What Has the Industry Done About the Locks Problem?
The PCI compliance issue taught us that, as an industry, we are better off if we band together and fight the problem as an industry by sharing information, solutions and experiences rather than hoarding the information and trying to solve things individually. It was only when companies started opening up about their breaches and sharing their experiences on how they secured their networks and data that we started to see a reduction in the number of breaches. We are not out of the woods on the issue, but we are certainly more aware of how to combat the problem than we were before. Perception is everything and a negative perception of the industry will hurt everyone if it is perceived that it’s not safe to travel.
Current Hacking Efforts
In doing research for this article, one of the most disturbing things that I discovered was the level of online efforts underway to help potential criminals manufacture devices to hack hotel electronic door locks. Probably the most offensive post that I found was that of a pen tester from a well-known data security company that is involved with the industry. The security consultant can be seen posting detailed pictures, wiring diagrams and instructions on how to manufacture the homemade devices that can fit into the standard Sharpie marker case to look like a felt-tipped marker. In addition, there are posts from the would-be hackers asking for additional instructions and an actual video so that they can see exactly how this is put together. It even goes so far as to ask if the device can be made even smaller. The posts further elaborate how they are buying used ASTC locks on eBay and from other sources so that they can test their devices and ensure that they work. While we cannot be sure that anyone has actually been successful in making the device or using it, one cannot help but wonder how it is that we have a data security expert with one of the data security companies helping potential criminals learn how to make a device to breach hotel locks. The point is that this is what we are up against and we need to develop security methods to address the problem and move ahead of it.
RFID vs. Magnetic Card Swipe
Most locking companies are moving to RFID solutions as they tend to offer better operational functionality than the more traditional magnetic swipe cards. This is not to say that the mag swipe cards are not good systems, but the biggest complaint is usually associated with guest service where the cards become demagnetized. That said, many people have raised concerns that RFID technology is not secure and that the encryption protocols are static, allowing for the cards or tags to be duplicated as guests come into close proximity with a potential hacker’s cloning device. This was highlighted by one HITEC session last year where speaker Josh Klein detailed a number of creative ways in which he has been able to duplicate RFID access cards. Proponents of RFID are quick to point out that there are various encryption levels of RFID, and as such, hotels are encouraged to deploy systems that take advantage of these higher encryption levels, and depending on the system, include read/write functionality, which usually offers a higher encryption level. Additionally, hotels are advised to review their technologies on a regular basis to ensure that the encryption levels are improved as newer technology becomes available.
Disney recently disclosed that it is even moving to a new RFID-based system, MyMagic+, that will drastically change the way that it conducts business and markets its parks.
Near-field Communications (NFC)
The drive to deploy NFC devices is also focusing attention on the security of this technology and how it will be used in the future. NFC is typically dependent on the mobile operator or provider, and given that there are a number of providers worldwide, this could present a challenge to RFID door locking manufacturers to ensure that they are compatible with each solution. In addition, the standards are changing, meaning that existing RFID solutions will probably need to be upgraded to take advantage of the technology in the future.
Training
As the awareness of the locking system breach is coming to the forefront, locking companies are reporting an increase in the amount of additional supplemental system training that is being requested to address both staff and guest-related usage of their systems. Vingcard Elsafe released a statement that said, “We are starting to see more requests for information and in some cases retraining. Our onsite training and overall support mechanisms have always been focused on the proper use of the system, including the security features.”
Onsite System Reviews
Given that many of the locking systems have been installed for extensive periods of time, hotels are starting to require system reviews to ensure that their systems’ firmware and applications are up to date and on the latest revisions. Additionally, some are requesting outside reviews from security companies to ascertain risk as part of an overall system and property security initiative.
Salto Systems indicated that it notifies customers when it has software upgrades to keep the systems at peak performance.
OpenWays
There has been quite a bit of discussion on the potential use of OpenWays’ LOCKFIX to address the ASTC lock security issue. OpenWays specializes in mobile-based access management and security solutions. Its products target the use of mobile devices and audible encrypted sound to allow guests and staff the ability to use their smartphones to access their guestroom door locks. The solution purports to be a relatively inexpensive and effective way to secure the existing ASTC HT Series Lock. The OpenWays equipment is attached to the door lock, providing a way for the lock to be controlled wirelessly and allowing staff to communicate with the lock via a mobile device. This in turn means that the external PP communications port can be disconnected and the lock is therefore not susceptible to being breached via this exposed method.
OpenWays has offered to provide free licensing for LOCKFIX to address the ASTC lock problem, which would allow hotels to interrogate the locks. The components, which reportedly cost about $55 per lock to install, would still need to be accounted for as part of the security upgrade. The company also offers an upgrade pathway to its mobile staff and guest key solutions, which do require the purchase of additional licensing. OpenWays has proposed a security solution for Docomo Intertouch.
Critics of the solution point out that it typically requires effective cellular wireless coverage in the area of the locks to facilitate communication via a mobile device and the installation can be time consuming and fairly costly. Additional concerns point to the fact that the hotel now has two companies involved in the overall support and ongoing upgrades to the locking system.
The Issue of Liability
The approach that many hotels and lock manufacturers have taken appears to be primarily driven by the potential liability and risk. This is understandable given the situation and the potential responsibility that they may have for potential breaches. We reached out to various parties for comments on the situation and received limited responses, which under the circumstances is understandable. However, as previously mentioned, there are lessons to be learned as a result of the early credit card breaches and PCI compliance efforts that have been underway these past few years. Initially when the breaches began, most affected hotels and companies were reluctant to share information on the incidents or how they resolved them. Most were concerned about the loss of potential business and that guests would not want to stay at the hotels for fear of having their credit card information and potential personal data compromised. That changed when the industry got together and started to share information. What was disclosed helped formulate key approaches to addressing the problem and the information was dispersed through industry organizations like HFTP and HTNG, and the net result has been a dramatic reduction of the problem.
The industry is not out of the woods on the data security issue, and given the ongoing nature of the problem, never will be. But the point is that the industry collaborated on the issues and solutions were found, and for the most part, the public seems to be pleased that the data security issue continues to be addressed across the board.
This same kind of collaboration must occur with the locking system issue. The personal safety of the guests is at risk, and for this reason the industry needs to step outside of its comfort zone and really tackle this problem head on before we have a more serious incident. We realize that criminals now have easy access to online information that teaches them how to make inexpensive devices to break into hotel rooms. There needs to be a concerted effort from all parties to collaborate on the issue and come up with effective and affordable solutions to the problem. This effort not only needs to focus on new technology solutions, but there also needs to be a concerted effort to combat the challenges through effective training and education at the property level and throughout the industry. Additionally, this effort needs to focus not only on the hotels, but there also needs to be an effective communication program to reach out to the traveling public to assure the guests that the hotels are safe.
We should never lose sight of the fact that guest safety and security should always be the most important priority for hotels.