How to prevent a hotel key card hack

When a luxury hotel in Austria found its electronic room keys hacked last year, the hotel—which was using magnetic key cards—was unable to give arriving guests the keys to their rooms.[1] These stranded visitors were treated to champagne while they waited for room keys to be available. When hackers emailed the hotel demanding two Bitcoins as ransom, the hotel paid.[2]

And what happened after the hotel key card hack? The hotel's owner decided to return to old-style door locks and physical keys like the ones his great-grandfather used when he founded the hotel more than 100 years ago.

That's not necessarily the best solution for every property, though. There are other ways to prevent hotel key card hacks and ensure hotel safety without having to resort to outmoded hospitality practices.

 

The risks of hotel key cards

Many hotel room keys these days use a magnetic strip to unlock the room door—but as they learned in Austria, these cards are not always as secure as guests assume and hoteliers hope them to be.

Two employees from the international cybersecurity firm F-Secure discovered a design flaw in the Vision software product used by electronic card keys in more than 40,000 buildings across 166 countries. Not only did these two "hackers" find a way to access rooms, but they also say the security flaw meant that in just minutes they were able to create master keys for an entire building—without leaving any log of the covert activity. This hotel key card hack works on expired key cards and cards that open utility rooms, as well.[3]

In 2012, a different security researcher found another way to hack the keycard locks sold by the company Onity, using a homemade device made from $50 worth of readily available hardware parts.[4] According to Wired, that security flaw seems to be mostly fixed, although some smaller, family-run hotel franchises may still be using the older, flawed locks.[5]

According to the BBC, some of the world's biggest hotel chains, including Hyatt, Intercontinental, Radisson and Sheraton, use the affected electronic key locks, which are made by Swedish company Assa Abloy. The company says hotels began deploying a fix in February, but it's not clear if some properties are still using the compromised key cards.[6]

Ensuring hotel safety

So what can hotel owners do to make sure their guests and their valuables are safe?

Consider whether your hotel's door locks track who goes in and out of rooms, as this can deter theft. Other approaches to increasing guest safety include making sure your closed-circuit television footage is monitored. It's also a good idea to talk with employees about engaging with and watching customers so they can determine if someone doesn't fit the profile of the hotel's typical guest and perhaps shouldn't be on the property.

You should provide in-room safes for guests' valuables, but recognize that security can vary regarding safes as well. Look for options that are fire- and burglar-resistant, meet the requirements of a weapons safe and even have a panic code with a silent alarm.

Some hotels fail to change their in-room safes' default codes, which is an essential security measure. If the codes 00000 or 1-2-3-4 open your room safes, they are not secure, and you need to change the default code.[7] Finally, make sure a professional installs and secures your hotel's in-room safes.

 

Using smartphones as room keys

More hotel properties are using mobile room keys, allowing guests to electronically access their room, elevators, fitness rooms or parking garages with their smartphones. According to MarketWatch, Hilton uses digital keys at more than 1,000 properties, Marriott and SPG hotels offer them at more than 400 properties, Radisson RED is starting to offer mobile key options, and Intercontinental Hotels and Resorts is currently rolling them out.[8]

Are mobile room keys really safer than plastic key cards? Although smartphones can be stolen, guests generally set a phone lock. Also, a separate login is required to use a mobile key app, which can offer some additional protection—and, more importantly, greater peace of mind.

1. "Austrian Hotel Ditching Electronic Room Cards after Being Hacked." Thestar.com. January 31, 2017. Accessed June 13, 2018. https://www.thestar.com/news/world/2017/01/31/austrian-hotel-ditching-electronic-room-cards-after-being-hacked.html
2. "Hackers Use New Tactic at Austrian Hotel: Locking the Doors." The New York Times. December 22, 2017. Accessed June 13, 2018. https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html?_r=0
3. Cameron, Dell. "Hackers Designed a 'Master Key' to Unlock Millions of Hotel Room Doors." Gizmodo. April 26, 2018. Accessed June 13, 2018. https://gizmodo.com/hackers-designed-a-new-way-to-secretly-unlock-millions-1825524839
4. Greenberg, Andy. "Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks." Forbes. July 23, 2012. Accessed June 13, 2018. https://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/#33c0a9e3eb85
5. Greenberg, Andy. "The Hotel Room Hacker." Wired. August 2017. Accessed June 13, 2018. https://www.wired.com/2017/08/the-hotel-hacker/
6. "Hotel Door Locks Worldwide Were Vulnerable to Hack." BBC News. April 25, 2018. Accessed June 13, 2018. https://www.bbc.com/news/technology-43896360
7. Carey, Meredith. "The One Thing You Should Check Before You Use a Hotel Safe." Condé Nast Traveler. October 20, 2016. Accessed June 13, 2018. https://www.cntraveler.com/stories/2016-08-05/the-one-thing-you-should-check-before-you-use-a-hotel-safe
8. Lambarena, Melissa. "Can You Trust a Hotel Mobile Room Key?" MarketWatch. January 18, 2018. Accessed June 13, 2018. https://www.marketwatch.com/story/can-you-trust-a-hotel-mobile-room-key-2018-01-18