Financial Fitness


How secure is your hotel's mobile room key?

Posted at 12:10 PM, Jan 08, 2018

By the time you get to your hotel, you’ve waited at the airport, on the plane and in transit. Checking into your room may also mean a wait — but not if your hotel offers mobile check-in and a digital room key.

Some hotels offer these features through their mobile apps, allowing guests to bypass the front desk and head straight to their room without the wait. The room door opens with the mobile key when the phone touches the lock on the door.

Mobile keys are convenient time-savers, but as a new technology, they may not be without vulnerabilities. The security of the mobile key feature depends on the measures that hotels or mobile key providers have in place to protect their electronic key system.

How and where mobile keys work

The functionality of the mobile key feature varies by provider and hotel. Generally, your phone’s Bluetooth setting needs to be on for keys to work. These electronic keys may also provide access to other areas on the property, such as the fitness center, lounge, elevator or parking garage. You may also be able to perform other tasks like taking a call while using the key.

The mobile key feature has become available on more mobile devices at a growing list of hotel properties:

  • Marriott and SPG hotels offer it at over 400 properties
  • Hilton offers its digital key at over 1,000 properties
  • Intercontinental Hotels and Resorts is piloting the feature
  • Radisson RED, a lifestyle hotel brand, offers the mobile key option at three properties

Other hotels have the option of offering the feature through providers like OpenKey that offer mobile app software for hotels.

How safe are mobile keys?

The FBI says it has not seen any cases of compromised hotel mobile key systems in the U.S., but hotel hacks are not unheard of. Last year, the Romantik Seehotel Jagerwirt hotel in Austria made headlines when hackers targeted its electronic key system, locking the hotel out of its computer system and preventing management from accessing the reservation system. The hotel was using swipeable key cards at the time. New guests couldn’t use their cards, and receptionists couldn’t create new keys for them.

Hackers reportedly emailed a ransom request to the hotel demanding two bitcoins in order to return management’s access to the electronic key system. Hotel manager Christoph Brandstatter says the ransom was paid and the hotel has since returned to traditional keys.

This “ransomware” tactic has been moving toward system-connected devices like locks in recent years, according to Michel Chamberland, North America practice lead of SpiderLabs at Trustwave, a security company that protects businesses from cybercrimes. Chamberland is a so-called “ethical hacker”; with his team, he hacks hotel clients’ mobile keys and locks to locate vulnerabilities before hackers do.

“On one of the locks we looked at, we were able to reset the administrative password without being authorized to do so,” Chamberland says. “We were able to manage the whole environment.” And new vulnerabilities are introduced with updates to mobile apps, he adds.

Nearly all digital locks in the hotel space have encryption that mirrors financial institutional security, according to TJ Person, founder and CEO of mobile key provider OpenKey. The company has a cloud security company monitoring its servers around the clock to help find and correct vulnerabilities.

Ted Harrington, executive partner at Maryland-based security firm Independent Security Evaluators, recommends that manufacturers of these solutions perform security assessments of their systems at the same level that an attacker would.

“There is a misperception that encryption alone delivers security, and that is fundamentally untrue,” Harrington says. He suggests thinking of encryption as the lock on your house. If the front window of your house is open, an attacker won’t bother breaking the lock on the door; he’ll get in through the window.

Are mobile keys safer than plastic key cards?

A traditional key card generally remains an option for guests who prefer it — but it’s not necessarily a safer option than a mobile key. Some magnetic key cards can be cloned wirelessly and read using antennas, according to Chamberland. And, of course, physical theft is a risk, particularly if hotel guests keep their key card and room number together for convenience (all the information thieves need to get access to a room).

Sure, smartphones can be stolen, too, but setting a phone lock and requiring a separate login for the mobile key app can provide some additional protection that doesn’t come with key cards.

“I think people should be excited about using mobile key, but they should be cognizant that there are security implications,” Harrington says. “Be an informed consumer. Read the news where you can, understand what’s going on in the security world and proceed cautiously.”

More From NerdWallet