Imagine this: I’m a woman traveling through Europe by myself, and I’ve booked a night at a prestigious hotel. Because the room keys are digital, the hotel has requested that I download their app to my mobile device. I use my phone to unlock my hotel door, and because I’m traveling alone, my primary concern is to remain safe as any stranger can gain access to my room manually or digitally due to the digital key. So how can I protect myself digitally as well as in-person? In this blog, we’ll discuss the top 4 attacks on hotel mobile apps and how to prevent them.
Hackers are targeting Hotel Apps
With the pandemic dying down, millions of new travelers are booking flights, making hotel reservations, or paying for rideshare services through their mobile apps. Hotel apps have become an increasing target for hackers. After the retail industry, hotels have the second-highest number of breaches, according to PWC’s Hotel Report from 2018-2022. 74 percent of hotels, according to the same survey, lack breach protection. Hotels are attractive to hackers because they collect personal and financial data and have many data touchpoints, each of which could expose data. Hotel apps are evolving into Super Apps that offer numerous services such as payment methods, navigation, in-hotel event bookings, reservations, and more. Because hotel apps can be used for a variety of functions and features, hackers may see this as an opportunity to exploit them. Personal user data is even more sensitive due to the different functionalities and frequent data sent between partners on a hotel app. As a result, there is a considerable risk of personal user data being exposed, and hotel apps must fortify themselves to be professional and trusted.
How Hotel Apps Should Protect Against Security Threats
Many hotel apps are vulnerable to malicious threats due to their convenience and functionality but because they hold a high value such as your payment methods, and sensitive personal data, they are highly targeted by hackers. Also due to the easy nature of hotel apps and their bandwidth, hotel app security is neglected, exposing them to major flaws that can reveal passwords in plaintext, leak account credentials, and expose users to data collection, phishing attacks, and even cybercrime. Below are some of the top ways developers can protect hotel and travel mobile applications.
Travel Industry Cybersecurity Checklist – Top 4 Ways to Protect Hotel Mobile Apps
-
Prevent MiTM Attacks in Hotel Apps
In a Man-in-the-Middle Attack, hackers place themselves in between the mobile user and the remote service or server that the user is trying to reach. These two trusted parties believe they are conversing with one another, but they are just communicating with the hacker. A Man-in-the-Middle Attack can be carried out by hijacking the user’s session when they initially try to connect to their destination. Hackers attempted this session hijacking to encrypt and erase a well-known hotel’s internal guest reservation data to gain access to client information by utilizing disabled employee login credentials. Because hackers could easily access account passwords, payment card information, contact information, Loyalty account information, and current hotel selections, this posed an immediate threat.
To combat a Man-in-the-Middle Attack, we recommend implementing certificate validation or Certificate Pinning. These prevent Man in the middle attacks by validating the authenticity of the server certificate and dropping the connection if the certificate is not valid or does not match a known trusted certificate. Encryption should also be used to protect data at rest, as well as sensitive information that can be harvested from the application’s strings or app preferences.
-
Defend Hotel Apps Against Bypass Tools
Mobile apps connect to all sorts of external services. They connect to their host server to authenticate users, to download content, to connect to other mobile resources, and more. Researchers have shown that they could gain unauthorized access to the hotel backend servers by learning how the app’s authentication flow works and then masquerading as a legitimate endpoint in order to fake out the backend server into thinking it was legitimate. Once inside, the researcher modified the rewards program number in his request and was able to look up the reservation of any hotel guest. He obtained sensitive user information from the server, including the hotel name, the guest’s last name, the check-in date, and the reservation ID. This was all possible using open source tools and analyzing the app’s code and behavior using static and dynamic reverse engineering.
To prevent such an attack, you could use Mobile Client certificates that protect the mobile application’s servers or backend from compromised endpoints, such as malicious bots. The trusted client certificates are stored securely (encrypted) inside the mobile app. You can also protect your hotel app and its users’ identities by blocking malicious bots or endpoints from connecting to and/or reaching secured hosts and back-end servers.
-
Block Anti-Debugging Tools to Prevent Hacking of Hotel Mobile Apps
A hotel app is designed in a specific manner with unique algorithms and data. Unfortunately, there are malicious cyber attackers that want to steal, read, and change the unique code used to design your hotel’s app. Researchers at a conference were able to break into a guest room using a Man-in-the-Middle Attack as an inspection tool to capture important data, but the primary attack occurred when debugging tools were used. The hotel was using a mobile key system that featured doors with IoT locks and because the hotel’s mobile app communicated with these locks via Bluetooth Low Energy (BTLE), the researchers were able to collect and analyze the system’s BTLE traffic. They logged the traffic locally using Android devices and enabled ‘debug’ mode, activating the HCI snoop log. While on iOS devices, they installed the Apple Bluetooth Debug Certificate and used wireless sniffing to monitor traffic. They also analyzed credential packets to discover that the mobile key system was vulnerable to a key stealing attack, allowing them to bypass the vendor’s replay protection.
To protect your hotel app from debugging tools, we recommend blocking Debugging Tools on iOS and Android. Adding anti-debugging protection to your hotel app will block any debugging tool or hacker from reading and analyzing your hotel app’s code.
-
Protect Mobile Apps with Jailbreak and Root Detection
Hackers jailbreak iOS & root Android devices to unlock/control the OS and escalate administrative privileges. Once they control the OS, they usually try to disable security protection. A researcher recently hacked into 119 cubby rooms of a Japanese capsule hotel. His attack consisted of using a Man-in-the-Middle Attack to gather data such as the access point of the Nasnos remote device used to control the hotel room’s operations (lights, door, etc.) He used methods such as “patching” or “hooking” the app to disable the guided access to get full control of the device. His Man-in-the-Middle Attack captured exactly which commands signaled each of the remote’s actions. By these actions he could emulate commands for any of the hotel’s 119 cubbies.
Situations such as this are essentially very dangerous as any malicious hacker or attacker can jailbreak or root a device to gain full control of a room’s operations and functions, maybe even attempt a robbery! To protect your hotel app and its users from such attacks, we recommend that the user/admin be notified of the jailbreak or rooting upon detection and to use Jailbreak Prevention and Root Prevention that will detect if an app is running on a jailbroken device and shut itself down.
We’d love to help stop these top cyber attacks in your Hotel App
People prefer to use their mobile devices for most activities, such as booking reservations, making payments, creating to-do lists, and so on, as our world becomes increasingly digital by the minute. Due to this, hotel apps are becoming a more prominent choice for a customer’s travel journey. I would love to assist you with your security project and help any hotel apps achieve their cybersecurity difficulties. Let us show you how to safeguard your mobile app from attackers. Please contact us for a demonstration!
