
back to article Bonk to enter: Starwood Hotels testing keyless check-in via mobe

Today you can place calls with your smartphone, you can take photos with it, and you can make payments with it. And if a new pilot program being launched by Starwood Hotels & Resorts pans out, one day you may even be able to use it to open your hotel room door. Two locations of Starwood's boutique Aloft hotel chain will soon …

COMMENTS

This topic is closed for new posts.

How secure is it?

If it can be opened legally by a person with the authority to open the door, then it can be opened illegally by anyone able to hack the WiFi signal to the door lock, forge an authorization token for the room, and be inside looting all your stuff without ever triggering security.

At least with a physical room key they either have to steal the key, duplicate the key, or get their hands on a master key to gain entry.

With a Key Card entry system, they've got to obtain a card, a reader to program the card, & hope it works when they approach the door (else they'll slam headlong into the door when it refuses to open due to a wrong code, which also notifies Security).

Sure it's convenient, but how are they going to secure it against some schmuck using Wireshark to sniff the transmitted packets, breaking the "encryption" of "password12345", and using that data to gain entry to every room in the place?

3
1
Silver badge

Re: How secure is it?

You mean hack the Bluetooth, since it uses that rather than WiFi? Presumably it uses some sort of challenge/response system, which would make it much more secure than the current mag stripe card based "key" most hotels use that have a simple code written on the mag stripe. Hopefully those use more than a simple 4-digit PIN but I wouldn't be terribly surprised if that's all it was, since it would still make a "try every combination" attack impractical.

Blank cards are essentially free and the equipment required to read/write the stripe is under $100, so I don't know why you pretend there's currently a high bar to gaining access to someone else's hotel room.

0
0
Silver badge

Re: How secure is it?

But to copy a swipe key, you need to get the thing in your hands.

The mag swipe thing is surely a huge step up from the previous mechanical technology which could be copied with a $2 file. With mechanical keys a lost key is a huge issue because changing the lock takes a long time and $$$. Swipe keys can be changed in minutes for cents.

Assuming the challenge/response isn't Lock:"1234", phone:"5678", RF keys should be a step up in security from that.

0
0
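
Added example, not part of any comment above and not the Starwood system (the thread does not describe its protocol): a minimal HMAC challenge/response between a hypothetical lock and phone, showing why a fresh random challenge defeats replay of a captured response while a fixed challenge such as "1234" does not. The `Lock` class, the per-stay shared key and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def phone_response(key: bytes, challenge: bytes) -> bytes:
    """Phone side: prove knowledge of the stay key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Lock:
    """Hypothetical door lock sharing a per-stay key with the guest's phone."""

    def __init__(self, key: bytes, fixed_challenge=None):
        self._key = key
        self._fixed = fixed_challenge  # set only to model the weak design
        self._pending = None

    def challenge(self) -> bytes:
        # Strong design: 16 unpredictable bytes for every unlock attempt.
        self._pending = self._fixed or secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, nothing to answer
        nonce, self._pending = self._pending, None  # each challenge is single-use
        expected = phone_response(self._key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def replay_outcomes() -> dict:
    """Run one legitimate unlock, then present the same response again."""
    key = secrets.token_bytes(32)  # constructed sample key
    out = {}
    for name, lock in (("fresh", Lock(key)), ("static", Lock(key, b"1234"))):
        captured = phone_response(key, lock.challenge())  # what a sniffer would see
        out[name + "_legit"] = lock.verify(captured)
        lock.challenge()  # a later unlock attempt gets its own challenge
        out[name + "_replay"] = lock.verify(captured)
    return out


if __name__ == "__main__":
    print(replay_outcomes())
```

The shared key never crosses the radio link, so the strength of the scheme rests on the key's secrecy and the unpredictability of each challenge.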
Bronze badge

Re: How secure is it?

Actually, with mechanical keys, hotels never switched out locks, and it was simply not possible to track "lost" keys. My first job out of high school was as a bellman for a 250 rm. Holiday Inn. One of my misc. duties during slow periods was to go cut new keys for rooms that our inventory was low on. The ultimate goal was to have six keys for every room at the front desk, and another ten down in the key room. Each month hundreds of keys would never be returned by customers and the only time a lock was replaced was if it physically stopped working.

Getting a swipe key (mag. stripe) is not too difficult, people leave them lying around hotels all the time, especially pool areas and vending machines. If you have the capability to read and write them, most need nothing more than to update the time stamp in the data to access the original room the key was made for. The keys mostly function using nothing more than a room number and time stamp. The door lock holds the most recent time stamp used in memory and no key with an older stamp is allowed entry.

0
0
Silver badge

Re: How secure is it?

And you haven't even mentioned the total lack of control in the process for writing new magnetic keys, issuing to customers, or dealing with room changes (and even avoiding double bookings). I've been issued with key cards for a room that the hotel have already given to somebody, where they've gone to the room, used their keys, are in residence, and are then very surprised when we walked in, using our key. In trying to sort this out, the hotel managed to invalidate their keys, book us into a new room which the keys they gave us didn't work, but the people we'd walked in on, their keys now worked for our room. A shambles (hello, Marriott), which proved that magnetic keys provide very little security even before criminals get involved.

0
0

oh dear

Expect a Black Hat presentation on this in 12 - 18 months.

0
0
Bronze badge

Skeptical, but interested.

Definite potential for people traveling alone, but it will be interesting to see how it's adapted to handle groups and families. One potential issue I see is with fraud. Way too easy to change identification information on the device, and check in using stolen/unauthorized credit cards.

I work in the hotel industry, so I am very interested to see how this works out.

0
0

Bonk to enter and...

...enter to bonk.

1
0

As a frequent traveler...

I see limited appeal in bypassing the front desk. If I go to the desk, I can ask if there is a room upgrade available that wasn't already given to me, talk to a person about hotel amenities if I haven't been there before, etc. I'm sure there will be times when I will enjoy being able to just get to my room and not interact with someone (one-night layovers in hotels near airports come to mind), but generally I prefer interacting with the front desk, even if that results in me waiting in line to check in.

On the other hand, I like the idea of not having to carry an extra card in my wallet three days out of the week. Being able to open the door using my SPG app on my phone will be nice, provided I can sync it to allow access to others when I'm traveling with friends or family.

0
0