Hotel Mobile Keys must be secure — Photo by LEGIC Identsystems AG

We live in times where nothing seems to be safe. Every day, we read about tech hacks, industrial espionage, data thefts and much more in the business world. The well-known statement that there is no absolute security applies to any technology used for security purposes. However, the risk of a security breach can be significantly reduced by the correct application and combination of suitable security measures.

The number of break-ins increases every year, our magnetic-stripe bank cards can get cloned, secret services are spying on our e-mails and phishing mails want to access our accounts. Nowadays, everything has to be doubly and triply secured, regulated, standardized and certified for us to feel safe and secure.

In December 2016, the Chaos Computer Club stated that they hacked a padlock product and its accompanying mobile app, which communicates with the padlock via Bluetooth Low Energy (BLE). This could potentially also affect hotels with mobile room keys, as their door locks also communicate with smartphones via BLE technology and exchange confidential information. LEGIC, a Swiss security company, specializes in end-to-end security for preventing hacking of such mobile ID solutions.

Mobile room keys
Today, more and more hotels implement mobile room keys in their mobile apps as guest experience and guest engagement through an app are becoming more important. Mobile room keys are fundamental to several major benefits: guests don't need to check in at reception and wait for their key cards. Booking their favorite room in advance and receiving the room keys directly on their smartphones, or extending their stay without waiting in line again at reception, are just a few of the advantages.

Although mobile room keys are loved by many hotel guests, the connection used to transmit sensitive data must be secured. If the complete mobile key system in the hotel were to be hacked, the hackers could have access to every single room in the hotel. In a worst-case scenario, the hotel would need not only to discontinue the mobile key function but also to reconfigure every room key and, at worst, upgrade the hardware of all door locks. As a result, the hotel's reputation is damaged and the costs are enormous.

Security in the world of mobile ID
To achieve a high security level, the entire system must be comprehensively examined and a variety of security measures must be considered. The mobile device, typically a smartphone, has access to the Internet, which opens the risk of remote attacks. As today's mobile apps have no ubiquitous access to an on-device hardware secure element across all smartphone models, they have limited power to protect their sensitive data, such as encryption keys, ID rights and critical program code. A solution which does not store data encryption keys in potentially vulnerable mobile apps, but which encrypts data in the cloud-based trusted service used for mobile room key deployment and decrypts data in the door lock hardware, is therefore strongly advisable. Such solutions apply so-called "end-to-end" hardware security.
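The data flow described above, sketched as an added example that is not LEGIC's code or protocol: the trusted service encrypts and authenticates a room credential, the app only relays it, and the lock verifies and decrypts it. All function names, field names and sample values are hypothetical, and the HMAC-based keystream is a standard-library stand-in for the authenticated cipher a real HSM and secure element would run.

```python
# Added illustration: all names are hypothetical; the HMAC-based keystream is a
# stdlib stand-in for a real AEAD (e.g. AES-GCM) run inside an HSM / secure element.
import hashlib
import hmac
import json
import os

def _subkeys(lock_key):
    """Derive separate encryption and MAC keys from the per-lock key."""
    return (hmac.new(lock_key, b"enc", hashlib.sha256).digest(),
            hmac.new(lock_key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def service_issue(lock_key, lock_id, room, not_after):
    """Trusted service: encrypt-then-MAC a credential bound to one lock."""
    enc, mac = _subkeys(lock_key)
    nonce = os.urandom(16)
    plain = json.dumps({"lock": lock_id, "room": room, "not_after": not_after}).encode()
    cipher = _xor_stream(enc, nonce, plain)
    return nonce + cipher + hmac.new(mac, nonce + cipher, hashlib.sha256).digest()

def phone_relay(blob):
    """Mobile app: holds no key, so it can only forward the opaque blob."""
    return blob

def lock_open(lock_key, lock_id, blob, now):
    """Lock: verify the tag first, then decrypt and check binding and expiry."""
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag is the minimum size
        return False
    enc, mac = _subkeys(lock_key)
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + cipher, hashlib.sha256).digest()):
        return False
    cred = json.loads(_xor_stream(enc, nonce, cipher))
    return cred["lock"] == lock_id and now <= cred["not_after"]
```

The blob is opaque to the app and any modification is rejected, but an exact copy remains valid until `not_after`, which is why cloning of the device still needs its own mitigation.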

The malicious transfer of ID rights stored in software to another mobile device by cloning is also a serious concern. The security relevance of the mobile device is greatly reduced if it is online and connected to the management system whenever mobile ID rights need to be transferred to the device. In this situation, the actual ID rights shall be stored in the management system and the smartphone shall only serve as a communication channel. Mitigation against a cloned smartphone can also be achieved by the management system sending a transaction authorization via SMS, or by asking the user to enter a password, PIN or Touch ID fingerprint (so-called two-factor authentication using something you possess and something you know).

Focus on security
The increasing focus of hacker organizations on Bluetooth-based locks means that it is more important than ever for hotels and other organizations using mobile keys to implement a mobile key service based on end-to-end hardware security.

LEGIC's end-to-end offering implements real hardware-based security using a reader IC with a bank-level (EAL 5+) certified, tamper-resistant secure element in the lock and a hardware security module (HSM) in our trusted service. The secure element (SE) used by LEGIC has a secure environment for key storage, for cryptographic calculations and for the storage of security- and business-critical software. This SE is similar to a crypto chip used for securing payment transactions at point-of-sale bank card payment terminals and is therefore highly secure. Furthermore, with LEGIC technology, no data encryption keys are stored in potentially vulnerable mobile apps; they only exist in the lock SE and in the trusted service HSMs. The app hack as demonstrated by Chaos Computer Club is therefore prevented.

For 25 years, LEGIC has been providing security solutions for the highest requirements. Its open technology platform is the perfect choice for secure communication and identification. Its five components (LEGIC's cloud-based, secure trusted service, Mobile SDK, reader IC, smartcard IC, and key and authorization management) work together seamlessly to provide a powerful technology platform for secure mobile ID and IoT applications.


LEGIC is a solution provider and expert for contactless identification by means of RFID, NFC, and Bluetooth Smart. Our open technology platform covers secure reader and smartcard ICs, the trusted service LEGIC Connect, an SDK for mobile apps as well as key and authorization management for the simple implementation and management of applications.

Our solution is characterized by scalable security, flexibility, simplicity, and investment protection. In the process, we accompany our customers with comprehensive consulting and support in the use of the technology. Leading companies worldwide trust our technology for employee identification, payment applications, campus cards as well as mobility and hotel solutions.

In the future, with our more than 20 years of experience, we will make the identification and communication of people and connected things in everyday life safer and less complicated.

John Harvey
Business Development Manager