Smart devices, often referred to as the Internet of Things, offer the hospitality industry the opportunity to give guests a much richer and differentiated experience.
Automated lighting, drapes and temperature settings provide the allure of luxury at any location in the world.
Although most hospitality providers will likely adopt similar technologies over the next few years, will those Internet‐connected devices be secure, or could they open the door to a hacker’s paradise and disrupt the experience, or even the security of your guests?
After all, who wants to stay at a hotel that’s been in the news due to security threats?
Recently, millions of electronic locks fitted to hotel doors were found vulnerable to hacking.
Researchers exploited the equipment’s software to create master keys that didn’t leave behind an activity log.
If a fish tank can be a door into a casino’s database, you can imagine what other creative ways a hacker might look to exploit connected devices on your network.
Dean Coclin
Worse still, these locks are being used by some of the largest hotel chains in the world, unbeknown to the guests who have just arrived in their rooms for a bit of solidarity and relaxation.
Many connected devices have been developed without security in mind. Most were even built without basic security principles like the ability to change default passwords, deploy secure updates and authenticate devices.
Seemingly innocent devices can offer an open door into more sensitive areas of your network, and maybe threaten the sanctity of your guests.
This begs the question: if it isn’t secure, should it be connected?
The consumer electronics industry has been rapidly multiplying the number of devices connected to the web. Meanwhile, malicious hackers are constantly discovering obscure vulnerabilities.
For example, a group recently exploited a vulnerability in a casino’s fish tank thermostat. Using this as a door into the network, they were able to extract sensitive information from the casino’s database.
Five ways to provide secure IoT experiences
1. Know all of your IoT devices
Mitigating the security risks of your connected devices starts with being aware of what devices are connecting to your network.
Once you take inventory of any current vulnerabilities, be sure that, going forward, you avoid first‐generation products and purchase only from established vendors that have a track record in the market.
2. Identify the uses and possible risks of each type of device
If a fish tank can be a door into a casino’s database, you can imagine what other creative ways a hacker might look to exploit connected devices on your network.
It’s up to you to decide the benefits of connecting a device to the Internet and what risk it could pose if it were hacked.
Subscribe to our newsletter below
Just one irritated guest or disgruntled employee happens with some tech savvy could take control if your smart thermostats, irrigation systems, door keys or something else.
These may seem like innocent devices, but, absent strong security policies to protect them from getting into the wrong hands, they can seriously harm your business.
Make sure you can secure them or consider not connecting these devices to the Internet.
3. Insist that your devices properly authenticate, encrypt data and assure data integrity
Do you know how your IT or security department protects data as it travels between the device and the network?
If you haven’t asked them this question, it would be a valuable exercise.
You might also ask how they’re ensuring that only trusted devices are connecting to the network in the first place, as well as how they’re verifying the integrity of the code sent during software updates.
4. Develop policies and procedures and ensure they are followed
Creating policies for IoT security is similar to a pilot’s procedures before and during a flight.
You wouldn’t fly an airplane until performing certain checks.
In the case of an emergency, you’d want a list to turn to in order to keep the plane in the air.
It's always wise to immediately change default passwords and regularly update the device firmware/software; this is like performing routine maintenance on an airplane.
If compromised, disconnect all devices from the network and notify authorities, but don’t power down your systems until authorities advise you to do so; this is like an in‐flight emergency checklist.
These are just a few examples of the policies you should have in place.
5. Talk to an expert about PKI and use a digital certificate‐based security system
Public Key Infrastructure (PKI) allows you to authenticate devices, encrypt communications, ensure data and device integrity, perform over‐the‐air software updates, and provide device non‐repudiation, among other things.
Deploying a proper PKI is no amateur task and talking to a third‐party expert with years of experiencing managing scalable PKI ecosystems is important.
Before you connect it, figure out how you’ll secure it.