Are Smart Hotel Rooms Smart Enough to Protect Your Privacy?

As executive protection professionals, it’s our mission to protect our clients from all manner of threats. In an increasingly connected world, we must also help protect their data and their privacy.

Now that the Internet of Things (IoT) is becoming increasingly integrated all around us, it’s time to consider the consequences of the IoT devices rapid proliferation in hotels. For executive protection professionals, the increased use of the IoT in hospitality settings will impact how we do advances and perform details. Everyone interested in secure travel would do well to consider the potential risks from these devices and how best to protect themselves and their data.

In this blog, we discuss some of the ways these devices are used to access personal information and hack hotel networks and consider some best practices to ensure our principals and others are properly protected.

With the recent revelation that 500 million guest accounts in a major hotel chain’s reservation system had been hacked, hotel cybersecurity is once again making headlines and giving headaches. Whether the breach was due to a phishing email, a server break-in, or a virus, the takeaways are as clear as they are disturbing: Hotels have tons of personal data, they are vulnerable to cyber-attacks, and they urgently need to up their game to protect their guests and themselves.

Although hotels have for years collected guest data such as names, addresses, emails, credit card and passport numbers, they are now poised to gather even more personal information. There is plenty of room at the inn for the IoT, and smart hotel rooms are one of the hottest trends in the industry today. As the IoT becomes increasingly embedded in hotels, the amount of personal data hotels collect about their guests will increase exponentially.

Smart hotel rooms are already here, but this is just the beginning.

While a hotel’s IoT light switch might not look any different than the one in your grandmother’s house, it is.  Every IoT device in a hotel, big or small, can be connected to the internet, the hotel’s servers and the guest’s devices.

The smart hotel room promises the personalization of everything from the temperature of a morning shower to when window shades open and close. In addition to light switches, smart TVs, temperature controls, alarm clocks with USB ports – and more – will also be connected. Guests will soon be able to set these things remotely, so the rooms they check into after a long day of meetings is precisely to their liking.

Hotels have other reasons than the guest experience to increase their adaptation of IoT devices.  Brands will wield their IoT conveniences to differentiate properties and compete for market share. Smart mini-bars and additional online services will bring in more revenue. Don’t forget that reams of data harvested from guests interacting with all these smart things will make predictive algorithms about customers more intelligent than ever. Chains are already offering smart rooms featuring Alexa for Hospitality. More Voice User Interfaces (VUIs) in hotels are sure to come, fast.

Are these hotel rooms smart enough to keep me safe and protect my privacy?

Gartner estimates that the number of IoT devices deployed worldwide will practically double from 11 billion in 2018 to 20 billion in 2020. A recent trip to Europe demonstrates that hotels are doing their part to keep up with this astounding proliferation. At just one five-star hotel, we counted 35 IoT devices in a single room. Multiply this by the hotel’s 200 rooms, and you get 7,000 IoT devices on one property – and 7,000 new opportunities for the bad guys to do harm.

Every IoT device can potentially be hacked to access hotel servers and provide access to guests’ personal information or disrupt hotel security. All these convenient IoT devices can also open a backdoor to guests’ smartphones and personal computers to reveal their personal data or download viruses and spyware.

There’s something fishy going on in that aquarium

If you think all of this sounds farfetched and alarmist, consider a recent real-world example in which hackers attacked a North American casino hotel via an aquarium to steal data on the high rollers staying there. Here’s the story in seven bullets:

1. A thermostat in an aquarium located in the hotel lobby was connected to the hotel’s servers and the internet.
2. The hackers compromised the thermostat and gained control of it.
3. The hackers then found and accessed the hotel’s servers via the hotel network.
4. The hackers attacked the hotel server.
5. Once into the server, the hackers breached the hotel database.
6. From the database, hackers extracted high-roller information and exported the data back to the thermostat.
7. The hackers then downloaded the high-roller data from the thermostat to their own computer.

While hotels have made significant investments to protect their networks from traditional attacks, the IoT ushers in completely new dimensions of risk for which they are not prepared. Let’s look at the three main vulnerabilities and what hoteliers can do about them.

1. Protecting hotel infrastructure against IoT vulnerabilities

As mentioned above, there are more and more IoT devices connected to hotel infrastructure. These include devices related to physical access control, CCTV, HVAC, electronic key card systems, fire detection & suppression systems and more.

All of these devices can be hacked, often quite easily, to disrupt hotel operations, impact employee effectiveness, impair the guest experience, and erode the bottom line. Moreover, hotel operations can be compromised and held ransom by the hackers. In a worst-case scenario, CCTV security cameras could be hacked to facilitate an attack or robbery.

A real-world example: In 2017 a four-star hotel in Austria was targeted by hackers – and it wasn’t the first time. The attack began with a phishing email. Once opened by an unsuspecting hotel employee, the hackers accessed the hotel network.  This, in turn, gave them access to the hotel’s electronic key card infrastructure and let them disable the key coding machine. The hotel, which was booked to capacity, could suddenly no longer make keys for incoming guests. The hackers then demanded a Bitcoin ransom in exchange for getting the system back up and running.

What hotels can do to mitigate risk:

1. Educate employees about the dangers of phishing email attacks. Bring in a specialist to teach employees how to identify and prevent such attacks.
2. Change the default usernames and passwords on all IoT devices. Far too many fail to do this to strengthen front-line defense, thus enabling botnet attacks.
3. Ensure that any outside technicians or maintenance teams working on property are accompanied and do not have unauthorized access to networked computers.
4. Create discrete, firewalled networks that separate IoT devices from hotel business, guest and visitor wi-fi.

2. Protecting hotel guest room privacy against IoT vulnerabilities

The sheer number of IoT devices in hotel rooms, which will only increase in the future, provides hackers with significant opportunities to invade guests’ privacy and access their personal devices.

This can be done in many ways, for example:

• Watching and filming via cameras on TVs
• Listening through VUI devices
• Hacking guest phones through USB chargers

A real-world example: In 2015, during talks on the Iran nuclear deal at a five-star hotel in Geneva, hackers successfully eavesdropped on confidential discussions by accessing smart TVs in meeting rooms (among other methods). The presence of VUIs in guest or conference rooms only increases this vulnerability.

What guests and hotels can do to mitigate risk:

1. Turning off smart TVs or VUIs is not enough to ensure privacy. If discussions or other activities in the room are confidential, it is best practice to unplug all TVs and VUIs.
2. Do not use the room’s USB ports and standard cables to charge your phone or tablet. Instead, plug your own charger directly into an electrical outlet, or be sure to use accessories such as those available from Porta Pow that allow charging but block the transfer of data to and from your personal devices. Data-blocking USBs are available, as well as data-blocking USB charging cables for both Apple and Android devices.
3. Hotels should place all guest room IoT devices on a network separate from the hotel server.
4. Smart TVs and VUIs should be monitored by Intrusion Detection Systems in order to detect attacks on these devices in real time.
5. Ensure that your cybersecurity provider has expertise not just in network security, but also IoT protection.

3. Protecting hotel information systems against IoT vulnerabilities

Hotel information systems contain everything from guest contact information and credit card numbers to hotel financial records, employee files, and security protocols. They are also connected to key card and FLS systems. They do not necessarily have to be connected to all IoT devices.

The proliferation of IoT devices on a hotel’s network exponentially increases vulnerability to attack. The ramifications of your information systems being compromised are considerable both financially and in public relations.

What hotels can do to mitigate risk:

1. Isolate all IoT devices that do not have to be connected to the hotel information system on a separate network.
2. Systems that need to be connected to the hotel’s internal business network should be carefully set up by expert consultants to ensure that only minimum access is granted to these devices.
3. Any IoT devices that do not require internet access should be isolated from the worldwide internet.

We don’t want to stop progress, but we do want to improve security

Hotels’ adaptation of the IoT is happening fast, and smart rooms will increasingly enhance the guest experience and increase operators’ efficiency and profitability. The security industry is not here to stop that.  Rather, it’s our job to enable business and help provide hospitality-friendly, creative, and realistic security solutions for our clients.

As with all security, the importance of educating employees cannot be stressed highly enough. Regular training on cyber and internet security, now enhanced to include IoT security, must be provided to all employees on an ongoing basis – preferably bi-annually. This training, coupled with the use of qualified, experienced consultants who are not only network security specialists but also IoT security experts, will provide an excellent starting point for protecting hotels and guests.