Securing the IoT: What Hoteliers Need to Know

The Internet of Things (IoT) has transitioned from buzz-word to business strategy. According to Juniper Research, some 38.5 billion IoT-enabled smart devices will be connected to the Internet by 2020, up from 13.4 billion in 2015. Not surprisingly, hotels are beginning to implement such devices — smart thermostats, lighting, and draperies, electronic door locks, and entertainment systems — to enhance the guest experience while improving operating efficiencies and controlling costs. However, much of the embedded firmware that runs on these devices remains unsecured. This could potentially leave hotel properties’ critical data even more vulnerable to the cyberattacks that already plague them. 

Here, experts share strategies for minimizing the risks inherent in an age of connected devices.

1. Learn how hackers harness unsecured IoT devices

Ted Harrington, executive partner at security research and consulting firm Independent Security Evaluators notes that in some cases, perpetrators tap directly into unsecured devices through the networks to which they are connected. Hackers then have a back door to other devices on that same network, enabling them to access data and transfer it to a chosen destination.

Several sources recount an incident of this type that occurred at an unnamed North American casino property. As reported by security firm Darktrace, criminals hacked into an unsecured, oversized fish tank that was being monitored via an Internet connection. Once “inside” the network, the perpetrators scanned it for other vulnerabilities. They then moved laterally across the network, accessing systems that contained several types of data that was then diverted to a device in Finland.  

In other situations, unsecured devices are hijacked en masse, bringing network traffic and IoT device activity to a standstill. Operators are then denied access to data and systems until the hackers’ demands are met. Such was the case at the Romantik Seehotel Jaegerwirt in Turrachehohe, Austria, whose electronic guest room locking system and front desk computers were recently infiltrated and rendered frozen by ransomware. Front desk staff could not program and issue key cards to arriving guests until the   hotel’s manager remitted 1,800 Bitcoin to end the DDoS attack. When the attack occurred in January 2017, one Bitcoin was valued at approximately $1,000 USD. As of November 2017, one Bitcoin is valued at approximately $7,500 USD.

Additional scenarios have involved successful attempts by hackers to access data provided by IoT devices to external websites hosted by their manufacturers, according to LG Electronics USA. There have even been instances where perpetrators posing as guests have hacked into properties’ databases by physically plugging their own devices into unsecured IoT devices in lobbies or other public areas.  

2. Exercise care when choosing IoT devices, vendors.

Purchasing only IoT-enabled devices that are intended for commercial installation is a must, says Jason McNew, CEO of cybersecurity consulting and services firm Stronghold Cyber Security. McNew and other sources note that commercial IoT-enabled devices typically incorporate more security features than IOT-enabled devices installed in homes. 

Jared Smith, a cyber security researcher at the Oak Ridge National Laboratory (operated by the U.S. Department of Energy), suggests vetting IoT vendors and shying away from any with multiple incidences of compromise in their records. Vendors that appear hesitant to commit to upgrading the security of devices and cooperating with hoteliers in doing so should be avoided, Smith advises.

3.  Adopt a multi-layered, multi-faceted approach to security

Contrary to what some operators may still believe, shoring up the security of IoT devices necessitates more than installing firewalls on network endpoints. A multi-layered, multifaceted approach is necessary to keep things airtight. 

Mushroom Networks recommends that in addition to installing firewalls to shield the sensors on IoT devices, hotels separate guest network traffic from business network traffic using software-defined architectures and multi-WAN firewalls or exploring other means of forging connectivity for IoT-enabled devices. This practice is critical given the fact that if networks remain unified, hackers could attack if a guest inadvertently connects their infected mobile phone, laptop computer, or other device to the infrastructure. If this option isn’t viable, operators should budget for the significant maintenance required to manage two entirely separate physical networks instead of one. The expense is worth it if it means avoiding a risky single-network configuration. 

A number of vendors have developed solutions designed specifically to support the use of software-defined networks and alternative means of establishing connectivity for IoT-enabled devices. FatPipe Networks ranks among the former, while Hologram touts an IoT connectivity platform.

Meanwhile, Harrington suggests that hotels adopt some form of IoT containment, wherein virtual, segregated “segments” exist within a single converged network. In this configuration, similar devices are grouped together and permitted to interface only with a select group of users and servers (IoT platforms). Network players like Alcatel-Lucent Enterprise have rolled out containment technology in recent years.

Starwood Hotels & Resorts practices IoT device containment, securing “secondary devices that might ride outside the administrative network in access-controlled, segmented zones,” says Edward C. (“Ted”) Hopcroft, director, IT, North America. Citing electronic door locking systems as an example of such devices, Hopcroft notes that containment makes it easier to restrict unauthorized access to IoT devices. It also supports a higher level of security because even if hackers infiltrate an isolated zone, they cannot use the IoT devices as an entrance to the network and the data that interests them.

Following a multi-layered approach to IoT security also means securing all devices that connect with other devices through the Internet, rather than just the obvious ones (e.g., IoT-enabled room locks, in-room energy management controls, draperies, and entertainment systems). IP-enabled video-surveillance cameras and digital signage systems fall into this category. In the fish tank hacking incident described in Tip #1, the perpetrators were able to steal 10 gigabytes of data from the property before being discovered. Security experts and vendors claim the incident would not have occurred had IoT security been extended to the tank in the first place.

“Hotel operators should consider solutions that prevent IoT devices from becoming vector points to access other parts of the hotel infrastructure by keeping tabs on their whereabouts and cutting off their functionality if something goes awry,” McNew states. For example, if a tablet installed in a guest room or meeting room to control such functions as lighting, temperature, or draperies is purposely or even inadvertently removed from that room, such technology would automatically disable it, potentially stopping an attack in its tracks.

4. Take additional precautions

Even a multi-layered, multi-faceted approach to security, coupled with networks, isn’t enough to completely guard IoT devices against hacking and other types of compromise. Re-setting default passwords on all devices is imperative, Smith observes, as is creating passwords that not only combine symbols with numbers and upper-and lower-case letters, but also exceed 26 characters in length. 

Absolute Software recommends that hotel operators ask themselves whether they truly are aware of which protocols and ports are communicating with each other on their networks. The rationale: There exist a handful of old protocols, such as KNX, that were not meant to be utilized in wireless configurations and afford no protection against sniffing and other attacks. Convergint advises its customers to utilize port-blocking technology. According to the company, many IoT devices also have universal plug-and-play (UPnP) ports. These ports should be disconnected because they can automatically poke “holes” in a router’s shield, making devices discoverable on the Internet and vulnerable to malware infection.

Authenticating devices and encrypting data should be standard procedure, points out McNew. Samsung offers an IoT management platform designed to streamline the process. Known as ARTIK, the platform uses a dual authentication to validate every IoT device on a given network; any device that does not properly authenticate is “walled off” from any other device on the same network. It also harnesses dual encryption as a data protectant.

Policies and procedures are also part of the precautions equation. Some hotels, including Starwood Hotels & Resorts properties, do not allow employees to use their own mobile devices for work purposes. 

“This way, we ensure that what’s connecting to our secure networks is properly managed, patched, and secured,” Hopcroft states. “For us, it’s the only way.”

As for other policies and procedures, sources advocate taking inventory of all IoT devices and, with the list in hand, creating policies that restrict access to individual devices and networks based on time of day, location, and roles/responsibilities. Network access management software should be used to govern any access at all times, Harrington advises.

5.  Test, test, and test some more

Some sources advocate building out and testing IoT solutions in a separate environment prior to going live, thereby ensuring that there are no security issues and allowing management and network issues to be handled proactively rather than reactively. Many of Samsung’s hotelier customers reportedly have set up “demo rooms” or experimentation centers where they explore new IoT options in a lifelike environment before undertaking a network integration project that may prove problematic for security or other reasons.

6. Don’t “set it and forget it”

IoT devices require continual monitoring in order to thwart hackers, Harrington says. Several vendors, including Aruba Networks and ZingBox, have introduced user and entity behavioral analytics (UEBA) solutions that harness machine learning and artificial intelligence to trigger an alarm when an IoT device starts acting unusually (for instance, an HVAC system suddenly begins to transmit large volumes of data to a location outside the hotel). Some solutions work in tandem with network access control systems to take an automated enforcement action when an attack is discovered, such as blocking, quarantining, or disconnecting all affected IoT devices from the network until remediation has been completed.

Finally, hotel operators must remain aware of firmware updates and the availability of new patches. 

“Get those on devices as close to the release as possible,” McNew advises. “Even with all the IoT security in the world, you have to stay a step ahead of the vulnerabilities.”