3 Million Hacked Hotel Keycards – What Could Go Wrong?

The current trajectory of technological advancement points towards a world where everyday objects are increasingly digitized and connected to the cloud, under the guise of immense convenience. From adjusting your fridge temperature with a simple tap to setting your television to your favorite show before you arrive home with your phone, this future is alluring.

However, amidst these conveniences lies a flip side – security concerns. There’s something inherently problematic about this tech-savvy future, especially when it comes to security. Engineers, developers, and designers often fail to prioritize security from the outset, and accountability is lacking. The recent headline-making incident involving the compromise of Saflok’s hotel lock system, potentially exposing three million hotel room locks, for example, clearly highlights this issue.

Vulnerabilities in Hotel Lock Systems

Following last year's audacious MGM hack by the infamous "Star Fraud" gang, which caused a staggering $30 million in potential loss, the hospitality industry again finds itself grappling with security concerns. The recent breach of Saflok's hotel lock system left as many as 3 million hotel locks open to unauthorized access within seconds, affecting the many hospitality chains that rely on the system. This sophisticated yet relatively simple hack exploited the locks' RFID and encryption mechanisms, starting from nothing more than a spare keycard.

Fortunately, it was ethical security researchers who unearthed this vulnerability. In doing so, they exposed weaknesses both in Dormakaba's encryption and in the underlying RFID system it uses, MIFARE Classic. By exploiting these weaknesses, the researchers demonstrated how easily and quickly Saflok keycard locks can be bypassed. Their method entails acquiring any keycard from a target hotel, whether by booking a room or obtaining a used keycard, then extracting a specific code from that card with a $300 RFID read-write device. From that code they craft two new keycards of their own: tapped on a lock, the first alters a specific piece of the lock's data, and the second then opens it.

The full extent of the vulnerabilities in unnecessarily web-connected devices remains unknown. Worse, it is now widely known how easily these lock systems, among others, can be compromised. We can hope that life and property stay secure until the lock vulnerabilities are addressed, but the reality is that fixing connected-device problems demands heightened awareness, time, and extensive manual intervention. Swift action to fortify these systems is imperative to protect the safety and privacy of guests. These locks also serve as a warning that similar vulnerabilities exist elsewhere.

Pitfalls of Over-Digitalization and Neglecting Security

The hotel keycard situation highlights significant concerns about the rampant over-digitalization of today's world, coupled with an excessive reliance on convenience. The escalating dependence on digital security measures, exemplified by keyless entry systems for cars and smart locks for homes, presents a formidable security threat. We find ourselves in a troubling pattern of prioritizing convenience at the expense of security. This trend is exacerbated by the lack of tangible consequences for product designers who fail to build in security, and by the culture of abundance common in many first-world countries.

In the era dominated by physical keys, a perceived sense of security prevailed. Typically only one available copy of a key existed, and duplication required physical access. However, the evolution toward digital keys introduces new vulnerabilities. The prevalence of vehicle thefts, facilitated by the remote copying of entry systems without any physical interaction, underscores this vulnerability. Likewise, the proliferation of vehicle apps enabling remote tracking and control poses significant security risks. The crucial question arises: do the conveniences offered by digital systems outweigh the associated risks? It’s a pressing dilemma demanding our attention, as we continually navigate the trade-off between convenience and security.

A Key With Significant Impact

The Saflok hotel lock exposure and its lessons should not be downplayed; its ramifications are vast, affecting individuals, businesses, and the broader tech industry:

  • Hotels rely on guest trust to maintain their reputation and business
  • Guests expect safety, which is why locks are installed in the first place
  • Hotels may face lawsuits from affected guests or be compelled to implement costly security upgrades

The exposure also has significant implications for manufacturers of digital lock systems, challenging the reliability and security of their products and potentially leading to a loss of customer trust, reduced sales, and the need for substantial security enhancements.

Reevaluating Security in Digital Technologies

For the security community, this incident should serve as a clarion call, ringing loud and clear to highlight the inherent vulnerabilities in digital systems. Such occurrences instill a healthy dose of skepticism regarding the security of digital systems, spanning from smart home devices to critical infrastructure. It’s a stark reminder that even seemingly minor conveniences can pave the way for significant security vulnerabilities and hackers.

As we march forward, the primary aim of new technologies must be to ensure that convenience never comes at the expense of security and privacy. It’s imperative we embark on a thorough reevaluation of how security is integrated into digital technologies, even if it entails refraining from digitization altogether. The time has come to halt unsafe technological practices and forge a future where innovation and security are synonymous. Only then can we truly harness the potential of digital advancements while safeguarding the integrity of our systems and the privacy of our data.

Looking for support in securing your systems and data? Send us a request to get started.


This article was originally published in Forbes.

Impact of the IoT Trust Mark on Cybersecurity in the United States

New government-driven cybersecurity initiatives can be difficult to embrace. They tend to veer towards regulation, reporting, bureaucracy, and other constructs that add to IT operations requirements. By nature, they include an effort-driven adoption period that organizations must plan for and process.

The rapid proliferation of Internet of Things (IoT) devices has long been a critical cybersecurity topic, appearing at the forefront of technology ecosystem discussions. To address concerns surrounding IoT security, the US government recently introduced the long-awaited “Cyber Trust Mark.” This landmark initiative establishes a comprehensive labeling program that empowers consumers to make informed decisions about the security of their IoT devices.

The Need for IoT Security Labeling

The proliferation of interconnected devices, from smart home appliances to industrial machinery, has ushered in a new wave of convenience and efficiency. However, this proliferation has also exposed vulnerabilities that malicious actors can exploit. IoT devices, if not properly secured, can become entry points for cyberattacks, leading to data breaches, privacy violations, and even compromise of critical infrastructure. The US government’s launch of the Cyber Trust Mark recognizes these risks and signifies a pivotal step in addressing IoT security concerns directly.

The Cyber Trust Mark is poised to bolster consumer confidence in IoT devices by providing clear and standardized security information. Just as nutrition labels on food products offer valuable information to consumers, the Cyber Trust Mark is designed to offer information regarding a device’s security features, privacy controls, and data protection measures. This transparency is intended to help consumers make informed purchasing decisions, and opt for devices that align with their security preferences and needs.

Core Elements of the Cyber Trust Mark

With the introduction of the Cyber Trust Mark, consumers will gain insight into the following elements of their IoT products:

  • Manufacturer Accountability: Information about the manufacturer’s commitment to cybersecurity, including their track record in responding to security incidents.
  • Device Security: Evaluation of the device’s security measures, including encryption protocols, secure boot processes, and the presence of regularly updated firmware.
  • Data Privacy: Privacy controls and data handling practices will come under scrutiny, with information about whether data is being collected, how it’s being used, and controls over sharing.
  • Vulnerability Management: Assessment of the manufacturer’s approach to identifying and addressing vulnerabilities, as well as their responsiveness to releasing security patches.

A Ripple Effect on the Industry

The introduction of the Cyber Trust Mark is likely to have a profound impact on the IoT industry as a whole. Manufacturers will be incentivized to enhance security practices, to both differentiate their products through strong security measures and build consumer trust. This initiative could catalyze a shift towards a security-first mindset within the industry, elevating the overall state of IoT security.

Many manufacturers will need to adapt to this new initiative, which will likely prompt new efforts to define and embrace cybersecurity, privacy, and responsible management. A side benefit is that typical consumers will be exposed to cybersecurity measures and vocabulary as a matter of everyday consumption.

The Road Ahead

The introduction of the US IoT Trust Mark represents a significant step towards addressing the pressing cybersecurity concerns associated with the exponential growth of IoT devices. This initiative promises to empower consumers with essential information about device security, data privacy, and manufacturer accountability, guiding more informed choices. Moreover, it’s poised to foster a culture of heightened cybersecurity awareness within the IoT industry, encouraging manufacturers to prioritize security and build consumer trust. While ongoing vigilance remains vital, the Cyber Trust Mark serves as a positive beacon in our interconnected world, guiding us towards a more secure and resilient future within the IoT landscape.

This article was originally published in Forbes. Please follow me on LinkedIn.

IoT Devices May Not Be the ‘Smart’ Choice

'Tis the season to start hunting for the latest and greatest gifts, and smart technology is turning just about anything, from homewares to exercise equipment, into a hot-ticket tech toy. Are these smart devices on your shopping list this holiday? Buyer beware: there are often no consumer warnings about the cybersecurity risks these new IoT toys can bring.

Ntirety CEO Emil Sayegh has done deep dives into the potential hazards of smart mirrors in his article Mirror, Mirror On The Wall, and into the very real consequences of IoT cyber-attacks in Peloton Breach Reveals a Coming IoT Data Winter, both published in Forbes.

Mirror, Mirror On The Wall and Peloton Breach Reveals a Coming IoT Data Winter

Recently, attacks against Internet of Things (IoT) systems have emerged. With the technology in billions of everyday items, the scope of these attacks is worrisome. Because the migration to Internet-everything is unstoppable, we’ll be seeing these security incidents for a long time unless we adjust course quickly. 

The financial motive to add Web features to every device known to mankind is clear. It seems everyone wants to be on the Web, uploading data from their bicycles, sprinkler systems, refrigerator energy consumption, and just about everything you can possibly think of.  

Consumers accept risks, sometimes unknowingly, because many assume that the worst-case scenario will not happen to them or affect them significantly. 

The Peloton Breach 

That leads us to the breach at Peloton, the at-home connected fitness equipment company. A security researcher discovered an unauthenticated API on Peloton bikes and treadmills that exposed information about users, including age, weight, gender, workout statistics, and birthdays. Peloton has come under significant scrutiny, having made a mess of its remediation communications and deadlines. This appears to be just the beginning, as more items from the physical world come online, handling sensitive information that few people think about protecting until it is too late.

In the wake of consumerized products from all walks of life, IoT systems and online accounts are under significant threat, regardless of what the product is. An increasing number of smart camera platforms are being targeted by thieves. At risk are privacy and security, along with exposure to fraud, as criminal gangs exploit the spoils of stolen data for their own merciless benefit.

The Smart Mirror 

A recent story getting a lot of attention involves an interconnected “smart mirror.” With a price tag of $1,495, this mirror provides tips, suggestions, can set and keep progress on fitness goals, as well as delivering streaming workout classes. The company was picked up by the sportswear giant Lululemon for $500 million last year. Under the home exercise boom precipitated by the global pandemic, the product could be finding a mainstream groove. Reviews for the new product are trending well on the positive side and Lululemon appears to have a rare winning omnichannel marketing vehicle to pin onto their main product lines. 

Clothing and marketing retailers, like Lululemon, wield a fine history of supply chain, retail, and e-commerce experience, but a device with this kind of technology introduces challenging privacy and security concerns for the consumer and the company. 

Can IoT Be Slowed? Should It? 

Once upon a time, distributed alternating current electricity was the next new thing. Electricity, lighting, and motors were added to every item available at the time. Therefore, people no longer had to crank record players, grind coffee beans by hand, or shine shoes with a pile of rags. What it meant to consumers was that convenience and functionality were clear winners. With IoT, we’re seeing a parallel application of the Web to real-world things, but with additional variables of security and privacy concerns. Consumers seem to be unable to resist these features, and the ecosystem continues its stratospheric growth. 

What many consumers don’t seem to realize is that consumer products companies are in the business of selling the products they make. They are not in the business of securing our information. If history is any indication, they have failed at protecting personal information as their products connect to billions of endpoints in your kitchen, your garage, your bedroom, and every place you live your life. 

Considering factors such as the growth of the market, continual cybersecurity threats, and financial motivations driven by successful compromises, we can expect to see more information losses, even in places thought to be safe. Worse, threats once affected only digital things, but IoT drops the cyber realm directly in the middle of our physical world. Attacks against data can be attacks against critical systems, human beings, resources, and the world around us. 

Even the smallest bits of leaked data can be enough to compose purpose-built phishing attacks or be stacked into significant waves of fraud. Unfortunately, it will take an unknown event of significant scale or personal financial impact for users to collectively wise up and demand more security from the market. 

The Need for Strict Security and Privacy Standards

Proper use of privacy settings, privacy protocols, and comprehensive security tools is an absolute necessity. Companies must be held accountable when there are significant variances, misuse of data, or violations of trust. Privacy regulations in Europe, California, and Texas have done their share to bring privacy to the forefront of discussion, but they may not be enough. Certain compliance measures also require that individuals be able to select the privacy settings of their choice.

Protection is Comprehensive 

Companies and individuals should embrace a security-first strategy that prevents unauthorized access through a comprehensive security and compliance approach to technology implementations. Guided by both external and internally defined compliance requirements, an organization can achieve compliant, comprehensive security with tooling such as:

  • Strong authentication
  • Strong privacy rules
  • Third-party monitoring and validation
  • End-to-end encryption from the user device down to the database, application, and systems
  • Roles-based access to data and systems
  • Data classifications

This is a list that goes on and on, tracking closely to the mission, capabilities, and parameters of each organization that ventures into comprehensive security.
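To make the Peloton failure described above (an API that hands out user data without checking who is asking) and the "strong authentication" and "roles-based access" items in the list concrete, here is an added, hypothetical example that is not part of the original articles and is not Peloton's or Ntirety's code. It is a dependency-free Python model of a profile endpoint with no authentication at all, placed beside a hardened version that authenticates the caller, authorizes per object (owner or admin), and returns only non-sensitive fields to anyone else. All profiles, tokens, roles and field names are constructed sample values.

```python
"""Added example: an unauthenticated profile endpoint beside a hardened one.

Hypothetical model of the failure mode described in the article (an API that
returns user records to anyone who asks) and of two listed controls: strong
authentication and roles-based access. Everything here is constructed sample
data; no real service, user, or token is represented.
"""
import hmac
from typing import Optional, Tuple

# Constructed sample profiles. The field names mimic the kinds of data the
# article says were exposed (age, weight, birthday, workout statistics).
PROFILES = {
    1001: {"name": "alice", "age": 34, "weight_kg": 61,
           "birthday": "1990-03-02", "workouts": 128},
    1002: {"name": "bob", "age": 41, "weight_kg": 83,
           "birthday": "1983-11-17", "workouts": 57},
}

# Fields only the record's owner (or an admin) may read.
PRIVATE_FIELDS = {"age", "weight_kg", "birthday"}

# Constructed session store: bearer token -> (user_id, role). In a real
# service the token is issued at login and looked up server-side like this.
SESSIONS = {
    "tok-alice": (1001, "user"),
    "tok-bob": (1002, "user"),
    "tok-ops": (9000, "admin"),
}


def vulnerable_get_profile(user_id: int) -> Optional[dict]:
    """The 'before': no caller identity is established, so anyone who can
    reach the endpoint can walk through ids and read every field."""
    return PROFILES.get(user_id)


def authenticate(token: Optional[str]) -> Optional[Tuple[int, str]]:
    """Resolve a bearer token to (user_id, role), or None if it is invalid.

    The store is scanned with hmac.compare_digest rather than indexed so the
    check does not leak which tokens exist through comparison timing.
    """
    if not token:
        return None
    for known, identity in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None


def hardened_get_profile(token: Optional[str], user_id: int) -> Tuple[int, dict]:
    """The 'after': authenticate, then authorize per object, then minimise.

    Returns (http_status, body) so a web framework could map it straight
    onto a response. Unauthenticated callers get nothing at all; other
    authenticated users get only the public view of a profile.
    """
    identity = authenticate(token)
    if identity is None:
        return 401, {"error": "authentication required"}
    caller_id, role = identity

    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}

    # Roles-based access: the owner and the admin role see the full record.
    if caller_id == user_id or role == "admin":
        return 200, dict(profile)

    # Any other authenticated user sees the public view only.
    public = {k: v for k, v in profile.items() if k not in PRIVATE_FIELDS}
    return 200, public


if __name__ == "__main__":
    # Same request, before and after: reading bob's record with no credentials.
    print("vulnerable:", vulnerable_get_profile(1002))
    print("hardened, no token:", hardened_get_profile(None, 1002))
    print("hardened, as alice:", hardened_get_profile("tok-alice", 1002))
    print("hardened, as bob:", hardened_get_profile("tok-bob", 1002))
```

The contrast to notice is that the hardened handler makes two separate decisions, authentication (who is calling) and authorization (what this caller may see of this record), and that the second decision is made per object rather than per endpoint; an endpoint that only checks for a valid login still leaks every user's private fields to every other user.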

Proactively Protect 

Don't let these risks make you cross the latest smart devices off your wish list; work with experts to learn how to always be proactive when it comes to protecting your data. Practicing good cybersecurity hygiene isn't just a priority for the holidays: schedule a Security Assessment any time of the year to strengthen your security posture (but don't wait until it's too late!)