At least one app for the Apple Watch will allow the wearer to unlock a hotel room with the wave of a wrist. But using mobile devices to provide keyless entry to hotel rooms isn't a novel concept -- and could come with added security risks.
It's easy to see the attraction of mobile devices as hotel keys: It's one less thing guests need to carry around with them on their travels, and magnetic stripe cards are notoriously fickle when placed next to credit cards or mobile phones. But as more automation enters the hotel ecosystem, more security challenges seem to follow.
At Black Hat USA in August, security researcher Jesus Molina detailed how he was able to take over nearly every bit of technology from the thermostat to window blinds in his room at a luxury hotel in China -- and the other 250-plus guest rooms -- all from an iPad.
However, Molina's digital power didn't extend to the room locks, which were operated by a separate system. Hotel locks, he told me when Hilton announced their intent to use smartphones to unlock rooms, have traditionally relied on cloaked security. "You don't know what's in things like keycards or RFIDs," he explained. The moving parts are shrouded, in theory making them harder to crack, a sort of security through obscurity that can hide flaws both from bad guys and researchers wanting to test the efficacy of systems.
But moving systems to a smartphone or other mobile device that has built-in computing power that could be used to run algorithms to break that security could "open up a big can of worms," he said. Although he assumes Hilton and other companies considering this move have taken "great care" to reduce risk, he still worries that the additional attack surface and communication abilities of mobile devices might make them more difficult to secure.
Hotel chains seem confident in their ability to secure the systems. Asked about their security practices at the time of the company's smartphone announcement, Hilton said all of their proprietary systems undergo "rigorous testing and validation" -- and that their internal scrutiny would be supplemented with "certification by external security experts" before being deployed.