Analyzing Hilton's decision to allow guests to use smartphones as room keys

Aug. 11, 2014
Move seen by experts as a validation of the industry’s push towards more mobile access solutions

Last month, Hilton Worldwide, which operates more than 4,000 hotel and timeshare properties in 93 countries around the world, announced that it would allow guests to use their smartphones as room keys as part of its new digital strategy. In a statement, Christopher J. Nassetta, president and chief executive officer of Hilton Worldwide, said that the company has spent the past several years testing different options to make this a reality and that they are "developing proprietary technology" that is safe, reliable and cost-effective.

The access control industry, as a whole, has been pushing smartphones as the "keys of tomorrow" for several years. However, the implementation of these solutions, be it through the use of near field communications (NFC) or Bluetooth technology, has been slow to materialize.

The fact that a major hotel chain like Hilton will have the majority of its 650,000-plus rooms worldwide equipped with this technology by the end of 2016 could be a game changer for the industry moving forward.

"The smartphone access control business, from our perspective, is growing nicely," said Paul Bodell, president and CEO of ECKey, which designs and manufactures smartphone access control systems. "Anytime an end user acknowledges that cards are antiquated… it’s beneficial to our business and the smartphone access control industry as a whole."

Terry Gold, founder of IDanalyst, a vendor-neutral research and advisory firm focused on security, identity and privacy, said that while Hilton’s announcement does indeed validate the trend that the access market is going mobile, it does not validate the technology itself, which he believes is still unsecure in terms of its exploitability.

"At the end of the day, in my opinion as an analyst, we all know mobile is where (the market) is going. Each one of us, we want everything on our mobile," explained Gold. "I think Hilton’s announcement just further validates large organizations agree with that and they see the same thing from their consumers. I think it validates the culture, the demand, the direction, but they have not disclosed the technology that they plan to do this with. What were the controls? They mention that they’re going to be using proprietary technology. We don’t know if that is something they’ve completely developed or partially developed. But, what we do know about mobile is that it is incredibly unsecure right now. The mobile platforms are very unsecure in terms of being able to exploit them."

According to Bodell, there are really two ways to approach the mobile access market. The first is using Wi-Fi as a connection and having readers connected to panels that tie into a network which then connects to an app on a phone. Bodell said that many people are still comfortable with this as a viable option. The other option is to go with a smartphone-based access system which eliminates the need for panels, servers and network connections at the site, as the reader essentially becomes a "dumb actuator" and all of the intelligence is done remotely through the phone.

Although he characterized the mobile world as a "complete Wild West" where there really is no governance or regulation, Gold did say that smartphone access would be an improvement over current hotel door security methods, which typically employ magstripe card readers.

"We know that magnetic stripe is not secure at all from a card standpoint," added Gold. "But the locks actually function differently from an access door reader, so you can copy the credential. Manipulating the lock is a little bit different but it can be done. We don’t have insight into whether Hilton is going to use the same lock methodology of how those keys actually work, because those locks generally don’t call an access control system, it uses a time and counter which is how they work, so are they going to make their locks call some type of central access control? That would be the efficient way to do it. If they do that, it opens up some other possibilities and expands the attack surface. I think mobile is great, it all depends on a) how it’s implemented, b) how it’s validated, and c) what is the risk assessment relative to the controls and demands of security."

For the market to truly reach the tipping point, Bodell said that it is going to take companies in the industry raising awareness that smartphone-based access systems are cheaper than card-based solutions and more secure.

"Once end user awareness increases that ‘yes, cards and FOBS and keypads have outlived their usefulness and we want to move over to something smarter,’ that’s the tipping point," explained Bodell. "Every time a Hilton or Marriott or any of these companies come out with an announcement that says exactly that, ‘we realize people are tired of cards, they’re administratively burdensome, they’re expensive and they’re unsecure, but the phone addresses all of those issues.’ As long as that happens… I think (the tipping point) will come pretty quickly."

Bodell emphasized, however, that people should not become so focused on new technologies that they forget about the customers they’re currently serving.  

"I think the most important thing that anyone has to understand is that technology is cool, but you can get too far out ahead of the market if you’re focusing just on technology," concluded Bodell. "What we’ve learned over the last couple of years since we moved our operation to the U.S. is that it would be really easy and nice to have a (smartphone access) system if the whole world had the latest and greatest iPhone. But the reality is… it’s still going to take five, six or seven years for there to be broad commercial adoption of those technologies. If you look at the U.S. today, 30 percent of the phones in use are not even smartphones, and if you look globally, 70 percent of the phones out there are not smartphones. We’re planning for the future with new and advanced technologies and, in order to satisfy customers today, we have to deal with what’s installed."  

Gold said that implementing mobile access capabilities is a good business move on the part of enterprises, as it provides a convenience factor on top of the access control infrastructure they already have in place.

"They’ve already replaced keyed locks with cards. If you look at Hilton, they already have cards for access. They don’t have keyed locks, at least most of them don’t," said Gold. "So, they’re not trying to replace the keyed lock; there’s more of a convenience and tying in with the business process, their workflow, analytics and intelligence and more on-demand services that are quicker and faster. I think they’re looking at the technology now saying, ‘we’ve built up all of these services, we have intelligence layers, we’re not really connecting the mobile experience or mobile apps to how people use them and what intelligence and services we can provide back.’ I think they feel the technology in mobile is probably ready enough. Perhaps they are waiting for their own (product) development to get it to that point."