AutoID & Data Capture Blog

Could RFID Lock Hack at US Hotel Chains Close the Door on NFC-enabled Security/Access Control Opportunity?

If you travel frequently, be warned: hackers have devised a way to bypass a particular type of electronic lock commonly found throughout leading hotel chains across the US. With a little spare time and about $50 in common tools and materials, criminals across the US have been building these devices to break into hotel rooms (supposedly) secured with electronic keycard locks. The resulting e-lock pick is about the size of a marker and can be used to crack Onity HT and Advance locks found in an estimated 4 to 5 million hotel rooms nationwide, including those at certain Hyatt, Ramada, Doubletree Hilton and Country Inn & Suites locations. Obviously, this is terrible publicity for all the brands associated with this security failure—but we also see it as an unfortunate setback for RFID, NFC and other electronic security/access control solutions as well.

To be clear, the lock models targeted by this security hack are RFID-based. As far as we know, no other electronic security technologies (e.g., NFC, magnetic stripe, biometrics) have been compromised by this attack. Unfortunately for non-RFID electronic lock vendors, that fact might be of little consequence—especially in the context of end users’ perception.

The market for electronic hotel locks is somewhat unique in the sense that there are really two categories of end users: the hotels and their customers. Barring a PR disaster such as this, an e-lock vendor must only convince the former of the security and reliability of its locks to be successful—hotel guests will assume the lock on their door will do what it is supposed to—until a story like Onity’s goes viral.

Now, not only will hotel operators be avoiding Onity products due to this new security threat, so too will nervous hotel guests. While this presents an immense problem for Onity, we also see it as a challenge for all electronic security/access control vendors. While a hotel IT or security director may be savvy enough to distinguish between different lock vendors and enabling technologies—including RFID, NFC, magnetic stripe and biometrics—the average hotel guest most likely is not. Therein lays the problem for e-lock companies.

From a hotel operators’ perspective, guests’ perceptions carry significant weight—because if a guest is not confident in the hotel’s security, they are probably going to stay elsewhere. Thus, if the public becomes highly weary of electronic locks in general—to the point that their presence negatively impacts a hotel’s bookings—we bet operators would be swift to revert to old-fashioned lock-and-key or other more secure alternatives.

While fallout from this incident is not likely to be that severe, we expect it will cause many hotel operators to evaluate more carefully the reliability and security their future e-lock investments truly deliver. Moreover, this incident underscores the need for increased vigilance when it comes to securing electronically-enabled devices, particularly those that are customer-facing and likely to be targets of criminal attacks. Consumer trust is highly difficult to earn but can be lost instantly.