Slashdot Mirror


Ransomware Infects a Hotel's Key System (dailymail.co.uk)

An anonymous reader writes: A luxury hotel paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.

10 of 203 comments

  1. Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 5, Insightful

    Who thought it was a good idea for essential systems like this to be online in the first place?!

    This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.

    Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Yay, connectivity and IoT by Anonymous Coward · · Score: 4, Insightful

      That's not the failure here. The failure here is that there's no way of manually unlocking the door from the inside. That has to be some sort of firecode violation.

      The fact that the computer that ran that was also connected to the internet just compounds the problem. People should always be able to get out, no matter what's going on with the computer system.

    2. Re: Yay, connectivity and IoT by geoskd · · Score: 3, Insightful

      This has nothing to do with IoT.

      This has everything to do with IoT. It's the same principles being used to design hardware and software that gets connected to the Internet. The root of the problem here is that the IoT is entirely unregulated. Anyone who wants to know what unregulated industry looks like: This is it. The free market simply will not correct this situation, because it has no mechanism to do so. Until the IoT is regulated, shit like this is just going to keep happening and escalating until something truly lethal happens, and then, *then* people will go "Oh my god, this needs some kind of regulation!".

      --
      I wish I had a good sig, but all the good ones are copyrighted
    3. Re: Yay, connectivity and IoT by ShanghaiBill · · Score: 4, Insightful

      "The free market simply will not correct this situation, because it has no mechanism to do so."

      Yes it does: Civil law torts.

      "Until the IoT is regulated, shit like this is just going to keep happening"

      Regulation means that the spec is written by government bureaucrats, or (even worse) a congressional committee. That will lead to ossification and a focus on compliance checklists rather than real security.

      This hotel had their card system hacked THREE TIMES, yet still had it connected to the Internet. You can't regulate away that level of stupidity.

    4. Re: Yay, connectivity and IoT by Kjella · · Score: 5, Insightful

      I know nothing about Austrian law, but in America this lock system would have been ILLEGAL, and I am astonished that something like this was ever designed and installed. It is a blatant violation of every fire code I have ever seen. Locking people out is fine, but you NEVER NEVER NEVER lock people IN, nor do you ever design something where human safety depends on software or electricity. Egress should always be possible using only mechanical means.

      EU law is rarely softer than US law when it comes to consumer safety, so I doubt they were actually trapped. The problem is probably that this was tied into breaking the glass and setting off the fire alarm with sirens and unlocking all the rooms. While you could silence the sirens, everything would be open to theft and also you wouldn't have a working alarm in case of an actual fire so they probably asked their guests to stay while they tried to resolve it some other way. There's no requirement that the emergency exit should be functional as a backup system.

      --
      Live today, because you never know what tomorrow brings
    5. Re: Yay, connectivity and IoT by Anonymous Coward · · Score: 3, Insightful

      Indeed, fire code, building code, you name it. I am yet to come across a hotel here in Europe where you would have to use your key card to go out of the room.
      This story is clearly overstating what happened. Yes, it sucks if you're a hotel owner and your card system gets hacked, but if your guests could potentially get trapped in case of some malfunction, you're in deep trouble.

  2. Ransomware locks hotel guests out of their Rooms by khz6955 · · Score: 3, Insightful

    What was the name of the ransomware, what was the name of the company that designed the locks, what OS did the reservation system run on, what OS did the cash desk system run on?

    "Unless this is all just a big publicity stunt to advertise their new door locks."

    Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.

  3. Fire by Patent Lover · · Score: 5, Insightful

    I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.

  4. Daily Mail? Seriously? by szy · · Score: 4, Insightful

    Daily Mail? Seriously? Out of all the media that covered this story extensively over the past couple of days, you picked to link to the Daily Mail as the source? Also including the clickbait phrase of "paid thousands" to refer to 2 bitcoins? The only hope is that the Slashdot community does what it's best at: does not read the article.

  5. Re:Common Sense At Work by torqer · · Score: 3, Insightful

    I think you're trying to condemn their decision, but personally, that sounds great to me. Horses, fireplaces, and physical security... not much to complain about... Given that your alternatives are cheap automobiles, dependence on fossil fuels for heating, and a security system that can track your every moment, and still get hacked and end up locked in (or out) of your room.

    I'll take a wired home phone instead of a cell phone and eat food that was harvested locally as well.