Hotel guestroom door locks and keycard systems that are connected to the internet pose security risks, technology experts say, but there’s also some widespread misconception about the nature of those risks.
The physical and digital security of hotel guestroom door locks has been a hot topic in the news lately, with the sometimes-sensationalized story of a hacker who extracted a ransom for a hotel’s keycard system.
For some clarity on the issue, Hotel News Now reached out to tech experts who explained what can and can’t happen with electronic door locks, what is vulnerable and how hoteliers can protect their properties and their guests from hackers.
Guestroom door locks were traditionally treated as a piece of equipment maintained by a maintenance/building facilities engineer, said Armand Rabinowitz, senior director of strategy and workgroups at Hotel Technology Next Generation. This employee didn’t tend to be well-versed in technology unless they happened to be so for another reason, he said.
“That has changed as the position has become increasingly more technical,” he said. “Ten years ago, electronic locks didn’t need to be, nor were (they) connected to the internet.”
Locks were connected to an encoder or local serial connection, he said, which is a basic protocol that doesn’t travel across internet-connected devices. The physical protocol became outdated as hotels moved to IP-based connections, he said, which requires hoteliers to be careful in how they implement the system.
Everything at Greenwood Hospitality’s properties is on a guarded back-office, closed network, said Paul Wood, VP of revenue generation. The network is scanned for malware and viruses, he said. Locks are sequenced with encoders, he said, and this is a safe process as long as hotels have the system set up correctly.
The code connects the guest key with the lock, he said. Once it hits checkout time, the sequence says it’s time, and the keycard access shuts off.
“From a safety factor/feature perspective, it’s been this way more than 20 years,” he said. “The industry has it down pat.”
Systems today have a long history in the industry, Rabinowitz said, and they’re widely adopted in the world. In most cases, the communication protocols between online door locks are so limited that to transmit a code that would constitute a virus is challenging, if not impossible, he said.
“There would have to be a physical compromise to the point of replacing parts, rendering it unusual by the existing system,” he said.
Training and policies
Hotel managers should treat a door lock system like any other valuable IT asset, Rabinowitz said. That means ensuring all implementation security standards have been put in place for both physical and remote access, he said. There also should be an update process to ensure the system is running on the latest software, he said, and antivirus and security software must be installed on all machines that touch or run any of the lock system-based software.