Ransomware Infects a Hotel's Key System (dailymail.co.uk)
An anonymous reader writes:
A luxury hotel paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.
That's crap you usually hear from "3rd-world-countries" like India or Pakistan ("30 burned to death because emergency exits were locked")!
I can only hope the fire marshal or whatever they call them there is going to kick the hotel's ass!
Probably the network the hotel was connected to was already reasonably firewalled or maybe even inside some virtual chain intranet. But such networks are still very easy to hack because of shitty update policies, Microsoft Windows, and attachment.zip.exe.
It doesn't need to be "thing that talks with cloud and you talk with cloud to talk with thing" like IoT to be hackable.
The article doesn't specify the exact system or how it was compromised, so unless you have some other source to share, none of us know whether the devices that were compromised in this specific case were directly Internet-connected. Some modern hotel systems are. It could also be that the repeated hacks in this case accessed the room key system indirectly via some other system that was compromised first. The fundamental issues raised are the same either way.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
... easy to hack because of shitty update policies, [...], and attachment.zip.exe.
Agree, and it's because the hotel thinks the bottom line is accounts payable/accounts receivable where revenue exceeds expenses.
Loss-prevention is a cost of doing business.
Hotels can pay for that up front, or pay for it later.
Delay is expensive.
As discussed in TFS, they have to pay the ransom and then go back and pay to harden the system.
It little behooves the best of us to comment on the rest of us.
If, and yes, I mean "if", this were a key card only system then the lock doesn't need to communicate with the key making system at all. It just needs a token that increments with each next guest's card. When the token increments, the key cards from the prior guest stop working. When I worked at a hotel this is how the system worked. The key-making system was completely isolated. The desk person poked the room number on a key pad and the key programming box spit out a key. All it did was open that room's door.
The system in the article is what happens when you want to use your key card for all the other stuff in a hotel, like the restaurant, gift shop, etc, to be charged using the key. All the comments about key card systems not needing to be connected miss this detail. The hotel in question was almost certainly using an integrated billing-via-key card system, not just a key card system. The integrated system needs to communicate outside to approve credit cards, email a copy of your receipt, etc, etc, and thus the security weakness.
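The offline scheme described in the comment above (a per-room token that advances with each new guest, with no link between lock and key-making box), as an added Python example that is not part of the original thread or any vendor's code. The HMAC tag, the shared per-room secret, the look-ahead window and all names are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 4  # assumed look-ahead: tolerates cards that were issued but never used


def _tag(key, room, counter):
    # MAC over room and token so a guest cannot bump the token on their own card
    return hmac.new(key, f"{room}:{counter}".encode(), hashlib.sha256).hexdigest()


class Encoder:
    """Front-desk key-making box: isolated, holds each room's secret and token."""

    def __init__(self, room_keys):
        self.room_keys = room_keys
        self.counters = {room: 0 for room in room_keys}

    def new_guest(self, room):
        """Check-in: advance the room's token and issue a card carrying it."""
        self.counters[room] += 1
        return self.duplicate(room)

    def duplicate(self, room):
        """Extra card for the current guest: same token, so both cards work."""
        counter = self.counters[room]
        return {"room": room, "counter": counter,
                "tag": _tag(self.room_keys[room], room, counter)}


class Lock:
    """Door lock: never talks to the encoder, only reads the presented card."""

    def __init__(self, room, key):
        self.room, self.key, self.counter = room, key, 0

    def present(self, card):
        expected = _tag(self.key, card["room"], card["counter"])
        if card["room"] != self.room or not hmac.compare_digest(expected, card["tag"]):
            return False  # wrong room or altered card
        if self.counter < card["counter"] <= self.counter + WINDOW:
            self.counter = card["counter"]  # new guest seen: older cards stop working
            return True
        return card["counter"] == self.counter  # current guest's card(s)
```

The only state the lock keeps is its secret and the last token it accepted, which is why a standalone key system of this kind has no network path to attack.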
Who thought it was a good idea for essential systems like this to be online in the first place?!
Someone who understands their most profitable customers: business customers. If your business customers can check in online through the app and be assigned a room which they can unlock from their phone without ever interacting with the front desk.
"Thank you Samantha for picking Great Hotel again. Your room number is 352. Click here to unlock the door. If you have any problems or questions please dial ## or stop by the front desk."
Obviously the devil is in the details, but NFC keycards aren't going anywhere (no changing locks and lost keys) and internet-aware locks are the obvious next step of convenience and cost cutting.