Unlocking Mobile App Vulnerabilities in Hotel Room Keys

To improve the guest experience and keep pace with competition, hotels worldwide are deploying digital key technology that allows guests to skip the front desk and use their mobile apps to remotely check in and go directly into their rooms without needing key cards. And when it’s time to leave, travelers can use the hotel’s app to remotely check out.

However, hotel mobile apps have vulnerabilities that can be exploited. In August, two researchers speaking at the Black Hat USA 2019 conference in Las Vegas announced that in April 2019 they broke into a room at a high-end hotel in Germany by hacking into its mobile app hotel key system.

While the initiative was only a demonstration, it speaks to the potential security threats that hotels and organizationes in general face as they deploy mobile apps and Internet of Things (IoT) devices.

Benefits of Digital Room Keys

Hotel mobile apps are growing in popularity as 40% of guests use mobile apps as a one-stop shop for accessing hotel services, from ordering room service and requesting room amenities to texting hotel staff for assistance, according to a 2018 survey by the American Hotel & Lodging Association.

Hotel executives say guests increasingly expect mobile entry when they make their booking decisions. In fact, the percentage of hotels that offer digital room keys has nearly tripled, from 6% in 2016 to 17% in 2018, the survey found. For example, Marriott International and Hyatt expect to roll out digital keys to all of their properties by the end of 2020. Hilton has already deployed the technology to 75% of its properties, according to a recent New York Times article.

In some hotels, guests can touch a button on their mobile app to unlock their hotel room doors and access elevators, fitness centers and other common areas. In other hotels, guests simply have to hold their smartphone next to the lock to unlock a door.

For hotels, other benefits of mobile room keys include:

• Improves service by enabling customers to bypass the front desk lines and go directly to their rooms
• Boosts revenue by encouraging guests to book directly from the hotel’s mobile app
• Improves efficiency by freeing front desk staff to focus on other customer service needs
• Eliminates the hassle of replacing lost or demagnetized key cards
• Saves money by reducing the need to purchase replacement key cards

Hacking into a Mobile Key System

The two researchers – German hackers named “Ray” and Michael Huebler – showed in their Black Hat session how they easily hacked into the digital key system at the high-end German hotel by using wireless sniffing tools as cooperating guests opened their doors, according to a Threatpost article.

The German hotel uses a mobile key system that features doors with IoT locks and the hotel’s mobile app, which connects to the locks through Bluetooth Low Energy (BTLE), a low-cost Bluetooth variant that consumes less power. “All together, there’s quite a lot of attack vectors there,” Ray said.

After monitoring the wireless traffic and inspecting the credential packets, the researchers discovered that the mobile key system was vulnerable to a key stealing attack. They developed a hybrid hardware/software exploit that allowed them to break into a cooperating guest room to prove its effectiveness.

After the successful proof of exploitability in April, the researchers notified the lock vendor who acknowledged the vulnerability in May and announced plans to update its system in June. However, during their August conference talk at Black Hat, the two researchers said the vendor had yet to patch its system and the hotel whose app they hacked into still used the same mobile app and locks to control entry to guest rooms, elevators and the fitness center. The researchers revealed that other hotel chains also use the same vendor’s mobile key system, so the vulnerability exists beyond the one German hotel. It is unknown how widespread the risk is.

The mobile digital lock vendor faces several challenges to securing its digital key system: some systems use centralized management systems that can be updated online, while other hotels require employees to go door-to-door to make the update. Furthermore, multiple hotel mobile app developers will have to upgrade their mobile apps by integrating with an updated mobile lock SDK when a fix is available.

“Interesting to us was the fact that we obviously were the first to discover such a vulnerability and that the system we found it in was not a cheap motel, but an upper-class house,” the two researchers said in an interview published on Black Hat’s website. “Also, it was interesting to see what it takes to get such an exploit from a theoretical proof-of-concept to something that could be used in real life to steal a key and enter a room.”

Why to Invest in Mobile AppSec Testing

While the two researchers’ efforts serve as a proof-of concept of the exploitability of one vendor’s specific technology, there are no other widely reported incidents.

However, the fact that hackers could break into one hotel mobile key system shows the dangers consumer organizationes face as mobile apps become more popular and account for a larger piece of their revenue stream.

Hotels must regularly test the security and privacy of their mobile apps — especially the newer mobile app portion of their digital room key systems. Proper testing procedures can protect the organization and customers from security vulnerabilities and privacy flaws that can damage brand reputation and result in customer loss and fines. Mobile IoT system vendors such as the lock manufacturer must also properly security test their SDK and Bluetooth locking mechanisms.

To learn how organization leaders in retail, travel and hospitality can better secure their apps, download the NowSecure ebook, “Why Mobile App Security & Privacy Matter to Consumer Brands.”