Slashdot Mirror
Smartphone App To Be Used As Hotel Room Keys
An anonymous reader writes Starwood Hotels and Resorts has became the first chain to let guests unlock doors with their phones at 10 Aloft, Element and W hotels. They hope to expand the program to 140 more properties in those brands by the middle of next year. From the article: "The technology's developer says that it uses its own encrypted secure channel to ensure thieves cannot abuse the innovation. But one expert had reservations. "Nothing is 100% secure, and once this technology is in widespread use it will make a very tasty target for hackers," said Prof Alan Woodward from the University of Surrey's department of computing.
With an active CPU behind it, certainly this system can be more secure than the current card system. Also means much less chance of leaving the card in the room and less money spent replacing lost cards.
Somehow i expect in couple weeks we read news how someone has cracked this system and provedn their encrypted channel to be useless..
I was at a Starwood hotel two weeks ago and I was not offered such an opportunity.
I feel robbed.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It's using it's own, encrypted, secure channel that happens to be accessible from my phone.
So it's handled by NFC, Bluetooth, Wifi, the cell radio, the speakers, or the display, in that order of likelihood.
The communication channel is the least of their worries, however. With only a little bit of effort, these can all be implemented more securely than magstrip cards.
The problem is that it'll all be accessible by an internet-connected PC at the front desk, allowing a remote (or local) attacker to create a master key on their phone, no magstripe hardware needed.
Then Starwood can access all our social media, track our exact location, and get access to our entire list of contacts.
That's what I want!
An app can hardly be less secure than the current system. Knowing the target's name and room number is all it takes to "hack" most hotel locks - just ask the front desk clerk to make you a new key!
0 1 - just my two bits
"I'll put my phone on charge. Oh dear the charger is in my hotel room".
You just know how this will end.
Another nice side-effect of this is instead of having to throw my room key onto the stage, I can just throw a paper airplane with the key printed under a sexy photo.
It's secure, trust us ... and you'll also have to trust we won't abuse the access to your phone for our own purposes.
Yeah, sorry, no ... no interest in installing an app for something like this. Give me an old school key card.
Other than saying "ZOMG, teh smart phone opens teh hotel door" ... I really don't see the point. And I really don't see why we'd trust them.
Lost at C:>. Found at C.
It doesn't matter. The current card security system is as about as insecure as it could possibly get and still have a door in the frame.
After an incident at a hotel a few years ago where our door lock failed and ruined our stay... and a subsequent discussion with their maintenance man about how the card systems work I had a suspicion and tried my card on the room across the hall. Low and behold my card would work on any room in the building. Since then I've made a habit of testing my card on random, seemingly vacant rooms at other hotels. To my surprise I've had it actually work several times.
Now I deadbolt it when I'm in the room, and don't leaving anything valuable in there at all. I even keep my suitcase in the trunk when I leave if I have my car there. The hotel I had my honeymoon in didn't have a deadbolt or chain. Sure enough, the morning after our wedding cleanign tried to come in. Lucky for me I'm super paranoid so she just ended up slamming the door into the mini-fridge I'd slid in front of the door the previous night. Before I even had my pants on she was down there with their security manager trying to force the door open. I yelled "Go talk to the front desk before you break into my room morons" before forcing the door shut with my foot and holding it. They weren't happy. I now carry a wedge shaped piece of oak with me to any hotel.
So as you can see, I would consider such a system to be secure - at least, secure enough for my purposes.
will end well.
This is the potential future of convenience. With NFC and actual secure chips, you should be able to use your phone for ID verification, boarding passes, purchases, hotel rentals, rental car "keys", and everything else you need.
Properly implemented, it would have as much or more security than just about every other common form used for any of the areas above. Of course, we all know they're going to fumble the security part, so hopefully it won't be any worse that what we already have.
Is it just my observation, or are there way too many stupid people in the world?
I was at a hotel chain about 10 years ago that was using magstripe cards for room entry. Checked in, walked up to my room, swiped my card, and got no green light. Tried it again, no light. Just out of curiosity, I tried the handle and the door opened. Called down to the front desk to let them know my card wasn't working right, and they sent a maintenance guy up to fix it. The fix, a torx screwdriver and 4 AA batteries. When the batteries went dead, the door defaulted to open. With insecurity by default, what's to stop someone from walking up to a door with a small power screwdriver, pulling a battery, and walking into your room in about the same time as it takes you to swipe a card and get in?
With my first mobile phone, I could beat down the door on a bank vault. Hotel doors wouldn't stand a chance.
Modest doubt is called the beacon of the wise. - William Shakespeare
Yes, it isn't as secure, but this is a hotel where all the maids and the front desk have keys anyway.
The real trick to security is not to maximize it, but instead to give the appropriate level of security for the situation.
excitingthingstodo.blogspot.com
Can someone in the room next to mine wirelessly hack my door?
Any good locksmith will tell you that the best a lock can do is increase the amount of time it takes someone to break in -- it can't prevent the break in. But a person attempting to pick a lock in a hallway is a lot more conspicuous than a transmitter hidden next door.
I have to wonder what other data from your smartphone that hotel key app is collecting and sending on to "the cloud"...
I don't have a smartphone, by choice.
Seriously, though. Doing everything with that easily lost/stolen/dead battery phone just sounds like a bad idea to me. Monoculture, anyone?
Hotel door app requires access to contacts, shared files, camera, microphone, GPS, SMS, internet, dropbox, google drive, online banking, ....
The current system is sufficient to purpose, but few people know how it works. Here is how: The lock stores a list of 10,000 keycodes in random order. The front desk has the same list. At installation (or reset) the lock will open for any of the first couple of codes on the list. Once a code is used, any code earlier on the list is no longer valid but the next few become valid. This way the front desk can issue a new code that will be accepted, without communicating with the lock itself. My own view is that if the new system allows one-hend entry, that is a big win.
Phone's dead. And the charger's in the room.
Coder's Stone: The programming language quick ref for iPad
How will this be implemented? Even in this day and age, I suspect there can be customers who do not have smartphones with bluetooth. (For instance, some people feel more comfortable carrying "dumb" phones that are less hackable and less prone to data breeches if stolen, because they don't have usable data on them.)
Having a card key as a backup to bluetooth would be ok for a pilot program, but over the long term it seems like such a dual system would not be significantly more secure than a card key only system.
So, how to accomodate non-smartphone users? Different floors with bluetooth vs card key? Just don't go to that hotel?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Leave your card, take your phone. If, by some chance, you manage to have a completely dead phone when you get back to the hotel, you just get a physical card from the front desk, or they plug in your phone for 2 minutes and you go up and get in normally.
Is it just my observation, or are there way too many stupid people in the world?
Is eventually force everyone to carry a smart phone, to do the simplest things.
"If any question why we died, Tell them because our fathers lied."
No, nothing is 100% secure ... did someone say it was? I could just take a fire axe to the door.
The security for THEM can be more or less secure than current. I don't want their apps shuffling through my shit on my phone. The only way I would use something like this is if I was using Cyanogenmod and over-rode their apps security settings and kept it locked out of everything. I'm not even sure that is trustworthy enough for most crap though. There really needs to be a virtual phone within a phone that can keep each app sandboxed to what it thinks is an entire real phone.
Digital is, by definition, imperfect. Analog is the way to go.
What we need is an independent programmable NFC circuitry on the phone, which could run of off the electricity induced by radio-waves in the reader (door lock). This way the NFC still works even when the phone’s battery is dead.
No check-in access is what this is about. I recently checked into a Go Native hotel in London. This is a hybrid property that stands between a hotel and a service apartment. The rates were great. But this meant there was no-one on a night desk. Gaining access at my check in time (Midnight) was a PITA. I had to call the 24 hour number (a living human) to get an entry code for the front door (giving my reservation number as a parole). Then, at the same time, another one-off pin for a little lobby safe was given to me as well. In the little safe I found my key card and room number. I remember thinking at the time that a smartphone app for this type of budget or off hours property would be the ticket and wondered if Go Native had one I had missed (but I did not go so far as to consider the phone as the key itself). It all worked kludgy as it was. The accommodation was fine by the way. A bit like a really nice dorm.
As for real security in a hotel? Fugedaboudid. Especially If you are not in the room. If you are in the room, then use the deadbolt and the privacy lock. Really valuable stuff (if you happen to have it) should go in the hotel safe with a receipt. Or in the room safe. But, really, smart phones are are going to be at least as safe as those programmable cards, keys, Ving cards. A hotel room is shared quarters. Just use a black light if you don't believe me. On second thought you really don't want to use a black light.. Hertz Gold rent a car lets you grab the wheels and go without a counter check in (the bonafides are done up front when you join the program). So this is kinda cool. Get your room number by text and download your BT access code into your app and you are set -- and nobody needs to see you... or your date.
"No fear. No envy. No meanness." Liam Clancy
Hotel rooms generally have, in addition to card mechanisms, basic tumbler locks. So I doubt any would-be intruder worth his salt would choose to try and crack a crypto app instead of just picking the lock.
Doesn't that make you feel just dandy?
And I'm sure it will work well.
Right up until your battery dies as you're walking back to your room late at night.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
In a just universe, whenever some knob uttered a platitude like that, they'd be struck by lightning or a meteor or turned into a pillar of salt.
yes, I definitely would prefer a potentially secure wireless protocol over an obviously insecure physical key. this is a no-brainer! even better: make it a public, *STANDARD* secure wireless protocol, preferably exactly the same one I use to authorize NFC payments from my phone.
Just use the phone's wi-fi MAC address as a unique identifier, no software needed. The only benefit of software being A) by-pass check-in and going straight to the allotted room, plus B) a challenge-response system for extra security. The downside being A) software can snoop on one's contact list and memory card, plus B) simplified procedures reduces security.