Front Desk

Hackers Expose Security Concerns at Hotels

As HITEC keynoter Josh Klein said to an audience of hoteliers last month, “your attack surface is very porous.” The professional hacker/consultant/author was speaking more about cloud-based computer networks, the fearless use of WiFi by guests in public and private spaces, and the overall “illusion of safety” in hotels.

But another hacker, 24-year-old security researcher Cody Brocious, took it a step further earlier this week. At the Black Hat security conference, he demonstrated what he called vulnerabilities with Onity hotel room locks. Forbes detailed the work in a recent story, and in it, Brocious said:

“With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments. An intern at the NSA could find this in five minutes.”

Scary stuff, and a detailed explanation (complicated to these low-tech eyes) can be found at Brocious' blog.

“In general, hotels are very safe,” said Frank Wolfe, CEO of HFTP, in a release directly responding to the Forbes story. “But, travelers have to remember that hotels also include public places, and should act accordingly. By following a few common sense practices, guests can remain secure in their surroundings.”

HFTP offered up several tips for travelers, from securing all valuables in the in-room safe to “ALWAYS” using the deadbolt and security latch.

What should hoteliers do? I'd check with your lock manufacturer, and make sure your staff is cognizant of its “porous” workspace. Klein said the simplest way to gain access to a hotel's network would be to buy a few cheap flash drives, drop a couple in the parking lot and lobby, and odds are some curious employee would pick one up and plug it into their computer behind the company firewall. And voilà, the hacker is in, and his Trojan virus is already working its evil magic.

Be aware, and be as prepared as possible.
