Guest-facing apps are one of the most visible and high-profile rising trends in the hospitality sector. They give guests access to hotel information, services and in-room dining, and let them control the room environment, such as the lights, AC or TV.
NB: This is a perspective by Florian Kriechbaumer, Product Development Director, iRiS Software Systems.
By now there is little doubt that this concept will become a de facto standard in the industry. Indeed, 95% of guests believe that, by 2020, hotels ‘will increasingly look to new technologies to drastically increase efficiency, reduce costs, and improve service’ (Fast Future).
The security concern: Unauthorized access and control
However, a recent incident in a hotel in China has sparked concerns about the implementation of such applications from an IT security perspective.
During the incident, a hacker was able to control lights, curtains and AC in other rooms from his computer by intercepting the traffic from the tablet to the room control server. The attacker was able to read, modify and repeat the commands to his liking. By revealing the ability to take control of room functions via a guest app, the hacker demonstrated one of the potential security vulnerabilities in this space.
And while it's not always mission-critical, having a third party take over one's room is a creepy and invasive experience that no hotel brand wants for its guests. Destruction of trust and safety are very real threats to brand integrity.
When securing guest-facing apps from potential breaches, there are five primary concerns from an infrastructure perspective that need to be taken into account to prevent such scenarios.
#1: Room-paired tablets or BYOD?
Initially, IT Managers should consider the two common deployment scenarios of such applications: a tablet in the room, owned and managed by the hotel, or a downloadable application accessible on the guests’ own devices (BYOD).
Guest engagement on room-paired devices is typically higher, whereas BYOD lowers cost and allows guests to use the application outside the hotel or prior to and after their stay.
#2: Data flow
In both scenarios, it is important to consider the connection of the applications to the hotel’s internal systems, such as the Property Management System, Point of Sale or Room Control devices.
How do these devices connect to the hotel’s backend server where content and other functionality of the application is managed and processed?
For a tablet that is paired to the room, best practice includes using a dedicated, hidden, and password-protected SSID to connect to the network via WiFi, contained within a trusted VLAN zone and separate from the guest network. This isolates the application's traffic, so an intruder on the guest network cannot intercept data and commands.
BYOD apps bring additional complexity here, as the devices connect to the backend server over the public WiFi or 3G rather than over a network the hotel controls. Here, additional measures to authenticate devices should be put in place; for example, a guest can only control the lights after entering a PIN that is shown on the TV and reset for every guest at checkout.
#3: Secure communication
IT Managers should ensure that their application vendors encrypt all traffic between the tablet and the backend server using SSL, so that, should an intrusion occur, anyone with malicious intent cannot read the commands being sent or replay them against other rooms, for instance.
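To illustrate the device-authentication point in #2 and the replay concern in #3, the following is an added example written for this page; it is not code from the original article or from iRiS. It sketches a minimal room-control backend that pairs a BYOD device to a room via the PIN shown on the TV, then accepts only commands that are signed with that session's key, carry a strictly increasing counter, and target the paired room. The class and its counter scheme are assumptions, not a description of any vendor's product.

```python
import hmac
import hashlib
import secrets


class RoomControlBackend:
    """Hypothetical backend: PIN pairing plus replay- and cross-room-resistant commands."""

    def __init__(self):
        self.room_pins = {}   # room -> current PIN (reset at checkout)
        self.sessions = {}    # token -> {"room", "key", "last_ctr"}

    def checkin(self, room):
        """Generate a fresh PIN for the room; in practice the in-room TV would display it."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self.room_pins[room] = pin
        return pin

    def checkout(self, room):
        """Reset the PIN and drop every session paired to the room."""
        self.room_pins.pop(room, None)
        self.sessions = {t: s for t, s in self.sessions.items() if s["room"] != room}

    def pair(self, room, pin):
        """Exchange a correct PIN for a session token and a per-session HMAC key."""
        if not hmac.compare_digest(self.room_pins.get(room, ""), pin):
            return None
        token, key = secrets.token_hex(16), secrets.token_bytes(32)
        self.sessions[token] = {"room": room, "key": key, "last_ctr": 0}
        return token, key

    @staticmethod
    def sign(key, room, action, ctr):
        """MAC over room, action and counter; the client computes this before sending."""
        msg = f"{room}|{action}|{ctr}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def command(self, token, room, action, ctr, mac):
        """Accept only a fresh, correctly signed command aimed at the paired room."""
        s = self.sessions.get(token)
        if s is None or s["room"] != room:
            return False   # unknown session, or command targets another room
        if ctr <= s["last_ctr"]:
            return False   # replayed or reordered command
        if not hmac.compare_digest(self.sign(s["key"], room, action, ctr), mac):
            return False   # command altered in transit
        s["last_ctr"] = ctr
        return True
```

Transport encryption as in #3 still protects the PIN, token and commands in transit; this check is the server-side authorisation beneath it, which stops a legitimately paired device from issuing commands for a room it is not paired to.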
#4: Cloud or on-property server?
IT Managers should keep in mind that cloud-based deployments typically come with a number of benefits in terms of maintenance and support. Nevertheless, there are scenarios where local servers might be preferable, such as geographic locations with poor Internet connectivity.
#5: Third party systems
It is also good practice for any connection from the application on the device to a third-party system in your hotel to run via a central backend server, rather than allowing each device to connect directly and independently to your business-critical systems.
This ensures that a connection to the PMS, for example, can be easily secured, as it is limited to a single line of communication between the PMS interface machine and the server running the backend services to which the application connects in order to receive data. Such a connection can be protected via VPN, IP-based restrictions and by using vendors who inherently secure their interface APIs with appropriate authentication methods.
What's next?
In summary, practitioners looking after the implementation of an application for their hotel need to ensure that the chosen provider can supply appropriate data flow documentation that covers the above points. In addition, they should be able to illustrate their approach to security of the communication between tablet, application server and third party systems.
Given the issues that have surfaced, this due diligence is essential when considering a vendor. In practice, a detailed RFI process involving all appropriate stakeholders of the property is essential and can ease the task of obtaining the information from vendors and subsequently drawing comparisons between shortlisted application providers.