As AI in Hotels Advances, So Too Should Cybersecurity Posture
The Henn na Hotel in Japan is the first hotel to be fully equipped with robots: The front desk is manned by a humanoid female, an adorable bot dinosaur helps with on-boarding, while porters (also bots) help to move guests’ luggage into their rooms. Some may find this odd (and in fact, the hotel name translates to the ‘Strange Hotel’), but there are some major cost savings related to using this technology – not just in time, workforce and energy savings for the hotel, but also savings for guests – the estimated cost for a stay for a night is around $73.
While Artificial Intelligence is being embraced by many brands for a more convenient customer experience (think Starbucks, Taco Bell, Lowe’s and even Sephora), the hospitality industry is quickly learning that it doesn’t come without risk. Security engineer Lance R. Vick learned this firsthand after making public a vulnerability he discovered at the Henn na Hotel.
The Details of the Breach
Since the public has caught wind of the incident, the hotel chain has announced that it recently made a modification to 100 egg-shaped bedside robots to prevent an exploit that would give hackers in-room camera and mic access. Vick took to Gizmodo to explain what happened:
“I wear an NFC ring, and as I was exploring the back of the device with my hands, it generated a ‘boop’ – evidence of a hidden NFC reader. I put my ring on the area again, which has an embedded URL. Sure enough, the screen broke out of the ‘eyes’ app into the main Android interface and launched a browser. From there, I found a random APK file which prompted the ‘go to settings to enable untrusted apps’ notification, with a link to the ‘Settings’ app. I was then able to check ‘enable untrusted apps,’ install any app I wanted and set up said app to run on boot. In the most obvious and dangerous case, I could have installed VLC or another network streaming app to spy on future guests.”
In short, the bed-facing robot at the hotel can be converted to offer anyone remote camera and/or mic access of its future guests. After Vick initially warned both the hotel and vendor (the devices are manufactured by MJI Robotics), he took to Twitter to express his concerns over the lack of immediate action.
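As a defensive check against the chain Vick describes (an NFC tag hands off to a browser, sideloading gets enabled, an extra app is installed), the following added example audits a kiosk device for each open link; it is not code from the article, the hotel or the vendor. The sample outputs, package names and allowlist are constructed, and it assumes a legacy Android build where sideloading is the single `install_non_market_apps` toggle.

```python
# Added example: audit a kiosk-mode Android device for the breakout links described above.
# All sample data, package names and the allowlist are constructed for illustration.

# Constructed sample in the key=value format of `adb shell settings list secure`.
SECURE_SETTINGS = "install_non_market_apps=1\nscreensaver_enabled=0\n"

# Constructed sample in the format of `adb shell pm list packages`.
PACKAGES = """package:com.example.kiosk.eyes
package:com.android.browser
package:org.example.streamer
"""

# Hypothetical allowlist: the only packages the kiosk image should carry.
ALLOWLIST = {"com.example.kiosk.eyes"}


def parse_settings(text):
    """Turn key=value lines into a dict, skipping malformed lines."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {key: value for key, sep, value in pairs if sep}


def parse_packages(text):
    """Extract package names from 'package:<name>' lines."""
    prefix = "package:"
    return {l.strip()[len(prefix):] for l in text.splitlines()
            if l.strip().startswith(prefix)}


def audit(settings_text, packages_text, allowlist, nfc_reader_active):
    """Return (code, detail) findings, one per open link in the chain."""
    findings = []
    if nfc_reader_active:  # assumption: established by physical inspection
        findings.append(("nfc", "tag with a URL can hand off to another app"))
    # Legacy global sideloading toggle (assumes a pre-Android 8 build).
    if parse_settings(settings_text).get("install_non_market_apps") == "1":
        findings.append(("unknown_sources", "sideloaded APKs can be installed"))
    for pkg in sorted(parse_packages(packages_text) - allowlist):
        findings.append(("unexpected_package", pkg))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SECURE_SETTINGS, PACKAGES, ALLOWLIST, True):
        print(f"{code}: {detail}")
```

A clean image should return an empty list; any finding marks a link in the chain that is still open.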
H.I.S. Hotel Group (parent company of Henn na Hotel Maihama Tokyo Bay) acknowledged the breach, responding only with a short, “We apologize for any uneasiness caused.”
The Implications of the Vulnerability
According to the hotel chain, unauthorized access to the bedside robots (named Tapia) gives guests the ability to view the room remotely. While the bots offer helpful information such as weather and online shopping, they also allow guests to connect their smartphones.
H.I.S. has also noted that there is no evidence of foul play and that it has undertaken maintenance plans. According to the reporter who first broke the story:
“This was not the first time that the chain had become aware of the possibility of unauthorized access to its Tapia robots. On July 6, the chain received an email from a guest who pointed out a ‘security vulnerability’ in the robots.
After the development company behind the Tapia robots was contacted, it was determined that ‘the risk of unauthorized access was low,’ according to TV Asahi. The company also determined that the motivation of the guest was a monetary return. However, the network points out, the company put its guests at risk for three months.”
Best Practices for AI Risk
McKinsey & Co. released an April 2019 article titled ‘Confronting the risks of artificial intelligence,’ which discusses mitigating the risks of applying AI and advanced analytics in the enterprise. The article notes that the potential for AI is enormous (McKinsey Global Institute research suggests that by 2030, AI could deliver additional global economic output of $13 trillion per year), and it also reminds the hospitality industry that cybersecurity posture must advance at the same pace.
There are data difficulties to watch (think CCPA), technology and process issues that can have a negative impact, the risk of models creating problems (by delivering biased results, for example), and even interaction issues between people and machines. But McKinsey offers three core principles to help:
- Use a structured identification approach to pinpoint the most critical risks.
- Institute robust enterprise-wide controls.
- Reinforce specific controls depending on the nature of the risk.
As AI advances within the hotel industry, cybersecurity cannot be forgotten. By sharing best practices like those learned from the Henn na Hotel vulnerability, executives can better protect themselves from the potential risks that come with this new technology. Until then, independent security analyst Graham Cluley warns, "Maybe privacy-conscious guests would be wise to not place too much trust in gizmo-obsessed hotels, and if they do find themselves booked into such a bonkers hotel room unplug any unnecessary robot gadgets."