Hackers Lock Down Hotel Rooms In A New Twist On Ransom Attacks

This article is more than 7 years old.

When was the last time you used an actual key to unlock the door to your hotel room? It's been a long time. Computerized key card systems took over ages ago. They're mostly a tremendous convenience, both for guests and hoteliers -- that is, until someone hacks into the system that controls the locks.

This just happened to a 111-year-old hotel in Austria. Management at the Romantik Seehotel Jaegerwirt told reporters that this was the third time they had been targeted by hackers. Once they had breached the key card system, guests were unable to enter their rooms and the front desk couldn't reprogram cards.

The hackers demanded that the hotel fork over €1500 (a little over $1,600, and payable in Bitcoin, naturally). Pay up, and control of the key card system and room locks would be returned. Everything would go back to normal.

With a full house of 180 guests, management felt as though they didn't have time to find an alternative solution. They paid the ransom, knowing that doing so put them in a precarious position. Once attackers know a victim will pay, why wouldn't they circle back? That's exactly what the criminals who breached the Seehotel Jaegerwirt had in mind. Investigators discovered that they had left a backdoor into the hotel's systems, and they tried to exploit it almost immediately.

Fortunately, the hotel had already brought in experts to help bolster their defenses. Compromised systems were replaced with new, fully-patched ones. Critical systems were isolated from other parts of the hotel network.

They also decided to battle these new, high-tech threats with a very old school system: they're putting keyed locks back on every guest room door the next time they renovate. "Just like 111 years ago at the time of our great-grandfathers," said managing director Christoph Brandstaetter.

Update: Brandstaetter has offered a clarification on the incident to Bleeping Computer. "We simply could not issue new keycards because the computers were encrypted," he said. He added, "we were hacked, but nobody was locked in or out," contrary to the original Local.at report and a correction offered to the site later.

Preventing Attacks On Critical Systems

The Seehotel Jaegerwirt said they "decoupled" systems to prevent future attacks. That's a strategy many organizations are adopting to secure their systems.

Tim Eades is the CEO of vArmour, a Bay-Area security firm that specializes in something called micro-segmentation. In micro-segmentation, every system on the network is treated as a potential threat. None is given complete trust. Instead, systems are only granted access to the specific resources they need in order to perform their functions. That makes it easier to lock things down when a breach is detected, which minimizes damage and helps keep service interruptions to a minimum.

It wasn't long ago, Eades noted, that a hotel's biggest worry was vandalism. Then, a few years ago, cybercriminals started coming after their customers' payment card data. Now, they're looking to capitalize by compromising safety.

As hotel systems become more connected -- in the name of catering to more tech-savvy guests -- the risk of similar incidents taking place will only increase.