The Internet of Things trend sees appliances, home entertainment devices, vehicles, and many more things being connected to the Internet. A related trend replaces even more mundane things with Internet connectivity. Keys are a recent addition to the trend.
A few days before a recent trip in which I would stay in a Hilton hotel, I received an email inviting me to “check in” by signing into their web site and selecting a room. As I would be staying at the BWI Airport Hilton, the second Hilton property to adopt the technology and one of only about 16 so far, I could use the new Digital Key system and thereby get 2,500 bonus points. Sure, let’s try it out.
You have to install the Hilton HHonors app and tell it your HHonors number and password. Then, once your room is ready, data will be available the next time you start the app.
I arrived early and asked if I would be able to check in early. And, which side of the hotel was my room on? I had accepted the pre-assigned room earlier but wanted a room looking toward the airport so I could watch the planes. The desk clerk said both were possible, she would just have to “put the change into the system,” speaking as though there was a massive mainframe in the back room with blinking lights and spinning tape drives. Really, the change went from the PC at the desk out to Hilton’s servers “in the cloud”, and from there it was pushed to the running app on my phone. About 20 seconds later, there it was.
I had assumed it would use NFC (or Near-Field Communication), easier to integrate with the proximity sensors already in use at some hotels. On those you hold the key card near the disk on the door exterior, there is no slot in which to dip it.
But the phone-based system uses Bluetooth to communicate with what look like conventional hotel door locks with slots for magnetic key cards. The bottom of the lock mechanism has the usual coaxial DC power connector and 1/8″ jack for over-riding with a handheld device.
The desk clerk gave me a key card “just in case” as things had been a little flaky, and warned me that once I used the magnetic card the Bluetooth method would no longer be accepted. My HHonors point status gave me access to the Concierge Lounge on the top floor, and the virtual key would also work there.
The app says to get within five feet, but it would usually detect the door and work within ten to fifteen feet. The app has detected a door that it knows how to unlock, and shows you which it is — “My Room” or “Concierge Lounge”. You press the circle: blinking, wait, blinking, wait, after about 5 seconds the door unlocks. The green LED on the door lights, and the app shows “Unlocked!”
I use a several-generation-old Samsung Galaxy S2, and it’s the uncommon T-Mobile-only “Hercules” variant of that. On top of the hardware obscurity, I’m running CyanogenMod instead of the stock Android OS. But it worked fine.
The biggest glitch was unrelated: the Concierge Lounge door lock was installed upside down so you had to lift the handle rather than press down as usual!
I don’t really have high expectations for hotel door lock security to start with, so I don’t see this as making things any worse. The standard Onity hotel locks were spectacularly hacked a few years ago.
Bluetooth makes this hackable at a greater distance than NFC. I’ve seen nothing about how this actually works, but I doubt that there’s a terribly complex protocol between the phone and the door. Could simple Bluetooth sniffing and replay defeat this? I hope not, but I don’t know. I’ll keep an eye on this.
The default is that your room appears in the app simply as “My Room”. You can have it display your room number as a reminder, but you are warned against this and have to change the default. Good! That’s like how current key cards don’t have room numbers.
I got “My Room” and “Concierge Lounge” when near those two places, but the phone also successfully discovered “Main” in the lobby near the elevators. I could apparently unlock whatever this was, getting the successful “Unlocked!” indication on the phone, but no secret doorway swung open. I tried it a number of times in the area, but couldn’t see anything happening and I couldn’t figure out where the signal was coming from.
We talk about multi-factor authentication in Learning Tree’s System and Network Security Introduction course, but this isn’t really that.
Just like the old-school metal keys, it’s simply something you have. PIN unlock of the phone screen would add a second factor of something you know.
That is, as far as security goes. But to use it, it’s something you have, and have charged, and on which you have booted the OS, and started the app, and the app has found the stored keys, and the app has checked for updates from the network.
And talk about applying ridiculous amounts of computing power to solve a simple problem… Even my old phone has about 1.6 times the compute power and 16 times the memory of a Cray X-MP, the world’s fastest supercomputer from 1983-1985. Back to the Future came out in 1985, it didn’t occur to the writers to have the characters use a Cray X-MP to operate a bedroom door!
|Cray X-MP||713||64 MB||1982||1983–1985|
|Cray Y-MP||2144||512 MB||1988||1988–1989|
|Samsung Galaxy S II