Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com)

Posted by msmash on from the who-would-have-thought dept.

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.

9 of 53 comments (clear)

  1. Perhaps he should try ... by ei4anb · · Score: 2

    not connecting his email reading Internet browsing PC to his hotel door lock system?

  2. Re:get doors offline idiots! by JaredOfEuropa · · Score: 2

    It's not about the smartness... electronic locks probably don't make much sense in your home, but in a hotel they are a godsent compared to old fashioned locks. But you might want to run the key management software (along with climate control, bookkeeping software and so on) on a separate workstation that is isolated from the Internet.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. Because you paid the ransom by twebb72 · · Score: 2

    He paid a ransom of two bitcoins, saying "at that time it was about $1,882."

    There's your mistake. Once your hack results in profit, it's easier to keep a 'customer' than find new ones

  4. Re:Magnets! by Rockoon · · Score: 2

    I would think that these electronic locks have to "fail unlocked" if the power is cut.

    --
    "His name was James Damore."
  5. Re:Magnets! by DontBeAMoran · · Score: 3, Funny

    That's a good idea but... how do they fucking work?

    --
    #DeleteFacebook
  6. Re:Javascript to the rescue again! by FeelGood314 · · Score: 3

    I am endlessly frustrated by security companies and banks who's webs don't work without javascript enabled. I want to browse the web with javascript disabled but the companies that should be offering the most security are working against me. Why the hell are dark net sites run by just a few individuals more secure than my multi billion dollar bank?

  7. Re:Magnets! by TechyImmigrant · · Score: 2

    Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.

    Hotels should keep a supply of rare earth magnets, as backup keys.

    I once demonstrated this to a hotel staff member who couldn't get into the room next door. The irony was that I was staying at the hotel because there was a lock manufacturer's conference downstairs and half the people in the hotel were capable of bypassing the locks. I suspect the hotel member couldn't get in the door because the occupant had disabled the electronic lock. Spend a few hours with an electronic lock in a fixture on your desk and a screwdriver and you will learn how secure they are.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  8. Just in case I'm the only one keeping track . . . by sgt_doom · · Score: 2

    . . . . to date, since 2012, the US gov't and private sector has been hacked over 3,270,000,000 (> 3 billion 270 million) times - - - and note, I typed OVER! So the exact number is still unknown.

  9. Are we done now berating him? by Opportunist · · Score: 4, Interesting

    I happen to know this case. And I happen to know security in hotels in general, and even in some in Austria in particular. Here's the problem, you're cordially invited to provide a solution.

    You're dealing with people that are total computer illiterates. And I mean total. They maybe learned a thing or two about using them, they might even have managed to navigate an ECDL course which is basically a glorified way of saying "I can turn on a computer without it instantly exploding", but their expertise and actual training is in something completely different. Many of them actually do not like computers AT ALL. They much prefer dealing with people, else they would not have chosen that occupation.

    These people are now chronically understaffed, overworked and stressed. They're supposed to greet people, hand them their keys, do bills, handle the phone and of course email. And no, simply hiring more people isn't possible, there are no more people you could hire. We're talking about a highly seasonal business where there are either too many or too few people available, hence no more want to go into the profession while at the same time during season you can't get anyone. Not even for obscene amounts of money.

    On top of all this, you're dealing with ... how do I put this nicely... a rather mafia-like system in place that keeps the number of companies that could actually offer solutions low. Most hotel software is crap. And most hotels would gladly choose something else, if they could. But for some odd reason those systems that are offered can be offered surprisingly cheap (it MIGHT have to do with some semi-public agencies (an Austrian concept, don't ask) that curiously prefer to fund and subsidize those products), while you would certainly not qualify for such subsidies. The cynic in me would add "at least 'til you find the right politician to pay the kickback to", but no, there is no corruption in Europe. None at all. Maybe in Italy, Spain and Greece, but certainly not in the "good" states in central Europe.

    So, now you have the basics in, let the rest sink in too. Like a fluctuation that's CRAZY. Average tenure of your workers is measured in weeks. Months if you're lucky. Training them is money you throw into the chimney, for the benefit of whoever they work for next. So if you think that you could raise awareness and give your workers an idea what to look for, ponder whether you'll still have that receptionist after the season is over. There is zero security awareness among your workers.

    Then the fact that you pretty much HAVE TO open every email you get, and that crappy spelling is something that doesn't faze you anymore because you're dealing with people from all over the planet, many of them wanting to boast just how well they speak your language when they actually don't. Some of them required to actually send you attachments for legal reasons, with the oddest formats you will ever encounter. In other words, the chance that some viewer for an esoteric format is installed and WAY out of date because nobody had a minute of time to update it in the past 3 months is likely.

    The situation is not easy and I was actually involved in a similar case where pretty much every solution we came up with ended up being shot down for one of these reasons (and some more, but I don't want to bore you more than necessary). Hotels are rather complicated beasts to secure. Twice so in Austria with its very ... special circumstances, legal oddities and seasonal requirements.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.