Imagine this: I'm a woman traveling through Europe by myself, and I've booked a night at a prestigious hotel. Because the room keys are digital, the hotel has asked me to install its app on my phone, and I use the phone to unlock my door. Traveling alone, my primary concern is staying safe, and a digital key means a stranger could get into my room not only by defeating the lock physically but by attacking the app or the key system behind it. So how do I protect myself digitally as well as in person? In this blog, we'll discuss the top 4 attacks on hotel mobile apps and how to prevent them.
Hackers are targeting Hotel Apps
With the pandemic dying down, millions of travelers are again booking flights, reserving hotel rooms and paying for rideshares through mobile apps, and hotel apps have become an increasingly attractive target. According to PwC's Hotel Report covering 2018-2022, hotels suffer the second-highest number of breaches of any industry after retail, and 74 percent of hotels lack breach protection. Hotels draw attackers because they collect personal and financial data across many touchpoints, each of which can expose that data. Hotel apps are evolving into super apps that bundle payments, navigation, in-hotel event bookings, reservations and more; every added function is additional attack surface, and the partner integrations behind those functions mean sensitive user data travels between more parties. The result is a considerable risk of personal data exposure, and a hotel app that wants to be trusted has to be built to withstand it.
How Hotel Apps Should Protect Against Security Threats
Hotel apps win users through convenience and breadth of functionality, but that same breadth is what makes them valuable to attackers: they hold payment methods and sensitive personal data. Security is often an afterthought, leaving flaws that can reveal passwords in plaintext, leak account credentials, and expose users to data harvesting, phishing and outright fraud. Because emails and other personally identifiable information (PII) move between the app, the hotel's back end and its partners, the app should not keep card numbers on the device at all (let the payment provider hold them and reference them by token), so there is less to lose if the app or the phone is compromised. Hotel apps should also be assessed against PCI DSS or a comparable standard, which covers the basics: network segmentation and firewalls, encryption of data in transit, and encryption of data at rest.
Travel Industry Cybersecurity Checklist – Top 4 Ways to Protect Hotel Mobile Apps
Prevent Mobile Data Breaches in Hotel Apps
In a Man-in-the-Middle attack, the attacker sits between the mobile user and the server the app is trying to reach. Each side believes it is talking to the other, but both are talking to the attacker, who relays the traffic and can read or alter it. One way to get into that position is to hijack the user's session at the moment the app first connects. The incident this section points to, in which attackers used a former employee's disabled login credentials to reach a well-known hotel chain's internal guest-reservation system and encrypt and erase data, is better described as credential abuse than as interception, but it shows what is at stake once an attacker is on the path to that data: account passwords, payment card data, contact details, loyalty account information and current hotel bookings were all within reach.
To defeat a Man-in-the-Middle attack, we recommend Trusted Session or Certificate Pinning. Both validate the server's certificate, or its public key, against a known trusted value and drop the connection when the presented certificate is invalid or does not match, so an interception proxy presenting its own certificate is rejected even if the device has been tricked into trusting it. Pin the public key rather than the whole certificate, ship a backup pin for the next key, and plan rotation before the pinned key expires; a pin with no backup turns a routine certificate renewal into an outage. Trusted Session can also be combined with Data at Rest Encryption to encrypt strings, preferences and in-app resources, which is where iOS and Android hotel apps typically keep usernames, passwords and session tokens.
Defend Hotel Apps Against Synthetic Fraud
Mobile apps connect to all sorts of external services: their own host server to authenticate users and download content, other mobile resources, and more. When a researcher requested reservation information from a popular hotel chain's mobile app server, he found the endpoint performed no authentication. By changing the rewards-program number in his request he could look up any guest's reservation, retrieving the hotel name, the guest's last name, the check-in date and the reservation ID.
Defending against this kind of synthetic fraud means making sure a forged request cannot drive a back-end query. We recommend a Mobile Client Certificate, stored encrypted inside the app, so the back end can distinguish a genuine app instance from a bot or scripted client and block untrusted endpoints from reaching secured hosts and back-end servers. Note what a client certificate does and does not prove: it answers "is this request coming from our app?", not "is this user allowed to see this reservation?". The lookup above failed the second question, so the server must also bind the record it returns to the authenticated session rather than to an identifier the client supplies.
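As an added example (not code from the original post or from the hotel in question), here is the reservation lookup in both forms: the unauthenticated pattern the researcher found, where the rewards number in the request selects the record, beside a hardened handler that takes the identity from the session and refuses to return anyone else's booking. Reservations, tokens and names are constructed sample data; a real service would validate a signed token or consult a session store instead of the in-memory map.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Reservation struct {
	Hotel         string `json:"hotel"`
	LastName      string `json:"last_name"`
	CheckIn       string `json:"check_in"`
	ReservationID string `json:"reservation_id"`
}

// Constructed sample data, keyed by loyalty (rewards) number.
var reservations = map[string]Reservation{
	"10001": {"Grand Plaza", "Ortiz", "2024-05-02", "RSV-7781"},
	"10002": {"Grand Plaza", "Nakamura", "2024-05-03", "RSV-7782"},
}

// Constructed session store: bearer token -> rewards number it was issued to.
var sessions = map[string]string{"tok-ortiz": "10001"}

// vulnerableLookup reproduces the flaw the researcher found: the rewards
// number comes straight from the request and nothing checks who is asking.
func vulnerableLookup(w http.ResponseWriter, r *http.Request) {
	res, ok := reservations[r.URL.Query().Get("rewards")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(res)
}

// hardenedLookup derives the identity from the authenticated session. A
// client-supplied rewards number is honoured only if it matches the caller,
// so changing it in the request cannot reach another guest's record.
func hardenedLookup(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	owner, ok := sessions[token]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if requested := r.URL.Query().Get("rewards"); requested != "" && requested != owner {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	res, ok := reservations[owner]
	if !ok {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(res)
}

// call runs one request through a handler in-process and returns status and body.
func call(h http.HandlerFunc, token, rewards string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/reservation?rewards="+rewards, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(call(vulnerableLookup, "", "10002"))        // 200 and Nakamura's booking: anyone can enumerate guests
	fmt.Println(call(hardenedLookup, "", "10002"))          // 401 unauthorized
	fmt.Println(call(hardenedLookup, "tok-ortiz", "10002")) // 403 forbidden
	fmt.Println(call(hardenedLookup, "tok-ortiz", "10001")) // 200 and Ortiz's own booking
}
```

The important line is the one that reads `owner` from the session and ignores the client's number for the actual lookup; a client certificate or bot-blocking layer in front of this handler raises the cost of scripting the enumeration but would not have closed the hole on its own.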
Because the researcher could pull other guests' data, the reservation flow in that app could have been abused at scale for credential theft, account takeover and other harm to users' privacy. To limit what an attacker gains from a compromised device or a leaked app package, we also advocate Data at Rest Encryption, which uses white-box cryptography and threat-aware encryption keys to encrypt the hotel app's sandbox, files, strings, resources, preferences, native libraries and more.
Block Debugging Tools to Prevent Hacking of Hotel Mobile Apps
A hotel app embodies its designers' algorithms and data, and attackers want to read, steal and modify that code. At a security conference, researchers demonstrated opening a guest-room door: they used a Man-in-the-Middle position as an inspection tool to capture key data, but the decisive step was traffic capture with the platforms' debug facilities. The hotel used a mobile key system with Bluetooth Low Energy (BLE) IoT locks, and because the app talked to the locks over BLE, the researchers could collect and analyze that traffic. On Android they enabled developer (debug) mode and the Bluetooth HCI snoop log to record the traffic locally; on iOS they installed Apple's Bluetooth debug logging profile and sniffed the traffic wirelessly. Analysis of the credential packets showed the mobile key system was vulnerable to a key-stealing attack that bypassed the vendor's replay protection.
To protect your hotel app from debugging tools, we recommend blocking debugging tools on iOS and Android. Anti-debugging protection detects an attached debugger (ptrace-based tools, lldb, Frida and similar) and refuses to run, which stops a hacker from stepping through and analyzing your hotel app's code at runtime. Be clear about its limits: the HCI snoop log and over-the-air sniffing in the case above capture traffic at the operating-system and radio layer, below the app, so anti-debugging raises the cost of reverse engineering but does not by itself fix a key exchange that can be captured and replayed; the replay protection in the lock protocol still has to hold.
Protect Mobile Apps with Jailbreak and Root Detection
Hackers jailbreak iOS and root Android devices to take control of the OS and escalate to administrative privileges; once they control the OS, they usually try to disable the app's security protections. A researcher recently took over the 119 cubby rooms of a Japanese capsule hotel. He used a Man-in-the-Middle position to gather data such as the access point of the Nasnos remote used to control each room's functions (lights, door and so on), and used "patching" and "hooking" of the app to disable Guided Access and gain full control of the device. His interception captured exactly which commands triggered each of the remote's actions, which let him emulate those commands for any of the hotel's 119 cubbies.
Situations like this are dangerous because a malicious actor who can root or jailbreak a device can seize control of a room's functions, perhaps even to enable a burglary. To protect your hotel app and its users, we recommend that the user and an administrator be notified when a jailbreak or root is detected, and Jailbreak Prevention and Root Prevention so the app detects when it is running on a jailbroken or rooted device and shuts itself down. Detection should rely on several independent signals, since any single check can be hidden by a root-cloaking tool, and it should run before the app handles key material, not only once at launch.
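The added example below (written for this post, not code from the original page or from any product) covers both the anti-debugging check from the previous section and the root/jailbreak check from this one, and the fail-closed policy that ties them together. The debugger check parses the TracerPid field of `/proc/self/status`, which Linux and Android expose; the root check probes a list of well-known file paths and the Android build tags. The probes are injected so the logic can be exercised on a clean machine, and the sample status text and the "rooted" probe set are constructed. iOS has no procfs; a production iOS build would use the sysctl/ptrace equivalents, and a shipping app would implement these checks natively rather than in Go.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Indicator is one piece of evidence about the device. Strong signals (an su
// binary) justify shutting down; weak ones (test-keys, which some custom ROMs
// carry without root) are worth reporting but not a hard stop on their own.
type Indicator struct {
	Name   string
	Strong bool
}

// tracerPIDFromStatus parses the TracerPid line of a /proc/<pid>/status dump.
// Non-zero means a process is ptrace-attached (gdb, lldb-server, Frida injection).
func tracerPIDFromStatus(status string) int {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "TracerPid:") {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:")))
		if err == nil {
			return n
		}
	}
	return 0
}

// DebuggerAttached reads the live /proc/self/status (Linux and Android).
// Where procfs is absent it returns false together with the read error.
func DebuggerAttached() (bool, error) {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false, err
	}
	return tracerPIDFromStatus(string(b)) != 0, nil
}

// Probes abstracts the device facts a root/jailbreak check needs so the
// logic can be exercised without a rooted handset. In production FileExists
// wraps os.Stat and BuildTags comes from the ro.build.tags system property.
type Probes struct {
	FileExists func(path string) bool
	BuildTags  string // stock Android builds report "release-keys"
}

// Paths that root managers and jailbreaks have historically left behind.
// Lists like this go stale and need upkeep; they are a signal, not proof.
var strongPaths = []string{
	"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", // Android
	"/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash", // iOS
}

// RootIndicators returns every signal suggesting a rooted or jailbroken device.
func RootIndicators(p Probes) []Indicator {
	var found []Indicator
	for _, path := range strongPaths {
		if p.FileExists(path) {
			found = append(found, Indicator{"privileged binary at " + path, true})
		}
	}
	if strings.Contains(p.BuildTags, "test-keys") {
		found = append(found, Indicator{"build signed with test-keys", false})
	}
	return found
}

type Action int

const (
	Continue          Action = iota
	NotifyAndContinue        // report to the backend, keep running
	Terminate                // report, then exit before any key material is touched
)

// Decide turns the evidence into the action the post recommends: fail closed
// on an attached debugger or a strong root signal, report weak signals.
func Decide(debugger bool, indicators []Indicator) Action {
	if debugger {
		return Terminate
	}
	action := Continue
	for _, ind := range indicators {
		if ind.Strong {
			return Terminate
		}
		action = NotifyAndContinue
	}
	return action
}

func main() {
	dbg, err := DebuggerAttached()
	fmt.Println("debugger attached:", dbg, "error:", err)
	rooted := Probes{ // constructed: pretends /system/xbin/su exists on a test-keys build
		FileExists: func(path string) bool { return path == "/system/xbin/su" },
		BuildTags:  "test-keys",
	}
	fmt.Println("action:", Decide(dbg, RootIndicators(rooted))) // action: 2 (Terminate)
}
```

Run the check again whenever the app is about to use the digital key, not just at startup, and send the indicator names with the notification so an administrator can tell a genuine root from a false positive on an unusual but legitimate device.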
We’d love to help stop these top cyber attacks in your Hotel App
As our world becomes more digital by the minute, people prefer their mobile devices for most activities, from booking reservations and making payments to keeping to-do lists, and hotel apps are becoming a more prominent part of a customer's travel journey. I would love to assist you with your security project and help your hotel app overcome its cybersecurity challenges. Let us show you how to safeguard your mobile app from attackers. Please contact us for a demonstration!