HotelsMag May 2016 | Page 55

Technology: Security

Is it safe?

This is often the first question from both guests and hoteliers when the topic of mobile key access comes up.
Contributed by Jennifer Goforth Gregory

There are two main issues regarding mobile key access security — keeping the room safe physically from unauthorized entry as well as protecting the hotel network and guest data from breaches. Neither is a straightforward task, because hotels use multiple systems throughout the property and each access point with another vendor creates another avenue for a breach. “It is extremely probable in a highly integrated hotel environment that an adversary can find a way to penetrate the network,” says Ted Harrington, executive partner at Independent Security Evaluators and co-chair of the HTNG Door Lock Security working group.

Identifying weaknesses

When buying a mobile key access solution, Harrington says hotels should put the product through a robust, manual, white box security assessment. “The hotel industry currently uses cursory testing that typically covers only the first step in an adversary’s investigation before an attack,” he says.

Many hotels add the mobile key access feature to one of their existing apps, such as guest loyalty, which leads Harrington to recommend again a white box security evaluation, similar to when purchasing a new product.

In fact, Starwood Hotels & Resorts hired an independent security firm to conduct “penetration testing” on both the locks and the SPG mobile app, used to open guestroom doors, to identify any vulnerabilities.
Encryption not full solution

While many hoteliers and vendors focus on encryption, Harrington says that key management is as important. Most attackers do not try to break encryption but instead try to find mobile keys to decrypt. He recommends researching a vendor’s key management strategy and asking many questions about how the system handles key management.

Authentication — making sure users are who the system thinks they are and that they have the authority to open a specific door — is another security concern. Hilton Worldwide ties digital keys to specific phone numbers and guest accounts that cannot be shared or transferred to other devices. Every time a digital key is requested under an account, Hilton sends a confirmation to the email address in the guest’s HHonors profile confirming the request.

Training matters

When Ashford Hospitality hotels launch mobile key access, the vendor visits the property for several days to train, including classroom and check-in assistance. The vendor also provides handbooks and guides to help the hotel onboard new employees.
Hilton reminds guests to secure their devices and to use secure passwords during check-in. In addition, guests are told to contact the front desk immediately if their phone is lost or stolen to deactivate the key. Hilton guests can hide their room number on the app so that no one can see it if the phone is lost or stolen.
“Our guiding principle has been to create a digital key that is just as secure as a traditional key card,” says Dana Shefsky, director of product innovation at Hilton. “It’s important to remove any element of human error from the equation, and we do that by automating much of the process.”