The Hilton chain of hotels, a total of 11 brands, is rapidly increasing the degree to which customers can use their smart phones not only as reservation tools but as keys.
They have announced that guests will, by the end of this year, be able to use their smart phones to select their room at more than 4,000 hotels in 80 different countries. Then those same smart phones will begin to function as room keys in 2015. You can simply go straight to your room without stopping at the front desk. They report that “As part of its digital strategy, Hilton has made a commitment to enable all of its hotel rooms worldwide with technology that will allow guests to use their smartphones as keys. […] In 2015, Hilton will introduce technology that enables smartphones to be used as room keys, and all U.S. hotels across four of its brands will have this capability by the end of that year. By the end of 2016, the majority of its rooms system-wide will be equipped with this functionality.”
The thing is, hotels clearly choose convenience over security in the information systems the guests access. Hotels oriented toward business travelers use “captive portal” systems. Any device can connect to the wireless network but the router won’t forward packets until the device has been approved. Your attempt to establish an HTTP connection to anywhere is redirected to an internal server requiring that you first click a button promising that you have read the policy and then enter the password given (or sold) to you by the front desk. At that point your device’s MAC address has been registered for the next 24 hours and the router will forward packets between your system and the Internet.
What security does this provide?
The hotel is protected in two ways. The first is network availability and performance: the portal limits the total bandwidth used by guests and prevents non-guests from using any. Second, the lawyers are satisfied, as the hotel can say that misuse is not its fault: it only allows users who have promised to follow the rules.
But for guests, there is no security at all. There is absolutely no encryption at the wireless LAN level.
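The portal behaviour described above can be modelled in a few lines. This is an added example, not code from the original post or from any hotel system. The portal URL, password, MAC address and class and function names are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

LEASE_SECONDS = 24 * 60 * 60   # registration lifetime given in the text
PORTAL_URL = "http://portal.hotel.example/login"  # hypothetical internal server

@dataclass
class CaptivePortalGateway:
    password: str                                   # issued by the front desk
    registered: dict = field(default_factory=dict)  # MAC -> expiry (seconds)

    def _approved(self, mac, now):
        expiry = self.registered.get(mac.lower())
        return expiry is not None and now < expiry

    def login(self, mac, accepted_policy, password, now):
        """Portal form: policy button plus the front-desk password."""
        if accepted_policy and hmac.compare_digest(password, self.password):
            self.registered[mac.lower()] = now + LEASE_SECONDS
            return True
        return False

    def handle(self, mac, proto, payload, now):
        """Return (action, data) for one packet from a wireless client."""
        if self._approved(mac, now):
            # Forwarded exactly as received: the decision used only the MAC
            # and a timestamp, and the gateway adds no confidentiality.
            return ("FORWARD", payload)
        if proto == "http":
            return ("REDIRECT", PORTAL_URL)   # browser lands on the portal
        return ("DROP", None)                 # everything else is not forwarded

def demo():
    gw = CaptivePortalGateway(password="constructed-desk-code")
    mac = "02:00:00:AA:BB:CC"   # constructed, locally administered address
    req = b"GET /inbox HTTP/1.1\r\nCookie: session=constructed\r\n\r\n"
    out = [gw.handle(mac, "http", req, now=0)]            # before approval
    out.append(gw.handle(mac, "ssh", b"SSH-2.0-client", now=1))
    gw.login(mac, True, "constructed-desk-code", now=10)
    out.append(gw.handle(mac, "http", req, now=20))       # after approval
    out.append(gw.handle(mac, "http", req, now=10 + LEASE_SECONDS))  # expired
    return out

if __name__ == "__main__":
    for action, data in demo():
        print(action, data)
```

The third result carries the cleartext request, cookie included, straight through the gateway, which is why the only protection available to the guest is whatever the application protocol itself provides.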
Hotel networks give you the opposite of what you pay for in terms of network security. When you stay at a hostel, paying maybe $25-30 for a bed in a shared room, the wireless network will almost certainly run WPA2 with a long and complex key. When you stay at a high-end hotel catering to business travelers, there will be zero network security.
This makes economic sense. Most business travelers aren’t savvy about cybersecurity and only want the network to be easy to use. If the network were at all secure, many guests couldn’t figure it out. They would complain “It doesn’t work!” and would stay somewhere else the next time.
In Learning Tree’s System and Network Security Introduction course we talk some about the importance of risk analysis. I can simply choose not to use an insecure hotel wireless network, or to limit my critical use of it to secure protocols (SSH, POP/S, HTTPS). But when they network all room keys…
Use defense in depth! They will still have the metal latch on the inside of the door. Use it!