Analyzing Hilton's decision to allow guests to use smartphones as room keys

Move seen by experts as a validation of the industry’s push towards more mobile access solutions


Last month, Hilton Worldwide, which operates more than 4,000 hotel and timeshare properties in 93 countries around the world, announced that it would allow guests to use their smartphones as room keys as part of its new digital strategy. In a statement, Christopher J. Nassetta, president and chief executive officer of Hilton Worldwide, said that the company has spent the past several years testing different options to make this a reality and that they are "developing proprietary technology" that is safe, reliable and cost-effective.

The access control industry, as a whole, has been pushing smartphones as the "keys of tomorrow" for several years. However, the implementation of these solutions, be it through the use of near field communications (NFC) or Bluetooth technology, has been slow to materialize.

The fact that a major hotel chain like Hilton will have the majority of its 650,000-plus rooms worldwide equipped with this technology by the end of 2016 could be a game changer for the industry moving forward.

"The smartphone access control business, from our perspective, is growing nicely," said Paul Bodell, president and CEO of ECKey, which designs and manufactures smartphone access control systems. "Anytime an end user acknowledges that cards are antiquated… it’s beneficial to our business and the smartphone access control industry as a whole."

Terry Gold, founder of IDanalyst, a vendor-neutral research and advisory firm focused on security, identity and privacy, said that while Hilton’s announcement does indeed validate the trend that the access market is going mobile, it does not validate the technology itself, which he believes is still unsecure in terms of its exploitability.

"At the end of the day, in my opinion as an analyst, we all know mobile is where (the market) is going. Each one of us, we want everything on our mobile," explained Gold. "I think Hilton’s announcement just further validates large organizations agree with that and they see the same thing from their consumers. I think it validates the culture, the demand, the direction, but they have not disclosed the technology that they plan to do this with. What were the controls? They mention that they’re going to be using proprietary technology. We don’t know if that is something they’ve completely developed or partially developed. But, what we do know about mobile is that it is incredibly unsecure right now. The mobile platforms are very unsecure in terms of being able to exploit them."

According to Bodell, there are really two ways to approach the mobile access market. The first is using Wi-Fi as a connection and having readers connected to panels that tie into a network which then connects to an app on a phone. Bodell said that many people are still comfortable with this as a viable option. The other option is to go with a smartphone-based access system which eliminates the need for panels, servers and network connections at the site, as the reader essentially becomes a "dumb actuator" and all of the intelligence is done remotely through the phone.

Although he characterized the mobile world as a "complete Wild West" where there really is no governance or regulation, Gold did say that smartphone access would be an improvement over current hotel door security methods, which typically employ magstripe card readers.

"We know that magnetic stripe is not secure at all from a card standpoint," added Gold. "But the locks actually function differently from an access door reader, so you can copy the credential. Manipulating the lock is a little bit different but it can be done. We don’t have insight into whether Hilton is going to use the same lock methodology of how those keys actually work, because those locks generally don’t call an access control system, it uses a time and counter which is how they work, so are they going to make their locks call some type of central access control? That would be the efficient way to do it. If they do that, it opens up some other possibilities and expands the attack surface. I think mobile is great, it all depends on a) how it’s implemented, b) how it’s validated, and c) what is the risk assessment relative to the controls and demands of security."
