A recent article by Fortune.com covered the security risks of using IP-based and other online security systems. Last month, hackers infiltrated the smart locks used by the Seehotel Jägerwirt hotel in Austria. The hackers locked guests out of their rooms and disabled the hotel admins from using the system. This attack came at the peak of the skiing season and the hotel was fully booked. The hackers demanded a ransom to be paid in 1500 Euros worth of Bitcoin before eventually giving up control of the smart locks.
This wasn’t the first time this hotel has been compromised, and it likely won’t be the last, even if they change to a different smart lock. A Techcrunch.com article covering the Def Con hacking conference found that approximately 75% of smart locks have poor cyber security measures and are easily defeated. Thanks to Austrian fire codes, none of the guests were locked into their rooms or the hotel; the fire code mandated manual locks as backups in case of such an event. Despite the fact that nobody was in harm’s way this time, the danger is still incredibly real. In this instance, guests were locked out, separated from their belongings. This is a huge inconvenience and a financial issue for the hotel, but nobody was hurt. They very easily could have been.
The hackers had total control over the system that supported these locks. Suppose the hackers wanted to gain entry to the rooms instead of prevent it. It’s the same principal in terms of the security flaws. A hacker could disable every lock in the hotel while someone else entered the rooms as the guests slept. This scenario is far more deadly than a small ransom to let the guests back into their rooms.
We often get questions from our clients about controlling their doors with an app and the answer is always the same: no. We consider the risks of internet-based security/access control systems to be unacceptably high, which is why none of our door or locks are online. Anything connected to the internet can be hacked with relative ease, especially compared to what it would take to physically defeat our doors.
The IP connected security system used by Seehotel Jägerwirt wound up being such a hassle that the hotel will be returning to traditional locks on all their doors. Their experience with smart locks has been a costly mistake and valuable lesson that smart locks are not necessarily safe locks.