twitter facebook rss

Key Card Ransomware: News versus FUD

Posted by on January 30, 2017.

On the 28th January 2017, a news site reported that Hotel ransomed by hackers as guests locked out of rooms. The story initially claimed that a ransomware gang had been able to compromise systems in the Romantik Seehotel Jägerwirt in Austria including the key card registry system, even managing to lock guests into their rooms. The Local site later amended the article to explain that the claim that guests were unable to leave their rooms was ‘due to a misunderstanding’.

Bleeping Computer’s Catalin Cimpanu was rather more alert on the fact-checking front and pointed out that while :

Fire code regulations all over the globe mandate that electronic key locks to open manually from the inside, which means no guest was locked inside their rooms. Additionally, electronic key systems are also created to handle power failures, so there was a way to open the doors from the outside, meaning no one was locked out either.

Graham Cluley also added a healthy dose of scepticism to the mix

Why would a hotel announce that they had failed so spectacularly at securing their systems, and inconvenienced hundreds of their guests? Where were the quotes from aggrieved hotel guests who were locked in their rooms?

In fact, it appears that the hotel’s reservation and cash desk systems were also hit: the hotel opted to pay the €1,500 ransom so that they could confirm bookings and arrivals, generate new key cards and so on. But also hardened its security systems so that a fourth attack failed, and is planning to replace its electronic room locks with traditional non-electronic door locks as part of its next refurbishment. There’s a lesson there for anyone who hasn’t yet noticed that the Internet of Things is at best a mixed blessing…

Several of the sites that originally uncritically accepted the story about guests being locked in have, fortunately, updated their stories to make them more accurate. I suspect, though, that there are ‘fire and forget’ journalists and bloggers who have simply moved onto the next media sensation. Enough, perhaps, to inspire a successor to the long-lived but wildly inaccurate claims that hotel key cards contain personal information about the guest and so pose a threat to their financial security, though I sincerely hope not. Still, in a post-truth age of alternative facts and fake news…

Graham goes further, suggesting that:

 I wouldn’t be surprised to hear computer security firms trotting the dubious anecdote out as evidence of the danger posed by ransomware for years to come.

Well, he has a point. Personally, I’m waiting for hype-happy next-gen vendors (or their partners) to claim that this is another failure of mainstream security products and we should be using their products instead. (That started out as a tongue-in-cheek remark, but given some of the outrageously deceptive marketing and inverted logic that comes out of one or two companies in that space I have a feeling it might just happen.)

David Harley

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: David Harley | Tags: , , ,