In a story that circulated worldwide last week, it was reported that a hotel in Austria, the Seehotel Jaegerwirt, had been attacked by hackers who disabled the guestroom cardkey system, locking guests in their rooms until the hotel paid a Bitcoin ransom. That’s not exactly accurate, but enough of it is true to merit some serious discussion.
According to published reports correcting the initial misinformation, hackers did take control of the cardkey system, but only to the extent that the encoding of new key cards was disabled for guests in the process of checking in. Doors were never immobilized and guests were never trapped. Nevertheless, a ransom was indeed paid in Bitcoin currency by the hotel to have its systems and data released. And it’s apparently not the first time. The bottom line is that the hotel reportedly is planning a return to good, old-fashioned metal keys.
This situation probably has little to do with any of the three big makers of hospitality cardkey systems, Onity, OpenKey, and Salto Systems. It’s more likely a case of the bad guys being invited in on a red carpet right through the hotel’s front door. We’ve all heard the stories before: clicking an innocent-looking link in an email message, plugging a malware-laden flash drive into a USB port, network hardware left running with default passwords, services exposed on unprotected ports, and so on. One thing is for sure: we’re not far from IoT becoming an acronym for the “Internet of Thugs.”
Of course, there’s a cloud and mobile application development angle to this. We’re well beyond magstripe key cards or ones with embedded RFID tags. Indeed, the newest advancement in room-access technology is the complete elimination of the card. An app on your smartphone that uses proximity Bluetooth to communicate with the door lock is very much a reality and being installed in hotels worldwide. It’s yet another inevitable use of cloud and mobile computing technology.
While the vulnerability in this particular case may lie more in the area of network infrastructure management, it’s no less important for anyone cranking out lines of code to always keep security top of mind. It’s useful to approach any coding project with profound skepticism about its security and potential vulnerabilities. Think devious, think scheming, think cunning, because the people writing malware are doing exactly that, and they’re doing it better than you.
Consider this: According to a Dec. 2016 blog post by Amol Sarwate, director of vulnerability labs at security firm Qualys, Microsoft issued 155 security bulletins for the year, up 15% from 2015. Over the lifetime of Windows 7, that added up to many hundreds of security patches. If a smart company like Microsoft (or Apple, or Adobe, or Google, or Oracle, or any other company) can’t build software that’s secure, how in the world can you?
What glaring vulnerabilities were overlooked in the design of software that you coded? How were these vulnerabilities corrected and users notified? Share your horror stories; we’d like to hear from you.