How to Secure Internet-Connected Devices in the Hospitality Industry

In mid-February, I participated in a panel on securing Internet of Things (IoT) devices in the hospitality industry. The event was sponsored by CLM (Claims and Litigation Management).

Have you ever thought about how IoT devices are used in the hospitality industry? They are used in hotels much as they are in smart homes. Think about it: smart thermostats adjust room temperatures before guests arrive, smart irrigation systems control water flow remotely, monitoring devices watch over seasonal resorts that are closed in the off-season, smartphones act as door keys, connected alarm clocks keep the time correct in every room, and virtual concierge apps and connected speakerphones respond to spoken requests (a la Alexa). All of these devices have one thing in common: they communicate over the public internet. Each one extends a service either to the guest or to the property owner. Sounds great, right? What could go wrong?

Well, anything connected to the internet is at risk. In the case of these IoT devices, security was not top of mind when they were developed. Most were built without basic security principles such as device authentication, the ability to change default passwords, a secure update mechanism and a basic firewall. Unfortunately, consumer devices are built in a very competitive market where time to market and low cost are the primary factors. Security is an afterthought, seen as a “tax” rather than a necessity. Cybercriminals are always looking for entry points into a network, and these devices provide an easy one.

Who would take advantage of such weaknesses in the hospitality industry? Someone with motive and opportunity. Perhaps a disgruntled guest who happens to be a hacker, or a terminated employee with some computer skills. What damage could they cause? They could install ransomware, which locks out legitimate users until a ransom is paid to the attacker, frequently in a hard-to-trace cryptocurrency such as Bitcoin. They could compromise the devices by installing new firmware that turns them into remotely controlled bots.

Suddenly, sprinkler systems activate during a thunderstorm and room temperatures are turned up to 90 degrees in the summer. Seasonal resorts start receiving high utility bills when no one is there. The compromised devices could also be networked into a “botnet” and used to launch a Distributed Denial of Service (DDoS) attack on an external target. This is precisely how the Mirai botnet attack unfolded, taking down several companies and educational institutions.

During the discussion, the panelists collectively agreed on the following recommendations:

  1. If it doesn’t need to be connected to the internet, don’t connect it.
  2. Look for “mature” devices when sourcing solutions. Buy from vendors that have been in the market a while and not first generation products.
  3. Change default passwords immediately.
  4. Regularly update the firmware/software on the device.
  5. Regularly inventory IoT devices on the property so you know what you have in case of product recalls or updates. Ensure IT is managing them.
  6. In case of compromise, disconnect devices from the network and notify authorities as soon as possible. Do not power down until authorities tell you to do so.

IoT devices create an expanded attack surface for the hospitality industry, one that most properties are either unaware of or unprepared for. By following the recommendations above, the industry takes the right steps to ensure the safety and security of its hotels and resorts.

A Public Key Infrastructure (PKI) solution can help the manufacturers of these devices solve many of these issues. PKI provides several properties: authentication, integrity, non-repudiation and encryption. So, when it comes time to authenticate a device, perform an over-the-air software update or encrypt communications between devices, PKI’s role is clear. Most companies are not experts in deploying a PKI solution. DigiCert offers a complete outsourced service that frees manufacturers to build and sell products without worrying about the PKI lifecycle.
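To make the integrity and authentication properties concrete, here is an added example (not code from the panel, from DigiCert, or from any device vendor) of the device-side check that a signed over-the-air update should pass before it is flashed, covering both the secure-update gap described earlier and the PKI use case in this paragraph. It uses Go's standard library only; the vendor key, the attacker key, the `Update` layout, the function names and the firmware bytes are all constructed for the example. The signature covers the version number together with the image hash, so a modified image, an image signed by a key other than the trusted vendor key, and a genuinely signed but older image are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a firmware package as the device receives it over the air (constructed layout):
// a version number for anti-rollback, the image itself, and the vendor's ASN.1 ECDSA signature.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds the version and the image into one SHA-256 hash so that neither
// can be swapped independently of the other without invalidating the signature.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the manufacturer's release step: sign the digest with the vendor's private key.
func SignUpdate(vendor *ecdsa.PrivateKey, version uint32, image []byte) (Update, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, digest(version, image))
	if err != nil {
		return Update{}, err
	}
	return Update{Version: version, Image: image, Signature: sig}, nil
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify under the trusted vendor key")
	ErrRollback     = errors.New("firmware rejected: version is not newer than the installed one")
)

// VerifyUpdate is the device-side check run before anything is written to flash.
// Only the vendor public key provisioned at manufacture time is trusted.
func VerifyUpdate(trusted *ecdsa.PublicKey, installed uint32, u Update) error {
	if !ecdsa.VerifyASN1(trusted, digest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Scenarios runs the four cases a defender cares about and returns each verification outcome.
func Scenarios() (map[string]error, error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed vendor key
	if err != nil {
		return nil, err
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed untrusted key
	if err != nil {
		return nil, err
	}
	image := []byte("constructed firmware image v2")
	genuine, err := SignUpdate(vendor, 2, image)
	if err != nil {
		return nil, err
	}
	tampered := genuine // same signature, different bytes
	tampered.Image = []byte("constructed firmware image v2, modified in transit")
	forged, err := SignUpdate(attacker, 3, image) // valid signature, wrong key
	if err != nil {
		return nil, err
	}
	old, err := SignUpdate(vendor, 1, []byte("constructed firmware image v1")) // genuine but stale
	if err != nil {
		return nil, err
	}
	const installedVersion = 1
	return map[string]error{
		"genuine":  VerifyUpdate(&vendor.PublicKey, installedVersion, genuine),
		"tampered": VerifyUpdate(&vendor.PublicKey, installedVersion, tampered),
		"forged":   VerifyUpdate(&vendor.PublicKey, installedVersion, forged),
		"rollback": VerifyUpdate(&vendor.PublicKey, installedVersion, old),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered", "forged", "rollback"} {
		fmt.Printf("%-8s -> %v\n", name, results[name])
	}
}
```

In a real deployment the vendor public key would be embedded in the device at manufacture (ideally in a hardware root of trust) and the signing key kept in an HSM under the PKI service, which is exactly the lifecycle the paragraph describes outsourcing; the version check is what stops an attacker from re-serving an old, validly signed image that still has a known flaw.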
