Welcome

On behalf of The Hospitality Security Consulting Group (HSCG), welcome to our Blog. We created this site with the intent of sharing current and relevant life safety and security news specific to the hospitality industry. We will post news, Best Practices and important tips to assist you in protecting your guests and hotel operation. Please subscribe or bookmark this page as the content will be updated frequently. Being informed is the first step to being prepared!

Operating from Reno, NV, we are a licensed (NV Security License #1591) security consulting practice providing risk assessment and suggested corrective measures to mitigate a wide variety of threats to your guests, personnel, facilities and systems.

For additional information, please visit our website at: www.thehscg.com or call us at: 1.800.880.4485

___________________________________________________________________________________________________

The opinions expressed in this blog and those providing comments are theirs alone and do not reflect the opinions or views of HSCG or our Managing Members. HSCG is not responsible for the accuracy of any information supplied.

The publishing or posting of any copyrighted materials on this site are used under the guidelines of “Fair Use” in accordance with USC Title 17 and 107. All content remains the copyright of the original holder and is used here for the purpose of education, comparison and criticism only. No infringement of copyright is intended. When available, full attribution is provided to the original author or information source.

Comments are encouraged, however, links to other websites or commercial endorsements are not permitted. All comments with embedded active links will be deleted.

___________________________________________________________________________________________________

Tuesday, January 8, 2013

Hotels Still Grappling With Guestroom Lock Issues

By Ed Watkins

Properties Face Potential Security, Financial, Service and Legal Risks

The lodging industry is in a crisis. Since July, when for unknown reasons a security researcher unveiled an easy and cheap way to gain access to hotel guestrooms equipped with certain electronic locks made by Onity, hotel owners and operators have been subject to a variety of security, financial, service and, above all, legal risks. Strangely, some hoteliers don’t seem to fully understand the gravity of the situation or how it can affect them, even if their hotels don’t have Onity locks.

“It’s like an airplane crash,” said an executive of another locking company during November’s International Hotel/Motel & Restaurant Show. “It doesn’t matter if it’s Delta or USAir, it’s not good for the industry.”

Since the problem with the Onity locks has so far only resulted in a few guestroom break-ins and thefts, media coverage has been minimal and mostly non-sensational. But that could change, notes hotel legal expert Stephen Barth.

“So far, only personal property has been stolen,” says Barth, who is a professor at the Conrad Hilton College of the University of Houston and president and founder of HospitalityLawyer.com. “We haven’t had an incident of bodily harm. God forbid, but if that ever happens, it becomes a much bigger issue in the media and for the hotel industry.”

Beyond that worst-case scenario, hoteliers must deal with other fallout from the situation. Customers, especially corporate travel managers and group meeting planners, are becoming aware of the issue and may query hotels about their guestroom locks and other security precautions. Also, insurance carriers could raise rates or even deny coverage to hotels that don’t adequately address the problem. At the very least, the security practices of all hotels are now under the microscope. Even a seemingly minor incident has the potential to be blown out of proportion by the media.

The Situation

In late July, 24-year-old Cody Brocious, described as a researcher with software developer Mozilla, took the stage at the annual Black Hat Security Conference, a favorite of many computer hackers. During his presentation, Brocious revealed serious vulnerabilities with several models of Onity guestroom locking systems reportedly installed worldwide in 22,000 hotels and about four million guestrooms. Later on his website, he released a white paper with step-by-step instructions on how to build, using less than $50 worth of easily available components, a device to circumvent the security of the Onity locks. Another hacker upped the ante with a YouTube video outlining the process.

As Jim Stickley of TraceSecurity showed on NBC’s “Today Show,” the device can be disguised in a dry erase marker or an iPhone case. It plugs into the communications port on the bottom of the lock and instructs the lock to open without leaving any digital evidence.

“It is ridiculously easy to build,” says Stickley, whose firm does technology consulting but not for the hotel industry. “Even if you have zero experience with microchips, [the white paper and video] walk you through the procedure. Now, anybody on the planet who has a half-hour to kill and about $35 can build one of these devices.”

Brocious ratcheted up the pressure on Onity in November when he allegedly hacked the Onity server and posted the names and addresses of the hotels with the compromised locks. Brocious, who was approached multiple times to comment for this article, has since been silent. Despite several rumors regarding his motivations for the attack on Onity, Brocious has never indicated his reasoning and his ultimate goal.

In another odd twist to the story, two years ago—and before revealing it at the security conference—Brocious reportedly sold the details of the Onity security breach to Lockmasters Security Institute, a Kentucky-based organization that offers in-person training courses for security professionals and law enforcement. One of its offerings is a five-day course on electronic hotel locks. LSI wouldn’t comment, and Onity says it is “aware of [the organization] and its course offering on hotel locks but does not cooperate with them.”

Three Solutions

There are three approaches a hotel with the corrupted locks can take to rectify the situation. The foolproof, but least cost-effective way is to remove and replace the affected locks, which at up to $300 per lock makes little financial sense for many hotels.

Onity has offered two fixes to hotels with its locks. One is a plastic cap that fits over the communications port. Some security experts have criticized this so-called mechanical solution, which Onity offers free to its customers, both because it doesn’t address the root cause of the problem and because it can be compromised. Also, placing a cap on the port slows down hotel personnel who legitimately need to access the lock to perform audit trails or for emergency entrance to guestrooms.

Another problem is the screws used to attach the caps. While Onity calls them “security screws,” Tom Daly of lodging security firm HSC Group says they’re “the laughingstock of the industry. A 12-year-old could defeat them with a screwdriver he could buy at Radio Shack. The physical fix is no fix.”

Onity’s alternative is a firmware change to the lock, a fix that’s not available on some models of locks. In a statement last month, the company says it has “deployed over two million solutions for locks to hotel properties,” without specifying how many of each fix it has implemented. It does say it will work to ensure all hotels in its database receive the mechanical solution.

The so-called technical solution involves upgrades or replacement of the locks’ circuitry, but Onity says this solution will vary depending on the age, model and deployment of locks at each hotel. Those installed before 2005, for example, may not be eligible for this fix.

In November, another possible fix emerged from security systems provider OpenWays, which markets a system that allows guests with cellphones and smartphones to use their mobile devices to check-in and access their guestroom doors. Building on that technology, OpenWays debuted LockFix as a simple and relatively inexpensive solution to the problem.

“One sure way to cure the problem is to cut the wire between the communication port [on the lock] and the motherboard,” says Pascal Metivier, founder and CEO of OpenWays. “By cutting the wires no one [including criminals with the hacking device] can leverage the communications port to open the lock. Of course, on the other hand, the hotel staff can no longer gain emergency access to rooms or conduct audit trails on the locks. It solves one problem but creates too many more.”

The LockFix answer is to insert a relay in the lock. In the normal position, the relay disconnects the communications port, preventing a hacker from opening the lock. But hotel personnel equipped with Android smartphones and a secure application can activate the relay using an encrypted acoustic sound that temporarily reauthorizes communications with the lock. The system is now standard with the OpenWays mobile system and the company offers a license for the technology at no charge. Hotels need to purchase and install the relay module (about $45 to $55 per lock).

“We see it as a foolproof method without having to do anything to the lock except put in the relay,” says Daly of HSC Group. “A hotelier is able to do the fix and to keep the investment he’s made in the door lock.”

Industry Response

Not surprisingly, many hotel chains and companies are guarded in their public responses to the Onity issue. Concerned with liability and public perception issues, most chains have merely said they and their owners are working with Onity to rectify the situation. Hyatt’s public response is typical: “As soon as we became aware of the situation, hotels we manage with the affected model locks implemented various security measures to help mitigate the potential vulnerability. To maintain the integrity of these security measures, we cannot provide specific details about those steps.”

While the main concerns of hotels are guest safety and protection from liability, the situation has created additional fallout hotels need to address. For one, notes Dallas lawyer Steve Rudner, meeting planners are beginning to question hotels about their locks and other security procedures. Some planners are including queries about a hotel’s locking system in their RFPs. Others are asking for copies of hotels’ security plans. Both approaches are unnecessary and overkill, says Rudner, who represents hotels in their dealings with groups.

“Since the beginning of time, innkeepers have had a common law duty to take reasonable steps to maintain the security of guests, and the protection a meeting planner needs isn’t found in a new clause in an RFP,” he says. He advises his clients to remind meeting planners of a hotel’s duties as innkeepers and that they are taking all reasonable steps to protect the safety of guests and their property.

Insurance is another possible issue. Some carriers have taken note of the Onity situation and, says hotel insurance expert Kevin Eggleston, will be certain to make sure their hotel customers are responding appropriately. Failure to do so could result in higher premiums or, in the extreme, an inability to get coverage. Of particular concern to insurance carriers is the fact that the device used to hack Onity locks leaves no audit trail, which until now has been a strong defense for hotels fighting legal actions resulting from thefts or other crimes committed in hotel guestrooms.

“The greater, tragic concern is that someone gets raped or killed in a guestroom and you as hoteliers were aware of the problem but did nothing about it,” says Eggleston, senior vice president and national hospitality practice leader for Wells Fargo Insurance. “In that case, a plaintiff’s attorney will argue that you have an even higher degree of culpability.”

Steps To Take

Whether a hotel has an Onity lock system or not, now is a good time for all owners and operators to review their security protocols to ensure they’re providing the reasonable care demanded by law as well as giving customers peace of mind. Steve Barth of HospitalityLawyer.com and the University of Houston says there are a number of concrete steps hoteliers should be taking. “Remind guests to use safety latches in their rooms and regularly inspect those latches,” he says. “Enhance security walk-throughs of the building, limit access to the hotel except for one or two places and enhance closed-circuit TV systems and escalate the number of times you’re looking at the screens.”

The AH&LA provides hotel safety tips that properties can give to their guests. Other advice comes from Sequoia Insurance: Inform staff to look for suspicious-looking people carrying dry erase pens or iPhone cases and to make sure front desk agents can answer questions related to the hotel’s locking systems. And finally, Sequoia reminds hoteliers with Onity systems to track all repairs and associated costs in the event a legal remedy becomes available for recovering those costs.
