Over the weekend, a story spread widely across social media claiming that hackers had held a hotel to ransom, after locking guests in their rooms:
One of Europe’s top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests in or out of their rooms until the money was paid.
Furious hotel managers at the Romantik Seehotel Jaegerwirt, a luxurious 4-star hotel with a beautiful lakeside setting on the Alpine Turracher Hoehe Pass in Austria, said they decided to go public with what happened to warn others of the dangers of cybercrime.
As soon as I heard the story I was suspicious.
Why would a hotel announce that they had failed so spectacularly at securing their systems, and inconvenienced hundreds of their guests? Where were the quotes from aggrieved hotel guests who were locked in their rooms? Where were the social media posts and YouTube videos of guests unable to leave their hotel rooms? Why are there no grumblings on TripAdvisor or on the hotel’s Facebook page?
It just didn’t make any sense.
Think a little deeper, and it makes even less sense.
What hotel do you know where you have to use an electronic lock to *leave* a hotel room? In your hotel room you have a manual door latch for good reason, and don't need to find your room card to get out. Think about it: if there's an emergency such as a fire, you don't want to be desperately trying to find your key card.
A quick trawl through the Seehotel Jaegerwirt’s website finds some standard-looking door handles on the inside of their rooms, which must be pleasing to the local fire department.
So, my conclusion is that the suggestion that guests were locked in their rooms is clearly cobblers.
Might hotel guests have been locked out of their rooms (as opposed to inside their rooms)? I think that’s unlikely.
Watch what happens when you check in at a hotel. In my experience what usually happens is this. The receptionist takes a key card, slides it into a gizmo, and programs its magnetic strip with a code which represents your room number (and potentially your check-out date).
Your room’s key card lock compares the room code on the key card with one stored locally within the lock. It could check with a central computer, but that would inevitably require a lot more wiring and complexity – something you probably wouldn’t expect in a family-run hotel built over 100 years ago.
Let’s read some more:
And they said they wanted to see more done to tackle cybercriminals as this sort of activity is set to get worse. The hotel has a modern IT system which includes key cards for hotel doors, like many other hotels in the industry.
Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.
So, according to the report the hotel decided to go public to “warn others of the dangers of cybercrime” *and* admitted that they have now been hit by hackers on three occasions.
If the story is true, it’s certainly surprisingly altruistic behaviour that the hotel is displaying. After all, if they have been “hit three times by cybercriminals” I wouldn’t necessarily be hurrying to book a vacation and entrusting my credit card details with them. Clearly their grasp on computer security is as shaky as my performance on the ski slopes.
Of course, I applaud firms who go public about being victims of cybercrime, but I know only too well that many prefer to brush the story under the carpet unless they feel compelled by legislation to share details – most commonly if the personal or financial details of members of the public have been put at risk.
So, in conclusion…
Was the Romantik Seehotel Jaegerwirt hotel hit by ransomware?
I don’t know. I guess it’s possible they were.
Bleeping Computer quotes the hotel’s manager, giving a more believable description of what may have occurred:
“We were hacked, but nobody was locked in or out,” said the hotel’s Managing Director Christopher Brandstaetter. “For one day we were not able to make new keycards.”
“Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident,” the manager also added. “We simply could not issue new keycards because the computers were encrypted.”
That sounds plausible to me. But not something that really warrants the widespread media coverage.
Were hotel guests locked in their rooms?
That sounds like utter balderdash. Although I wouldn’t be surprised to hear computer security firms trotting the dubious anecdote out as evidence of the danger posed by ransomware for years to come.
For further discussion of this topic, be sure to listen to this episode of the “Smashing Security” podcast:
Smashing Security #006: 'A romantic ransomware hotel break'
I agree with your conclusions, but it seems to me you must be wrong about the unlocking code being stored 'locally within the lock'. An important security feature is that if you lose your keycard, the receptionist can cancel its validity, otherwise if it was found by a crook they'd have access to your room. Surely all locks *have* to be connected to a central database of some sort?
It's a common misunderstanding to think that there is some complex door database system. Door locks do not have to be wired to a database. Here is a good explanation of how it works by one hotel manager:
The only thing on the card key is a rotating code and a serial code of some sort to distinguish one key from another (i.e. two master keys will have the same key code but different serial codes.) When you check in, the clerk puts the key in an encoding machine that records onto it the next sequential code for the lock on your room. When you first enter your room the lock recognizes that the next sequential code is being used and instantly invalidates the previous key. That explains why if you get a second key later for someone else, it often messes up your key – the clerk coded a new key rather than a duplicate. The sequence change means that the previous guest can no longer get into the room.
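To make the mechanism concrete, here is a toy model of the stand-alone lock described in the post (the lock comparing the card against a code held locally) and of the rotating-code scheme in the comment above. This is an added example, not code from the original post, from any commenter, or from any real lock vendor; the class names, the "one step ahead rolls the lock forward" rule and the front-desk counter are simplifying assumptions of the model, not a description of a specific product. It also shows the consequence the Bleeping Computer quote points at: with the front desk offline the doors keep working, only new cards cannot be issued.

```python
"""Toy model of a stand-alone hotel key-card lock (constructed example).

Each lock keeps a per-room sequence number.  A card carries the room, a
sequence number and a serial.  A card whose sequence number equals the
lock's current one opens the door; a card exactly one step ahead opens the
door AND advances the lock, which silently invalidates every older card.
No lock ever talks to the front desk, so the desk being down (for example
because its computers are encrypted) stops new cards being issued but does
not stop existing cards opening doors.  All names here are assumptions.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Card:
    room: int
    seq: int      # position in the room's rolling sequence
    serial: int   # distinguishes physically different cards with the same code


class Lock:
    """One door. Stores only its own room number and current sequence."""

    def __init__(self, room: int, seq: int = 0):
        self.room = room
        self.seq = seq

    def try_open(self, card: Card) -> bool:
        if card.room != self.room:
            return False
        if card.seq == self.seq:        # current guest, or a duplicate card
            return True
        if card.seq == self.seq + 1:    # next code in sequence: roll forward
            self.seq = card.seq         # every older card is now dead
            return True
        return False                    # stale card, or not the next code


class FrontDesk:
    """The encoding machine. Keeps a per-room counter; can be taken offline."""

    def __init__(self):
        self._next_seq = {}             # room -> last sequence number issued
        self._serials = count(1)
        self.online = True

    def _require_online(self):
        if not self.online:
            raise RuntimeError("front desk computers unavailable")

    def issue_new_key(self, room: int) -> Card:
        """New guest, or replacement for a lost card: advance the sequence."""
        self._require_online()
        seq = self._next_seq.get(room, 0) + 1
        self._next_seq[room] = seq
        return Card(room, seq, next(self._serials))

    def issue_duplicate(self, room: int) -> Card:
        """Second card for the same stay: same code, different serial."""
        self._require_online()
        return Card(room, self._next_seq[room], next(self._serials))


def scenario() -> dict:
    """Walk through the cases discussed on the page and return the outcomes."""
    desk, lock = FrontDesk(), Lock(room=101)

    guest_a = desk.issue_new_key(101)
    first_entry = lock.try_open(guest_a)            # lock rolls to seq 1

    dup = desk.issue_duplicate(101)                 # proper duplicate
    dup_works = lock.try_open(dup) and lock.try_open(guest_a)

    replacement = desk.issue_new_key(101)           # guest reports card lost
    replacement_works = lock.try_open(replacement)  # lock rolls to seq 2
    lost_card_dead = not lock.try_open(guest_a)     # old card now rejected

    wrong_room = lock.try_open(Card(102, 2, 999))   # other room's code fails

    desk.online = False                             # desk encrypted...
    try:
        desk.issue_new_key(103)
        desk_down = False
    except RuntimeError:
        desk_down = True
    door_still_opens = lock.try_open(replacement)   # ...doors still work

    return {
        "first_entry": first_entry,
        "dup_works": dup_works,
        "replacement_works": replacement_works,
        "lost_card_dead": lost_card_dead,
        "wrong_room": wrong_room,
        "desk_down": desk_down,
        "door_still_opens": door_still_opens,
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:18} {outcome}")
```

The point the model makes for a defender is the one in the comment: cancelling a lost card needs no wiring to the lock at all, because issuing the next code and presenting it once is what revokes the old one. The same property is why an outage at the front desk, whether from ransomware or a power cut, degrades to "no new cards" rather than "guests locked in or out".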
Probably what Bleeping Computer reported is more accurate. Many people and media love to play up the fear with any story with "cyber" in the title.
How can they have been hacked many times and still do not have an instant backup available and be back in business quickly??