Pay Up or Locked Out: Ransomware Targeting Hospitality Industry


It turns out that the story about guests being locked out of, and locked into, their rooms at a four-star hotel in Austria isn't exactly accurate. According to The Verge's story, Don't believe the story about hackers locking guests in their rooms at a luxury hotel, what actually happened is still very interesting, and of concern to any traveler, but it was not what was widely reported.

According to The Verge's interview with hotel management, the hotel did endure an attack, but guests were not locked in their rooms until a ransom was paid, as had been reported:

It’s a juicy story, but not entirely correct. Speaking to The Verge, Christoph Brandstätter, the hotel’s managing director, confirmed that not only were guests not locked in their rooms, the rooms were not remotely locked at all. “We were a little bit surprised about that press really because nobody was locked in their room,” said Brandstätter. “We had a cyber attack but the only problem was that we could not program keycards for the guests checking in on the same day.” He added: “The keycards and the computers were affected, but the doors were not.”

What did happen, according to Brandstätter's comments to The Verge, is that hackers did breach and encrypt the hotel's systems and demand a ransom; much of the rest of the reporting was incorrect. The hotel was temporarily unable to program new electronic keycards for guests checking in that day. Brandstätter confirms that hackers did indeed compromise the hotel's computers, encrypting their data to stop access. The company that handles the hotel's IT systems then had to pay a ransom in Bitcoin to get them back. And it is the fourth time the hotel has been targeted like this. The only reason the news came out this time round is because Brandstätter decided to issue a press release to raise awareness in the industry.

“We’ve seen that many, many Austrian hotels have been hacked. And then we decided to make a press release for other hotels to be aware,” Brandstätter told The Verge. “The police told us: ‘You’re in good company.’”

Good company indeed. According to insurer Beazley's Beazley Breach Insights report Ransomware attacks set to quadruple in 2016 [.pdf], which projected trends from the first nine months of 2016, the insurer saw more than 150 ransomware attacks in that period and expected another 50 in the fourth quarter, compared with just under 50 such attacks in all of 2015. The trend was particularly pronounced in the financial services, retail, and hospitality sectors.

The Austrian hotel has had enough of these successful attacks and decided to revert to old-fashioned door locks with physical keys.

Hotel electronic keycard locks have been a focus of security researchers, and of thieves, for some time. In 2012 a researcher demonstrated at the Black Hat security conference that such locks could be opened in seconds. This is from ComputerWorld's story Black Hat: Hotel keycard lock picking in less time than it takes to blink:

Tuesday night at the Black Hat security conference, Cody Brocious, a Mozilla software developer, presented My Arduino can beat up your hotel room lock. “I plug it in, power it up, and the lock opens,” Brocious said. Onity locks have a DC power port under the keycard lock, so Brocious plugged his Arduino microcontroller into that port and was able to read the 32-bit key stored in the lock’s memory location. There’s no easy fix either, short of Onity physically changing every single lock as the lock is insecure by design.

Just months later a series of hotel-room thefts mirrored this until-then theoretical attack, as covered in the Forbes story Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins. The break-ins remained a mystery for a number of days, until a forensic investigation solved the matter:

Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.

While the attack from 2012 doesn't exactly mirror the ransomware attacks of last week, it is certainly too close for comfort. And it confirms to me that, while you are in your room, it is always a good idea to flip the physical lock.