

Hilton Hotel Guests Will Be Able to Use Smartphones as Keys or to Choose Rooms - trader
http://online.wsj.com/articles/hilton-books-upgraded-technology-1406503197

======
wwwwwwwwww
I look forward to reading the breakdown on how bad the security for this
system ends up being.

I can see it now - each lock would be connected to the hotel's wpa-wps network
(shared with the guests of course) and use a dhcp server without static routes
to assign IP addresses. Maybe if we're really lucky they'll be using some
consumer-grade cisco switch with last year's firmware update.

Snark aside, they have to be _really_ careful not to fuck this up. There's so
many potential attack vectors in this kind of system it's nuts.

~~~
superuser2
My favorite attack on hotel security is much simpler: the front desk will
willingly print you a key for _any_ room.

Hold out your keycard and ask for a duplicate. Do they take your card and
swipe it? No. They ask for your room number, type it into the magstripe
machine, and print you a key for whatever room number you just gave.

No electronics, skill, or even malicious intent necessary (you just "forgot"
your actual room number). Look and act like you belong, and make a run-of-the-
mill request. Discovered this by accident when I was ~12 and wanted to go to
the pool by myself. Never actually tried to get a card for another room, but
never had the desk actually verify my rights to the room when requesting an
extra keycard either.

~~~
cafard
Maybe if you're 12. This spring I had to present my ID to get a replacement
for a dead key in Philadelphia.

~~~
superuser2
No it still works. I mostly travel in the Midwest, though, so maybe security
standards are just a little lower in Lawrence, KS than the big cities.

------
omarali
non-paywall link
[http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd...](http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CDYQFjAA&url=http%3A%2F%2Fonline.wsj.com%2Farticles%2Fhilton-
books-upgraded-
technology-1406503197%3Fmod%3Dyahoo_hs&ei=f-nWU4eKIartigKe3YCYBg&usg=AFQjCNFcjyFQ8rmrFmCCsRcv2ITZdPu1hA&sig2=OT1a7qibk-
SPLsD-VVyz9g&bvm=bv.71778758,d.cGE)

~~~
spindritf
I use RefControl[1] and set it to always forge referral on online.wsj.com and
send [http://google.com](http://google.com).

[1] [https://addons.mozilla.org/en-
US/firefox/addon/refcontrol/](https://addons.mozilla.org/en-
US/firefox/addon/refcontrol/)

------
lihorne
I guess the obvious concern is with someone figuring out a way to turn any
smartphone into a key to enter any room; I'm guessing it would be easy to do
given access to the person's email? Hopefully they make sure that it's done
right the first time before any kind of incident.

------
drakaal
OR not AND? Man I guess if I have to choose I'll choose to use it as a key,
and pick my room via my laptop.

Now if you could use the smartphone to do both, You might be able to choose
the room to have keys to, even if that room was not yours.

Ok, more serious. I like the idea of this. I have several AirBnB properties,
and this could make my life a lot easier. Though at the same time my
Girlfriend always finishes the night with her iPhone completely dead, so it
could also make things a lot more complicated.

All in all I like the convenience, and fear the security.

