he said. “To get something to a phone, if there’s any change, I would think that would be the greater vulnerability. Most phones have quite a bit of security built in so they’re not communicating private information.”