You can check out any time you like, but you can never leave—at least not if you want to retrieve your belongings from your room first. No, not the Hotel California, but the Romantik Seehotel Jägerwirt, a luxury hotel on the shores of Austria’s Lake Turracher See. Although the hotel is more than a hundred years old, it used a state-of-the-art electronic key card system for room entry, unfortunately not so state-of-the-art that hackers couldn’t access it. After cybercriminals shut down the hotel’s computer systems, locking guests out of their rooms, hotel management was forced to pay a “ransom” of 1,500 Euros in Bitcoin so that they could get back in. The money, around $1,800, may not sound like much, but according to Christoph Brandstaetter, managing director, this was the third successful hack in less than a year. Brandstaetter says, “We had no other choice. Neither police nor insurance help you in this case.”
Hotel hacking is not a new phenomenon. In 2015, the point-of-service systems at Starwood Hotels and Resorts, Hilton, and Hyatt were all victims of hackers, but even as organizations shore up their credit card systems, hackers are finding new ways to extract money from the industry.
Nicholas Percoco, chief information and security officer at tech company Uptake, says, “Traditionally, the attacks would attempt to get in, steal the data, and leave with no one noticing. The shift to ransomware means that the criminals are looking to be noticed, cause disruption to the business, and get paid for reversing the problem they caused.”
Although stealing and selling credit card numbers is a lucrative cybercrime, it requires buyers for the information and can sometimes be tracked. Holding room entry systems for ransom ensures a fast payment by hotel managers desperate to let guests back into their rooms, and Bitcoin payments are almost impossible to track.
Bruce Schneier, chief technology officer of Resilient and a board member of the Electronic Frontier Foundation, noted on his blog, Schneier on Security, that this type of ransomware attack will become more common in the future, and because almost everything is networked, everything is vulnerable, including cars and home thermostats. He told MeetingsNet, “Ransomware attacks the most insecure of networks. Protecting yourself from this kind of attack takes nothing more than practicing good network security.”
In Austria, the hotel management chose to go public with news of the hacks because they knew that other hotels were being similarly targeted and decided to speak out about the blackmail. The cost of paying the blackmailers is significantly less than making repairs should the hotel attempt to break down room doors, but each time management spent thousands of Euros attempting to upgrade the system to stop the hackers from getting back in.
Percoco says, “The vast majority of hotel data breaches are the result of weak passwords and missing patches. Also, many hotels make the fatal flaw of using one computer system across hotel management, room access, and even front desk Web browsing. This is very problematic. A commitment to security requires education and an investment in the proper maintenance of systems to mitigate future attacks.”
You could say the guests at the Romantik Seehotel Jägerwirt, like those at the Hotel California, were “all just prisoners there of the (key card) device,” but after the latest attack, management decided to change tactics. Brandstaetter says the hotel is dropping the key card system altogether and going back to the old-fashioned lock and key—good luck hacking that.