The Cybersecurity Risks of Mobile-First Hotel Technology

Features like contactless check-in and app-based room keys have provided guests with a seamless and safe hotel experience. However, it is important for hotel executives to be aware of the cybersecurity risks associated with mobile technology and the ways that cybercriminals can exploit these features for profit.
6/6/2023

The World Health Organization has officially declared that the COVID-19 pandemic is over, but many of the digital features that hotels implemented during the pandemic, such as mobile check-in, contactless payments, and app-based room keys, are here to stay. While these technological advances have improved the physical safety of guests, they are also an attractive target for cybercriminals, increasing the risk of cyber attack.

Cyber Attacks Targeting Hospitality

Hotels are seen as a lucrative target for cybercriminals due to their high volume of online transactions, loyalty accounts, and the amount of personally identifiable information (PII) and customer-related information they store. They also rely on a number of third-party vendors, which results in a frequent transfer of sensitive data. Compromise of one of these third parties could result in the attacker gaining access to the networks of the hotel chains they partner with, widening the data pool and increasing potential profit.

Often, these attacks begin with some type of social engineering, such as phishing, in which an attacker sends an email containing malicious links designed to introduce malware into the company network. From there, the attacker may exfiltrate data such as customer information and financial records, either for their own use or to sell on the dark web, or they may deploy ransomware in an attempt to extort the hotel. Ransomware cases usually involve not only the exfiltration of data but also the shutdown of company systems, preventing the organization from doing business.

Adoption of Mobile Technology in Hotels

A recent study by the guest engagement and integration platform Criton found that 80% of customers would be willing to download a hotel app in order to enable a contactless experience. Mobile apps offering contactless check-in and keyless room access have been crucial to the industry’s survival and resurgence, leading hotel brands to incorporate more and more of their services into these applications. Now, on many major hotel apps, guests can take a virtual tour of the facilities, book a reservation, check in, find local dining, contact the front desk, unlock doors, and check out, all from one convenient location. White-glove service has been replaced with hands-off service as the new industry standard for a positive guest experience.

The challenge for security teams, however, is to ensure that this increase in mobile app usage does not come with an increase in cybersecurity risk.

Mobile App Room Keys

One of the benefits for customers of using a hotel’s mobile app is the ability to enjoy contactless check-in by using their phone as their hotel room key. While this is convenient for both the guest and the short-staffed front desk, it poses yet another opportunity for cybercriminals.

When a guest receives their confirmation email, they are prompted to download your mobile app. The property management system lets the app know when the guest is checking in and sends a secure digital key to the user’s phone, allowing them to use their phone as their key for the duration of their stay.

The password on the user’s phone acts as a first line of defense against use of the key if the phone is stolen. The user can also require a password or ID to use the app to unlock the door, adding a second layer of password protection. Then there are the security measures related to the transmission and storage of the mobile key. The mobile key should only be transmitted when the smartphone is within range of the lock, and that transmission should be encrypted using modern encryption standards.

The key information also needs to be stored securely before it is transmitted to the phone, that is, while it sits in your property management system, as well as after it arrives on the user’s phone, where it should be held in a secure key vault within the mobile app. The mobile key solution you use also needs to be able to revoke access immediately upon checkout and to keep an audit trail, so that you can investigate suspicious activity.
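To make the controls listed above concrete, here is an added example (not code from the original article or from any vendor's product) that models the lifecycle of a digital room key: the PMS mints a key bound to one room and one stay window and signs it with an HMAC, the lock accepts it only when the phone is in range and the signature, room, stay window and revocation status all check out, checkout revokes the key, and every attempt lands in an append-only audit trail. The shared secret, the field names and the `in_range` flag (standing in for the encrypted short-range exchange) are assumptions made for the example.

```python
from __future__ import annotations
import hashlib, hmac, json
from dataclasses import dataclass, field

# Constructed demo secret shared by the PMS and the lock firmware (assumption; rotate real secrets).
PMS_SECRET = b"constructed-demo-secret-do-not-reuse"
FIELDS = ("room", "stay", "nbf", "exp")

def _mac(body: dict) -> str:
    # Canonical JSON so PMS and lock sign exactly the same bytes
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(PMS_SECRET, msg, hashlib.sha256).hexdigest()

def issue_key(room: str, stay_id: str, check_in: int, check_out: int) -> dict:
    """PMS side: mint a key valid only for one room between check-in and check-out (epoch seconds)."""
    body = {"room": room, "stay": stay_id, "nbf": check_in, "exp": check_out}
    return {**body, "mac": _mac(body)}

@dataclass
class Lock:
    room: str
    revoked: set = field(default_factory=set)   # stay ids revoked at checkout
    audit: list = field(default_factory=list)   # append-only audit trail

    def revoke(self, stay_id: str) -> None:
        """Called by the PMS at checkout; the key is dead immediately, not at its natural expiry."""
        self.revoked.add(stay_id)
        self.audit.append({"event": "revoke", "stay": stay_id, "room": self.room})

    def try_unlock(self, key: dict, now: int, in_range: bool) -> tuple[bool, str]:
        """Lock side: verify every control and record the outcome, whether it succeeded or not."""
        body = {k: key.get(k) for k in FIELDS}
        if not in_range:
            reason = "phone not in range of lock"
        elif not hmac.compare_digest(_mac(body), key.get("mac", "")):
            reason = "bad signature"          # tampered or forged key
        elif key["room"] != self.room:
            reason = "wrong room"             # genuine key presented to another door
        elif key["stay"] in self.revoked:
            reason = "key revoked"            # guest already checked out
        elif not key["nbf"] <= now < key["exp"]:
            reason = "outside stay window"
        else:
            reason = "ok"
        self.audit.append({"event": "unlock", "stay": key.get("stay"), "room": self.room,
                           "at": now, "result": reason})
        return reason == "ok", reason
```

Reviewing `lock.audit` after the fact is what lets an investigator distinguish a forged key from a guest trying the wrong door or an attempt after checkout.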

Property Management Systems (PMS)

Whether hotels have adopted mobile app keys or are still using key cards, the digital key for guests’ rooms must be verified and issued from a property management system (PMS). These systems are an attractive target for cybercriminals as they interface with numerous other services in the property’s IT environment, allowing them to serve as a gateway to valuable information such as financial data and customer records containing PII.

In response to this threat, the National Institute of Standards and Technology (NIST) worked in collaboration with the hospitality community to release a document offering guidance on improving the security of your PMS. This publication outlines an ideal system implementation, including controls that you should put in place to limit system access and lateral movement through your network should an attacker gain access to one piece of your IT infrastructure. Security teams can use this guide to make tactical improvements, and executives can gain a greater understanding of the risk that property management systems pose.

Wi-Fi

As mobile and IoT devices become essential, guests need reliable hotel Wi-Fi more than ever, but Wi-Fi networks can be another source of cyber risk for hotels and their guests.

DarkHotel is an advanced persistent threat group known for using hotel Wi-Fi networks to gain access to specific targets. These attacks often begin with a phishing email containing malware that, once launched, is used to scan reservations for high-value targets such as political figures or business executives. Attackers then compromise the Wi-Fi network prior to the targeted guest’s stay in order to install malware on the victim’s computer and exfiltrate their data.

Once again, preventing this type of attack comes back to having security best practices in place, such as systems and training to prevent successful phishing attempts. Another important protective measure that limits the scope of these attacks is separating your guest Wi-Fi from your business Wi-Fi, so that an attack on one does not as easily compromise the other.

Defending Against Cyber Attacks

Modern hotel technologies like mobile-based keys and IoT devices offer numerous benefits to both the customer and the business, but only when proper security measures are in place.

While attacks on mobile phone key systems may not be widespread yet, cybercriminals are known for adapting their attacks to exploit the latest technology, so it is likely only a matter of time before these systems come under greater scrutiny. Hotel business leaders can get ahead of this risk by working with their third-party vendors to ensure that their key system, their property management system, and any integrations between them are as secure as possible. The security team should also be collaborating with your internal application security team or outsourced development team to ensure that your mobile app is following mobile application security best practices.

Finally, make security a part of your company culture. The majority of breaches come from a successful phishing attack or compromised credentials. Ensure that your email security solution is preventing modern targeted attacks, and that you are providing security awareness training to your staff.

ABOUT THE AUTHOR
Suzie Squier is the president of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), a global, non-profit organization whose mission is to build a collaborative sharing community that enables consumer-facing organizations to strengthen information security capabilities and defend against cyber threats. Prior to joining the RH-ISAC, Squier was senior executive vice president of member services for the Retail Industry Leaders Association (RILA) where she established the RH-ISAC (then named the Retail Cyber Intelligence Sharing Center) in 2014. She has spent her career working in non-profit membership organizations. She is a member of the National Council of ISACs and a graduate of the University of Maryland.