Why hackers target smart rooms

Nov 14, 2022 | Blog

With so many IoT devices connected to the internet and hotel servers, hackers will exploit weak points unless hotels take extra care

The proliferation of data in smart hotels has made security an even greater concern for hoteliers. Skilled hackers have always exploited vulnerabilities in data systems and even major groups like IHG, the Hilton and the Marriott have been compromised. With the Internet of Things (IoT) increasingly embedded in hotels, the amount of vulnerable personal data collected has increased exponentially.

Connecting rooms

In smart hotel rooms, everything from smart TVs, to light switches, thermostats and alarm clocks can be connected to the internet, the hotel’s servers and guest devices. The Marriott hotel group, for example, claims to have nearly 2,000 connected rooms in the US and is constantly adding more.

Guests enjoy the high-tech convenience and it brings in more revenue for hotels. But there’s a downside. Connected devices are generally vulnerable to security breaches. The sheer number of IoT devices in hotel rooms, which will only increase, provides hackers with significant opportunities to invade guests’ privacy and access their personal devices.

Ethical hackers expose risks

Ethical hackers have done a good job exposing vulnerabilities. When a researcher at security experts LEXFO was irritated by a noisy neighbour in a hotel, he hacked into his room at night. He taught him a lesson by turning his lights on and off and making his bed collapse.

The researcher told the Black Hat USA 2021 conference how he hacked the iPads controlling the room and found six vulnerabilities. He informed the hotel and they fixed the weaknesses.

Causing chaos

But the threats are even greater now. There was an eloquent illustration of the new data vulnerabilities from so-called white hackers at Black Hat USA in Las Vegas in 2019. The German team, called the Chaos Computer Group, hacked into a high-end hotel through an IoT-connected mobile key system that guests used in lifts, rooms and fitness centres. The warning should be clear to all hotel owners.


Even when ethical hackers reveal risks, hotels can be complacent. A couple of years ago, security researcher Lance R. Vick hacked into customer service robots at Henn-na Hotel in Nagasaki and made them spy on guests by controlling their cameras and microphones. Vick told the hotel, but they did nothing for 90 days and he went public.

Hoteliers tend to hush up details of hacks of IoT devices, but the scale of attacks suggests they’re happening often. According to security experts Kaspersky there were 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Kaspersky says 43% of businesses fail to protect their full suite of IoT devices.

Famous hacks

September 2022, Holiday Inns by IHG was hit by a cyber-attack as it investigates “unauthorised access” to a number of its technology system causing disruption for “booking channels and other applications”. One of the most famous extraordinary cases involved hackers using a connected fish tank in a North American casino hotel to access the data of high-rolling gamblers in 2017. The hackers gained entry to the hotel servers through the fish tank’s thermostat. They extracted 10GB of personal data to a device in Finland.

An even more shocking example was when hackers spied on private discussions about the Iran nuclear deal at a five-star hotel in Geneva in 2015. One of the hackers’ methods was to access the talks through smart TVs in the meeting rooms.

High-profile brands still vulnerable

Guests might feel protected from hackers if they stay at hotels run by reputable household brands. But the evidence suggests any hotel can be hacked. Starwood Hotels was compromised in 2014, but the hack went unnoticed until 2018. By that time, Marriott owned the group. The hackers had been in the system for years ransacking hundreds of millions of pieces of data, including passport numbers, VIP status, email addresses and phone numbers.

Another big name, Hyatt, suffered compromised data in 2017 when hackers succeeded in accessing payment card information worldwide. The data was stolen from cards manually entered or swiped at the front desk. Similarly, Radisson suffered a data breach in 2018 that exposed personal details, including names, home addresses and email accounts.  

In March 2022, “Conti” hacker group breached the internal IT systems of German hotel group – Welcome Hotels – and as a result had to install an entirely new IT system. 

The main weak points

Weak points in hotel systems can be loopholes in software, or poorly designed network systems that hackers can exploit. But there are also major threats from careless employees who leave computer systems logged on, or use their personal devices for official tasks.

Other important threats come from malware sent to inadequately protected hotel computers, the careless disposal of personal data without strong security measures, and insider threats from untrustworthy employees.

Six ways to protect your data
So what can hotels do to mitigate the risks?

Trustworthy tech partners

  1. A priority is to work with technology companies that take care to comply with all data security standards, such as SIHOT, the PMS provider. SIHOT also has the advantage of having locally-based data centres, which helps to mitigate against the theft of information.

Cyber-security training

  1. Employees represent one of the biggest vulnerabilities of the system. They need training from an expert about cybersecurity and information security. For example, they should be taught how to identify phishing email attacks. Many hotels fail to carry out routine training.

Select the right security tools

  1. Use cybersecurity tools. It is critical to have high-performing security tools such as firewalls, network monitor, traffic filter, and anti-malware. Hotels should and choose the best ones for their budget and needs. It’s best to select a cybersecurity provider with expertise in IoT protection as well as network security. Take advice from security experts if you’re not sure.

Get the basics right

  1. It’s concerning just how many hotels fail to change the default usernames and passwords on all their devices. This is a basic security measure that you should adopt as a matter of course, or hotels will fall prey to botnet attacks.

Screen your staff

  1. Your staff should be carefully screened to make sure they don’t carry an insider threat. And don’t be too trusting of technicians, or maintenance teams coming in to work in the hotel. There should be no unauthorised access to connected hotel computers.

Isolate your IoT devices

  1. All your business operating devices should be placed on a network that operates separately from the hotel server. Any IoT devices that do not require internet access should be isolated from the worldwide internet. If there are private discussions in a room, it’s safest to unplug all TVs and VUIs.

SIHOT works with hotels as long-term partners to ensure technology provides efficiencies and protects the business from outside threats.