Hacked room-door locks: What’s in store?

Risk management experts share their insights on how hoteliers can keep their rooms secure.

 

Following a robbery at a Houston hotel in which thieves exploited security flaws in Onity locks that were first revealed at the Black Hat conference in July, Hotel Management spoke with Todd Seiders, director of risk management at Petra Risk Solutions and former director of loss prevention at Marriott, for tips on how hoteliers can keep their rooms secure.

“[Onity] immediately started offering the caps and screens to block the port that causes the vulnerability, but I don’t think that’s a very valuable option, because if you block these terminal ports and you have an emergency in the room and the lock has failed, you have to be able to plug in the portable programmer or you’ll have liability issues,” Seiders said. “The thing to take advantage of now is the motherboard switch out. If you mail it in within a reasonable amount of time they’ll replace it for free. The motherboard fix, that’s what these hotels should be doing.”

While Seiders noted that the recession has meant less money available for full-time security staff and new equipment like cameras, he emphasized the importance of staff training in hotel security. “My advice is to go walk the halls and if you see a person standing in the hallway go and look at him for 60 seconds. He’ll either go to a room, or, if not, approach him and say ‘what’s up,’ find out if you can help him. Customer service is the best security.”

Seiders also pointed out that the newer models are not as vulnerable to hacking. “It’s the older Onity locks that are subject to hacking,” Seiders said. “With the old locks, which were the best at the time, the encryption code that authorizes the lock to open has been installed on all of those individual locks. The hacking device, when it’s plugged into the lock, fools the lock into thinking it’s an authorized programmer. The newer locks don’t have the encryption code in each one; the code is issued at the front desk.”

In a statement from Onity, the company said, “Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers. Technical solutions vary depending on the age, model and deployment of locks at properties.” 

NFC locks can still benefit guests without smartphones

While it may take some time for widespread adoption of smartphones with near-field communication capability, NFC locks can still benefit guests without smartphones. 

“With the ever-increasing rate of mobile phone use, it is conceivable that, sometime in the future, NFC could become the industry standard,” said George Winker, VP sales North America for VingCard Elsafe. “For the time being, NFC is not for everyone. Many guests will continue to use traditional check-in methods similar to travelers at an airport. The more seasoned traveler will take advantage of the technology and the convenience to improve their travel experience, while the leisure or infrequent traveler will likely still rely on traditional methods. NFC has the ability to improve the experience of both guests because it allows the NFC user to leverage technology to improve their experience, and allows the hotel staff more time to quickly check in guests who prefer traditional methods of interacting with the hotel front desk.”

NFC’s tie to the smartphone also gives it an advantage over competing post-room key technologies. “Biometric technologies have been experimented with in other segments, such as commercial buildings, but have not experienced a significant level of adoption in the hospitality market, since hotel guests are temporary and have no need for a long-term relationship with the lock,” said Winker. “Other suppliers offer various methods of mobile phone access that do not require NFC capability in the phone. However, it is important to note that these methods are dependent on Internet access, which is still a major challenge in many hotels in many areas.” 

Mobile payment to drive near-field communication adoption rates

NFC-compatible door locks can streamline the check-in process by allowing guests to skip the front desk and use their smartphone as a room key, but standardizing the credential delivery between the phone and the lock remains a challenge, said Giovanni Iacovino, VP development of mobile solutions at Kaba Lodging.

“In the beginning everyone thought NFC itself would be the challenge, but we’ve learned that that’s probably the least of the challenge,” Iacovino said. “The credential delivery, the whole roundtrip to get into your phone, securely, is definitely a much bigger challenge than NFC.”

Despite the challenges, NFC locks could benefit from the same forces that are driving the mobile payments industry. “What we’ve adopted, what the industry is adopting, are the same protocols and standards, called the GlobalPlatform standard, that are now in the process of deploying for mobile and credit cards,” Iacovino said. “They use very high-level security and encryption protocols to employ the delivery.”

In addition to the push for mobile payments, the NFC compatibility of existing RFID locks is another point in NFC’s favor. “NFC is an extension of RFID, so that’s an advantage for NFC,” said Iacovino. “The locks we sell today are NFC-compatible out of the box because NFC has the ability to emulate RFID, so locks will work with phones emulating RFID or RFID keycards.

“Because RFID and NFC are not really separate technologies per se, long-term, I think that there will still always be a requirement for an RFID non-mobile solution for a hotel,” Iacovino continued. “It’s like saying, will credit cards ever fully replace cash? There will always be the usefulness of having that card, but can you ever fully replace cash with it? If payment does move toward NFC, and that’s going to be the driving factor, where your credit card is now being replaced by a mobile phone, there will be a strong push toward using mobile handsets. If you’re using your handset for your credit card, you’ll probably be using it for your key card. Will it be 100 percent? Probably not.”